95a32d9975a8aedb0a2f9b6e11249a5e20163c7088a228f9b034fe02e17b8289

General

Target

2782bcf6afd7aed4919a9b435c92bf8b.exe
Size

410KB
MD5

2782bcf6afd7aed4919a9b435c92bf8b
SHA1

f3364e83a613458bb022c4c5a7fe1f0c6eb51621
SHA256

95a32d9975a8aedb0a2f9b6e11249a5e20163c7088a228f9b034fe02e17b8289
SHA512

21d2f1e3852a4b66fb73b32e53d9b59fda9aec65998dcf33a502939432bfa63a2d88db9b697630e16079f46b95b9c3f8c8f15f6856814e6077422af7d9b62737
SSDEEP

12288:CxIK9V14ImyHY155cfoFEu4iZ+2bNCNYUoXEG8m8jrIiG55x2eupA/hVBCk94NuX:CJEyYlas5F1qR7rPRm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	yvlvo.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	2782bcf6afd7aed4919a9b435c92bf8b.exe
3044	2782bcf6afd7aed4919a9b435c92bf8b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\yvlvo.exe"	yvlvo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2840	3044	2782bcf6afd7aed4919a9b435c92bf8b.exe	28
PID 3044 wrote to memory of 2840	3044	2782bcf6afd7aed4919a9b435c92bf8b.exe	28
PID 3044 wrote to memory of 2840	3044	2782bcf6afd7aed4919a9b435c92bf8b.exe	28
PID 3044 wrote to memory of 2840	3044	2782bcf6afd7aed4919a9b435c92bf8b.exe	28

C:\Users\Admin\AppData\Local\Temp\2782bcf6afd7aed4919a9b435c92bf8b.exe
"C:\Users\Admin\AppData\Local\Temp\2782bcf6afd7aed4919a9b435c92bf8b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\ProgramData\yvlvo.exe
  "C:\ProgramData\yvlvo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
16KB

MD5
ac848f4e3436b1c6905c7fe3428bcad2

SHA1
7dcba40bc826faacc105ee904b4313c71c55114c

SHA256
f4d294cf0619d30c92bc5a69351277a685cbbaea21637dadcf34a5810f0d07bf

SHA512
1ed26d9d5f3fe350d4dc88305e862f41798e070c00195669ff1bc823ea8b9422491e8143f70233036c0b5afa33fae0818eece23805e1c64788643392d07bac78

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
40KB

MD5
752a163c066cb55aa6b19e0e8766038c

SHA1
a8054b618fd995d48d4cb100bad74d1d711ea9a3

SHA256
7ff0c1389b341b268679332bc1ed653db9179845afefacad837f09ce37169e99

SHA512
213072092d99ee80ae61ed6e9c82b4f337d771c2ff16f78fac70c50c3297b3a5654bad455eec5cd4b52371244bdcf43cf94a962f38e0cde609d39c8d640bc3ba

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
1KB

MD5
ddc169b4c54f2120acf282c752342a9b

SHA1
bdc7c626c80fafe55172bf8d9de5886564531110

SHA256
654a9f67a792e418e1b16dad87c71232bbc01d85f30ed262cda72488f3695194

SHA512
79579168c1e9d8a048d6bf0761f62992ae73ba7feb3b844632002f008bfee5aa0add514ad17aae139da281544b5c7f24dfae16e73924e25cb3252ec6351f3cba

Download Submit
C:\ProgramData\yvlvo.exe

Filesize
5KB

MD5
de0a93a4eb507233bf571013f0fecc71

SHA1
390eea6b0ed82707854676323438d11fbf482ad5

SHA256
dba351fa9479ab81f49e31617eb5c10e7e78f2d2537523ab8903667298c07234

SHA512
bff0d8f3658d74d3c767cfde41c42511eeb71242b8cd8170694e0588e73de4901ee92a497ac47d22365cce533b52230d42b12375f29b26e698b3c220c3df9ea6

Download Submit
C:\ProgramData\yvlvo.exe

Filesize
16KB

MD5
a1ebfa5fbe976864f1e059c685c05241

SHA1
ae356267489ad20a4ef6c64cdf00f678e202d186

SHA256
090b675277fde82035867b71c52eb293f3da9550f805489d90e3d95e026a11f1

SHA512
dc6f97555544cc9da0d47538e9cb3033a08fdbe5f5371570967c832b7c96a9cadec957906f45e9a5a632b5fee353a767d65597a43725d73dea3cdc7d6b7f9ac0

Download Submit
C:\ProgramData\yvlvo.exe

Filesize
6KB

MD5
94a76bf0986d7daae413d9c4c35e98e9

SHA1
53ecf07482d47e3f8390d485c2bb98d359def7e5

SHA256
dbc7830530e5f9bcf21dde5d8630c83fdff9ab527ab75fc07d0adec5b4dcf424

SHA512
969c292c95917f00d1b8c96fda7f7ae2179a94366359987161c233521fe5c221a0dfec5275fbe600bcd836456d17b795272ddaa7c3410077a32d5d54c8741fdf

Download Submit
\ProgramData\yvlvo.exe

Filesize
27KB

MD5
fc3fd04d8085a3e07557a2375e7adc27

SHA1
026f1490aac2deac7c5f4ca1a1a91e95b9badb1b

SHA256
304a57525d29b4f42640874e1d6a4d1c242d5eaaf9f05a7451538a30c614639b

SHA512
c791877a5799018aca6068c6b5b04cb501a18dfc790786699d9c036b6e7d079ca0d97fcc4b04835ad8f5c72d45ba8d746ed8a98aaf23e705211b394672c10171

Download Submit
\ProgramData\yvlvo.exe

Filesize
22KB

MD5
ae4673fe78bc4052c49b03cdb74fc41c

SHA1
a3a4a26c41752f761c23959253087f622b7df459

SHA256
17fb53e222cc6cf55bbdb9545e6b9e7eecc3c03d6b4d6bcea8f0c5fec05b0c9b

SHA512
a8e74a5b824b136b231736241615a6860079b793882f9a8b1380e03062d2fca6ca358a79f1cb093834cfdd5829a282e57b4d0f02b3fd5363f2e28484f444afc6

Download Submit
memory/2840-83-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2840-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2840-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3044-14-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3044-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3044-1-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads