2188f43c4e7bc5075c759f5941257d48c7dc8535f84aff49f40bac5ec9def54b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa2dbca450a986d3571bdf9f93fcddbe.exe
Size

404KB
MD5

aa2dbca450a986d3571bdf9f93fcddbe
SHA1

caf9b4d6895d65e5e09db439a33778affae3dded
SHA256

2188f43c4e7bc5075c759f5941257d48c7dc8535f84aff49f40bac5ec9def54b
SHA512

7efe418fec1319e75a78b127ca4636c8d61770f7315b50037ef892098fb7b8aac9da71ca2432cd2a384aedfdc9365088c3782703b30256bcc44c454d62943932
SSDEEP

6144:4jlYKRF/LReWAsUy3FMKxGP6E1fY9IfJ5eVRXOnMAy+glfqPc/5:4jauDReWNv+6ENYWfJdnMUc/5

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5004	ycjgk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ycjgk.exe"	ycjgk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 5004	3920	aa2dbca450a986d3571bdf9f93fcddbe.exe	92
PID 3920 wrote to memory of 5004	3920	aa2dbca450a986d3571bdf9f93fcddbe.exe	92
PID 3920 wrote to memory of 5004	3920	aa2dbca450a986d3571bdf9f93fcddbe.exe	92

C:\Users\Admin\AppData\Local\Temp\aa2dbca450a986d3571bdf9f93fcddbe.exe
"C:\Users\Admin\AppData\Local\Temp\aa2dbca450a986d3571bdf9f93fcddbe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\ProgramData\ycjgk.exe
  "C:\ProgramData\ycjgk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe

Filesize
404KB

MD5
f0a713e657b8668bd7dda7c472fee21c

SHA1
995e6e69ec4fc63f3f8b72021822011d0c3c2166

SHA256
eb0529b073b8a4038fceb4422d386f0835c2d42878a14decf9bd1e1dceb86c3e

SHA512
839a5da81a030fba03d56b858d8b7c134b25f4be123ad700fac808f358db1ad31775d5c87e564c94e2e7ab1daec379eaa7632154a436677c603ca895c7d8ebca

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\ycjgk.exe

Filesize
267KB

MD5
eb648f565481e06058cae3bc94802aea

SHA1
bdf502759e2ff0eaa404525d729818984d75c7a1

SHA256
47a3aea4ce81429958e7e9dda2ddf59fc964bae60f9017736032c92be9900d16

SHA512
f167bed55210aef78f9003924a5b77a2046f08df3036f157bd8a6bfa08f6b3fcf20a9ccdd91d447ffba9298f12a470eb197c25048c1faa788c39f0569cc582ba

Download Submit
memory/3920-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3920-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3920-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/5004-40-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5004-41-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5004-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads