a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004

Analysis

max time kernel
153s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe
Size

724KB
MD5

00beaee78979ce3819a8665321f713a0
SHA1

21574671ca62ac2d7f188a2f0f6a217aeb2d3b3e
SHA256

a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004
SHA512

6c49b593672e81c0e55b04070258c468bff6255c0b34070873d4634eebc3a6880b02532d3743aabf31fa1e64c6bc0699ac1276e0291c5ecfc8ab91e726532a6c
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0ymJGt+nYeboCqNLBLQdvFwdZBqQ1opEp:71/aGLDCM4D8ayGMjJGt+nYeb5qtvope

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	thclg.exe

Loads dropped DLL 2 IoCs

pid	Process
1460	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe
1460	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\thclg.exe"	thclg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 980	1460	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	28
PID 1460 wrote to memory of 980	1460	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	28
PID 1460 wrote to memory of 980	1460	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	28
PID 1460 wrote to memory of 980	1460	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	28

C:\Users\Admin\AppData\Local\Temp\a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe
"C:\Users\Admin\AppData\Local\Temp\a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460
- C:\ProgramData\thclg.exe
  "C:\ProgramData\thclg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
226KB

MD5
a8dee8dc8067f457c09365230f0dc104

SHA1
cc0d20978c080351dec48066c1166b59b2d80974

SHA256
58cb438b7b21300d0555c34007b7a5dd9371d2d74b172d3985a2a9ecea75ec0e

SHA512
3ab219b7ed3ad9575dfb71ebbe6dd0642b2562ebb84d1352ce41d1773a93406b94a9783a28fe3732e78b6be97e730659697763359fa89f744d395193de395e08

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\thclg.exe

Filesize
454KB

MD5
c98832c5cf9ec4614f5e237e33b11e85

SHA1
b546a01baae016ee0f8210da09f9962f40b0bb75

SHA256
90ddc55c8cb1e85f66a2e4257c425e6197a2e615c22b5eb2ccb4c6000a86108c

SHA512
a885ae595574115901301b5ee6255bd29c7788f8536e1efe29af87797f81e4fbbfa80009ee04f26d73bf6161c2152fd4e00805fbfff3aa0f12a04bd5444ad986

Download Submit
C:\ProgramData\thclg.exe

Filesize
454KB

MD5
c98832c5cf9ec4614f5e237e33b11e85

SHA1
b546a01baae016ee0f8210da09f9962f40b0bb75

SHA256
90ddc55c8cb1e85f66a2e4257c425e6197a2e615c22b5eb2ccb4c6000a86108c

SHA512
a885ae595574115901301b5ee6255bd29c7788f8536e1efe29af87797f81e4fbbfa80009ee04f26d73bf6161c2152fd4e00805fbfff3aa0f12a04bd5444ad986

Download Submit
\ProgramData\thclg.exe

Filesize
454KB

MD5
c98832c5cf9ec4614f5e237e33b11e85

SHA1
b546a01baae016ee0f8210da09f9962f40b0bb75

SHA256
90ddc55c8cb1e85f66a2e4257c425e6197a2e615c22b5eb2ccb4c6000a86108c

SHA512
a885ae595574115901301b5ee6255bd29c7788f8536e1efe29af87797f81e4fbbfa80009ee04f26d73bf6161c2152fd4e00805fbfff3aa0f12a04bd5444ad986

Download Submit
\ProgramData\thclg.exe

Filesize
454KB

MD5
c98832c5cf9ec4614f5e237e33b11e85

SHA1
b546a01baae016ee0f8210da09f9962f40b0bb75

SHA256
90ddc55c8cb1e85f66a2e4257c425e6197a2e615c22b5eb2ccb4c6000a86108c

SHA512
a885ae595574115901301b5ee6255bd29c7788f8536e1efe29af87797f81e4fbbfa80009ee04f26d73bf6161c2152fd4e00805fbfff3aa0f12a04bd5444ad986

Download Submit
memory/1460-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1460-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download