Analysis
- max time kernel: 148s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:01
Static task: static1
Behavioral task: behavioral1
  Sample: 74eb6ab375801443f3493f973bdfcb91.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 74eb6ab375801443f3493f973bdfcb91.exe
  Resource: win10v2004-20231215-en
General
- Target: 74eb6ab375801443f3493f973bdfcb91.exe
- Size: 404KB
- MD5: 74eb6ab375801443f3493f973bdfcb91
- SHA1: b6c9dbe98e61a7dd1e4c00c9d7643562928a85a1
- SHA256: 0e85cb703779c76167f601356a9c5ae59a591cc106ecb125169934b94ea2fa3a
- SHA512: c0fa5e829b1bda2393f03007bef156fe501cb69f6d9190247bdb7085b0c34b46a2ab1aa77f4aa6114423e7710e12419bf51250544b99e7ae075b934ea265860c
- SSDEEP: 6144:4jlYKRF/LReWAsUyawmHD2rXo3chzMI6YtgyoH9WFqXdH1:4jauDReW0jz3yv6YtgyWKqXD
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2260  iwavj.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 2124  74eb6ab375801443f3493f973bdfcb91.exe
    PID 2124  74eb6ab375801443f3493f973bdfcb91.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: iwavj.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\iwavj.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    PID 2124 wrote to memory of 2260  74eb6ab375801443f3493f973bdfcb91.exe -> iwavj.exe
    PID 2124 wrote to memory of 2260  74eb6ab375801443f3493f973bdfcb91.exe -> iwavj.exe
    PID 2124 wrote to memory of 2260  74eb6ab375801443f3493f973bdfcb91.exe -> iwavj.exe
    PID 2124 wrote to memory of 2260  74eb6ab375801443f3493f973bdfcb91.exe -> iwavj.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\74eb6ab375801443f3493f973bdfcb91.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74eb6ab375801443f3493f973bdfcb91.exe"
   PID: 2124
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\iwavj.exe
      Command line: "C:\ProgramData\iwavj.exe"
      PID: 2260
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\MSOCache .exe
  Filesize: 404KB
  MD5: f4b07bfa08a02f8a640587f3dc4faa3d
  SHA1: 25c99aee85af3fc301957437e38811d517132bc0
  SHA256: 68e62cba8307dcbc9895f237aa132c7208ea19f04e45faee2cbeb6e2edc19bf3
  SHA512: 275219abd7468820659bb56d3b4f0e7014c03d8c3976ae06a4ab2f55b358de1151fdc89c8a6328b133f30029c9851e5493d9349a94041af4f04d6cb287abccbc
- C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 136KB
  MD5: cb4c442a26bb46671c638c794bf535af
  SHA1: 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
  SHA256: f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
  SHA512: 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3
- \ProgramData\iwavj.exe
  Filesize: 267KB
  MD5: d3c1493f93768dc9a751af894021ee1f
  SHA1: a12639712c71692ba49fbc6a334cfbb3a79732df
  SHA256: d7d79d4c3dff25a6636e6cd52715cf74cd75fa0c6354a2324c2fd43e7406166a
  SHA512: bcd3ee722c4203c5240380765858db4f18d97276c0c9ab2cb5beb6d2f13d47d56b0c35eacfc259e587689901e6a3ca72a1f684925259ba0901664cae2d08e29b
- memory/2124-0-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/2124-1-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/2124-14-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/2260-131-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB