ac08b1b2cc493780e6908e18e152f03b0819e1e81feb88ed59c53cd06ff60a0c

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03133ebc5da31621c029e176f749464b.exe
Size

511KB
MD5

03133ebc5da31621c029e176f749464b
SHA1

ac77ad8e70869892c85d8faf62eedb01858b95bc
SHA256

ac08b1b2cc493780e6908e18e152f03b0819e1e81feb88ed59c53cd06ff60a0c
SHA512

07ab337aa62d04fa8cae40a9e2dd5170e770cada8369bfe74f3299863555a1c1ddbe10ee2d39c006f9218a3e4ec03796a15e15e76b619d72350772ae4f9b9bbb
SSDEEP

12288:H1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0mHW/avHceALtmiJc1NpxAyE8ZySZJx9X:H1/aGLDCM4D8ayGM6HPoMbfZX9KgB8w

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	yjlys.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	03133ebc5da31621c029e176f749464b.exe
2108	03133ebc5da31621c029e176f749464b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\yjlys.exe"	yjlys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1696	2108	03133ebc5da31621c029e176f749464b.exe	28
PID 2108 wrote to memory of 1696	2108	03133ebc5da31621c029e176f749464b.exe	28
PID 2108 wrote to memory of 1696	2108	03133ebc5da31621c029e176f749464b.exe	28
PID 2108 wrote to memory of 1696	2108	03133ebc5da31621c029e176f749464b.exe	28

C:\Users\Admin\AppData\Local\Temp\03133ebc5da31621c029e176f749464b.exe
"C:\Users\Admin\AppData\Local\Temp\03133ebc5da31621c029e176f749464b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108
- C:\ProgramData\yjlys.exe
  "C:\ProgramData\yjlys.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
511KB

MD5
9640bdef7af7fd28cff549729d0005e1

SHA1
ab8c169449aacbe32c126afa1dc723b7e977cdae

SHA256
f2d1c3e71055be17bd21e578d0c36cb82540f4befd461c877151604a314770ce

SHA512
6234fa85f5db914234cea27223bff9000e129051067a6cbe299e2da0af195cb0892110ed301fece069adbe368a4ef5e858698272faf6719f27df5198ce3ea832

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
255KB

MD5
f351898b5ba2d709e4d73d3160071029

SHA1
5bddf9621650635913bea3f15cb0f7108a09079e

SHA256
22972cfc5b13ea8cedef1adca83358f89fea716b3e775bd70553ed44ef04e668

SHA512
c9c680f93577ca853d9db3d9b84d16a43c1986c95d3bfc4ff3bbbafaa585cf6ee6ada6da6e86cea529e817f39e4e98d78c1ad99069aa417514ef5bab735ccf88

Download Submit
\ProgramData\yjlys.exe

Filesize
256KB

MD5
6d9ff9cdeb19298f01f0aea84451a3fc

SHA1
97b67b7c11c0609498bec971dddbbaf09d9c7da2

SHA256
f121899a8761350a30c1ec642ff0b5fcd00ad4786b592dcc08192acfe40557ef

SHA512
717b9474d388070479a61c39fbe2f7776c20a85e863afcadb9b65e51051773f71f86dada88c2b89cf91e4c03acb69cbd0d4d3fef780c0b210df5755b4b82ebd2

Download Submit
memory/1696-100-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1696-208-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2108-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads