cebaa3f3a653be3dd1698cee441de05354679b0288191f46ceee8b268303b18a

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518f35c3820d178597036943e281bf6d.exe
Size

404KB
MD5

518f35c3820d178597036943e281bf6d
SHA1

5b3ccb6c1822ecd65029cfe5540d8ad42c36d961
SHA256

cebaa3f3a653be3dd1698cee441de05354679b0288191f46ceee8b268303b18a
SHA512

c979f6d77046278e3a64e9273a0e6f3939418cf15af0b7911cad41ccaf7d2ec9153e22c59d105c7c59c17f5876a2618c9815b4b05d1be3e42cb016959e1fee17
SSDEEP

6144:4jlYKRF/LReWAsUyfynU2AaXwjRrjORjeegUVH2zfKEQGgiOtvpS6BtRI8FXeIoj:4jauDReWFzlUVwUpxI8UIzC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	nqqiw.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	518f35c3820d178597036943e281bf6d.exe
1748	518f35c3820d178597036943e281bf6d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\nqqiw.exe"	nqqiw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2308	1748	518f35c3820d178597036943e281bf6d.exe	28
PID 1748 wrote to memory of 2308	1748	518f35c3820d178597036943e281bf6d.exe	28
PID 1748 wrote to memory of 2308	1748	518f35c3820d178597036943e281bf6d.exe	28
PID 1748 wrote to memory of 2308	1748	518f35c3820d178597036943e281bf6d.exe	28

C:\Users\Admin\AppData\Local\Temp\518f35c3820d178597036943e281bf6d.exe
"C:\Users\Admin\AppData\Local\Temp\518f35c3820d178597036943e281bf6d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\ProgramData\nqqiw.exe
  "C:\ProgramData\nqqiw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
404KB

MD5
a486a8bd429d7e3e83299dbf0e6e2df1

SHA1
0031991d40c252ee8bee309160b92a4d64220108

SHA256
c3b9fc88b3370d87305eef003832c0db0e2082b82748c5cb30b4b3a134eb2315

SHA512
8bb203ef933036bf90ea3eb721ab79e9f5fff9fbeb66169e345035b346f06badf4e2c6b2093de3ab28d52b057ef4dea5d92d0a802b8a37f538da761831390e77

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\nqqiw.exe

Filesize
267KB

MD5
252ced8d1aae607b15b2aaf419993f73

SHA1
e961134e8b14a92558ef2b30a85dce0892149f53

SHA256
02b6ab586930c4087b6c024e5e005d505b01a6e4f65f8e28b66656d2bb7f9897

SHA512
6252a2861fa04151318e07ede4002f4190758fa5b600212a4861e4682c17691cb813c956596a13bcbf95bba946d257860378de2f1c887c9550d24f68aafe0620

Download Submit
memory/1748-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1748-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1748-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2308-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads