a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe
Size

932KB
MD5

0d3e094b2ad9f8d65491caa36e524e50
SHA1

18533d76c33452a20be61dcb0f3e26235c013212
SHA256

a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60
SHA512

fcb85e3224f6668c3eaf807db49b26f901b286b3353470242c8826441fd0e8bdb686d5aa0cf6f6624206459646aa988d447c758110b7e0fc2f240f95e85ea16a
SSDEEP

24576:P1/aGLDCM4D8ayGMZo8/SxXfG/Dn2L+8rmd:gD8ayGMZoZB+8rmd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1204	flwqe.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe
1692	a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\flwqe.exe"	flwqe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1204	1692	a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe	27
PID 1692 wrote to memory of 1204	1692	a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe	27
PID 1692 wrote to memory of 1204	1692	a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe	27
PID 1692 wrote to memory of 1204	1692	a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe	27

C:\Users\Admin\AppData\Local\Temp\a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe
"C:\Users\Admin\AppData\Local\Temp\a5605ee29b345135fc4e5a2150d68d27ea34b29f978cfb6a23205f1bb8e77e60.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\ProgramData\flwqe.exe
  "C:\ProgramData\flwqe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
70d6cb7dd01ebd5a21af02945d2ae12f

SHA1
05260b3e17a221e66b58d1e5ed1d0f518392159a

SHA256
136fb79a4b868976a011043345fbef2cb088dd799757ec3970480eb99d9f2e92

SHA512
b2c4c5b6bc5519ebb8e701c37eb298f6bdbb89b09bbf93a4f5c7a0e5b809b7bb3a6355087797e5064c1cc67a1555cbdab782fcba2f8a9d0f18d4f53337a34ea9

Download Submit
C:\ProgramData\flwqe.exe

Filesize
454KB

MD5
2507eb259ce65b042a8166f12ad50aed

SHA1
77855cfd38319bf5c72248a6a898519747dfad9b

SHA256
fc221830d6f2aac78b3b3237fd8eb4bd5712c482bf937e5e48f6a7251ebc40d6

SHA512
16eb338624c44bccf1a4a40064088c749e21329712dea5094702bb9a9e787353efafb29715e6267fdbeb4a2d26aeaab02f75effd82ce476300e5db7100988e54

Download Submit
C:\ProgramData\flwqe.exe

Filesize
454KB

MD5
2507eb259ce65b042a8166f12ad50aed

SHA1
77855cfd38319bf5c72248a6a898519747dfad9b

SHA256
fc221830d6f2aac78b3b3237fd8eb4bd5712c482bf937e5e48f6a7251ebc40d6

SHA512
16eb338624c44bccf1a4a40064088c749e21329712dea5094702bb9a9e787353efafb29715e6267fdbeb4a2d26aeaab02f75effd82ce476300e5db7100988e54

Download Submit
\ProgramData\flwqe.exe

Filesize
454KB

MD5
2507eb259ce65b042a8166f12ad50aed

SHA1
77855cfd38319bf5c72248a6a898519747dfad9b

SHA256
fc221830d6f2aac78b3b3237fd8eb4bd5712c482bf937e5e48f6a7251ebc40d6

SHA512
16eb338624c44bccf1a4a40064088c749e21329712dea5094702bb9a9e787353efafb29715e6267fdbeb4a2d26aeaab02f75effd82ce476300e5db7100988e54

Download Submit
\ProgramData\flwqe.exe

Filesize
454KB

MD5
2507eb259ce65b042a8166f12ad50aed

SHA1
77855cfd38319bf5c72248a6a898519747dfad9b

SHA256
fc221830d6f2aac78b3b3237fd8eb4bd5712c482bf937e5e48f6a7251ebc40d6

SHA512
16eb338624c44bccf1a4a40064088c749e21329712dea5094702bb9a9e787353efafb29715e6267fdbeb4a2d26aeaab02f75effd82ce476300e5db7100988e54

Download Submit
memory/1692-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download