a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe
Size

724KB
MD5

00beaee78979ce3819a8665321f713a0
SHA1

21574671ca62ac2d7f188a2f0f6a217aeb2d3b3e
SHA256

a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004
SHA512

6c49b593672e81c0e55b04070258c468bff6255c0b34070873d4634eebc3a6880b02532d3743aabf31fa1e64c6bc0699ac1276e0291c5ecfc8ab91e726532a6c
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0ymJGt+nYeboCqNLBLQdvFwdZBqQ1opEp:71/aGLDCM4D8ayGMjJGt+nYeb5qtvope

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2256	hwccvl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\hwccvl.exe"	hwccvl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2256	4808	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	80
PID 4808 wrote to memory of 2256	4808	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	80
PID 4808 wrote to memory of 2256	4808	a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe	80

C:\Users\Admin\AppData\Local\Temp\a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe
"C:\Users\Admin\AppData\Local\Temp\a27f1e75c63e77e4d28f38290c2316dbc30683a7e522b1000b0ce224946e7004.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\ProgramData\hwccvl.exe
  "C:\ProgramData\hwccvl.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\hwccvl.exe

Filesize
454KB

MD5
c98832c5cf9ec4614f5e237e33b11e85

SHA1
b546a01baae016ee0f8210da09f9962f40b0bb75

SHA256
90ddc55c8cb1e85f66a2e4257c425e6197a2e615c22b5eb2ccb4c6000a86108c

SHA512
a885ae595574115901301b5ee6255bd29c7788f8536e1efe29af87797f81e4fbbfa80009ee04f26d73bf6161c2152fd4e00805fbfff3aa0f12a04bd5444ad986

Download Submit
C:\ProgramData\hwccvl.exe

Filesize
454KB

MD5
c98832c5cf9ec4614f5e237e33b11e85

SHA1
b546a01baae016ee0f8210da09f9962f40b0bb75

SHA256
90ddc55c8cb1e85f66a2e4257c425e6197a2e615c22b5eb2ccb4c6000a86108c

SHA512
a885ae595574115901301b5ee6255bd29c7788f8536e1efe29af87797f81e4fbbfa80009ee04f26d73bf6161c2152fd4e00805fbfff3aa0f12a04bd5444ad986

Download Submit
memory/2256-133-0x0000000000000000-mapping.dmp

Download
memory/4808-132-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4808-136-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download