a423b2e8c741f5ab8468db84d381ae0a7942678b753980cf3a5fc3128ea1ae66

Analysis

max time kernel
159s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 14:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ef6adb562e1a58b6af7397bb852d01dc.exe
Size

932KB
MD5

ef6adb562e1a58b6af7397bb852d01dc
SHA1

d05edf88f9f056321e755a755febca17cda6382a
SHA256

a423b2e8c741f5ab8468db84d381ae0a7942678b753980cf3a5fc3128ea1ae66
SHA512

2306bb518deed9c3b69b815eec76077665f8d568243061278780bfe10438a3b7a9b8628afb6aea66eaaa3c65d2a6a0aafe48507e7083d003caca826f5d81b1e5
SSDEEP

24576:Q1/aGLDCM4D8ayGMZo8/GF/a4c+kLPM2nt1h62Km+YyYBv1vn39flZLVMQW+oXkM:rD8ayGMZohw+OPM2nt1h62Km+YyYBv1Y

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	rmmycl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\rmmycl.exe"	rmmycl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3048	1432	NEAS.ef6adb562e1a58b6af7397bb852d01dc.exe	89
PID 1432 wrote to memory of 3048	1432	NEAS.ef6adb562e1a58b6af7397bb852d01dc.exe	89
PID 1432 wrote to memory of 3048	1432	NEAS.ef6adb562e1a58b6af7397bb852d01dc.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.ef6adb562e1a58b6af7397bb852d01dc.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ef6adb562e1a58b6af7397bb852d01dc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\ProgramData\rmmycl.exe
  "C:\ProgramData\rmmycl.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
932KB

MD5
afc1db761cf7181822d9c87d403f50ea

SHA1
a0cd20ff4f017dd3b0d8817d465741b9d47146ca

SHA256
2fc6d2eae9541739340d842f9d7305d8d83c320cf20098371eb346545f0c0278

SHA512
140fb867ccdfd8a7d04633ab1f85c47b3a492f8b12bbe42210feb741315434a7d3b0222aa521e6592062d9810c1ac163ba5c8655c9589f8db4c29e2cfd2592a8

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
b5739a9b8f99dd228a58cb648a2b24ab

SHA1
b15778997559966cacbf7a43f28b50702c711c86

SHA256
ff378f198ba52031fd2f6adf0f17b94e76960601fe1d2f3281bc49df1ee06e68

SHA512
009550329ad04c71bb39fc496cbcda4b8b5cf5934a52ac22ab79e5aa07f92d1a197cd576c6d6b52317202ee2c121923e844cde490bf729aceeede9938356af86

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
276KB

MD5
afcbd54a283b53c738df1bc672d71b43

SHA1
c66e51ca131913668e4c69d895f73912f588b2a1

SHA256
9dfa074a171af1f40b077224fa8368722c73f053cd794caeaa1b1778ab4e7cee

SHA512
3f9a5e1803d60f859e873ef188a7bedcabfe6d19aa2983d208601d86976fcbe3d29b0c92a849f5f31e0e88e8d0eed84cd8da1c924e07646919680428b1ce9b2b

Download Submit
C:\ProgramData\rmmycl.exe

Filesize
454KB

MD5
a8b56cb0b999957042c015eca624ac87

SHA1
11ea423a3d7ed970f6e5454a6ce3867e491bef1b

SHA256
e4c1899f1f50bc8ddff1a3f6d50bcbdba7f3aeecd3c451466b55298d5d242969

SHA512
263754cca24b109cdaa7fc13d2f6282320960342befcb06cdbe7a699d0ce9673efef61980a4d473d0606668b0128388058ecad396a3c4b88754cfaf934f49b12

Download Submit
C:\ProgramData\rmmycl.exe

Filesize
454KB

MD5
a8b56cb0b999957042c015eca624ac87

SHA1
11ea423a3d7ed970f6e5454a6ce3867e491bef1b

SHA256
e4c1899f1f50bc8ddff1a3f6d50bcbdba7f3aeecd3c451466b55298d5d242969

SHA512
263754cca24b109cdaa7fc13d2f6282320960342befcb06cdbe7a699d0ce9673efef61980a4d473d0606668b0128388058ecad396a3c4b88754cfaf934f49b12

Download Submit
memory/1432-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1432-12-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3048-4-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3048-70-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3048-133-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3048-342-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads