75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d

Analysis

max time kernel
152s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d.exe
Size

680KB
MD5

a36546e9618e82d32538d45726353ee0
SHA1

9caf22a1d537dd2e5249f7d81e95be48c577aaca
SHA256

75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d
SHA512

ff873752915aec4fb53402bdbb32defd27e86a58a355bc31c1350680f4624cfc73aac76231ee1d9ac58ff7ecefa13f574f6e6be31cb86ac79f206ce39a988091
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWx46LsHN5Ma/XGrp:P1/aGLDCM4D8ayGMZoX6LsHN5L/XGt

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4892	dpmtp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\dpmtp.exe"	dpmtp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 4892	2120	75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d.exe	80
PID 2120 wrote to memory of 4892	2120	75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d.exe	80
PID 2120 wrote to memory of 4892	2120	75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d.exe	80

C:\Users\Admin\AppData\Local\Temp\75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d.exe
"C:\Users\Admin\AppData\Local\Temp\75b9492a08c29c6986fdfde148a32cc2c31c2dbd22aa0a46160b84c1be4cab4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\ProgramData\dpmtp.exe
  "C:\ProgramData\dpmtp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
405KB

MD5
004509392d1abc55335706d2d2ce3473

SHA1
ebdf7a8a7d125d486b458bc7ae54cb625d471545

SHA256
13a55d7d522d4d1a970ac2891b168ea0f136e7bdc95474a253672137d5369999

SHA512
af38d700280b0e8fca33683045be82c350a2663c0529962a3d6b2f0b0f81265e7fac2d40b5a30c95bf2dd21af9347e2b58dcebae9ea802e7bd9dff4db651a3f5

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
405KB

MD5
004509392d1abc55335706d2d2ce3473

SHA1
ebdf7a8a7d125d486b458bc7ae54cb625d471545

SHA256
13a55d7d522d4d1a970ac2891b168ea0f136e7bdc95474a253672137d5369999

SHA512
af38d700280b0e8fca33683045be82c350a2663c0529962a3d6b2f0b0f81265e7fac2d40b5a30c95bf2dd21af9347e2b58dcebae9ea802e7bd9dff4db651a3f5

Download Submit
C:\ProgramData\dpmtp.exe

Filesize
274KB

MD5
70404fae06dcd139c9653f3eaea60118

SHA1
de59ebfc6dbf59d124b053336559731df12583b0

SHA256
26dd851ff4f894abf77c3206f0b7103580c421f0f68e10707022a8e8e8bc7758

SHA512
4ffba8f521c34a83e92abd12cf974538f2c21009ce79ddfbe20a88752bb94bff7c6f892d725c7d630fe6a6ac6cb1b46727f1cbbbdf902b7601589e9c30d1282b

Download Submit
C:\ProgramData\dpmtp.exe

Filesize
274KB

MD5
70404fae06dcd139c9653f3eaea60118

SHA1
de59ebfc6dbf59d124b053336559731df12583b0

SHA256
26dd851ff4f894abf77c3206f0b7103580c421f0f68e10707022a8e8e8bc7758

SHA512
4ffba8f521c34a83e92abd12cf974538f2c21009ce79ddfbe20a88752bb94bff7c6f892d725c7d630fe6a6ac6cb1b46727f1cbbbdf902b7601589e9c30d1282b

Download Submit
memory/4892-132-0x0000000000000000-mapping.dmp

Download