Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:01
Static task: static1
Behavioral task: behavioral1
  Sample: 74eb6ab375801443f3493f973bdfcb91.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 74eb6ab375801443f3493f973bdfcb91.exe
  Resource: win10v2004-20231215-en
General
Target: 74eb6ab375801443f3493f973bdfcb91.exe
Size: 404KB
MD5: 74eb6ab375801443f3493f973bdfcb91
SHA1: b6c9dbe98e61a7dd1e4c00c9d7643562928a85a1
SHA256: 0e85cb703779c76167f601356a9c5ae59a591cc106ecb125169934b94ea2fa3a
SHA512: c0fa5e829b1bda2393f03007bef156fe501cb69f6d9190247bdb7085b0c34b46a2ab1aa77f4aa6114423e7710e12419bf51250544b99e7ae075b934ea265860c
SSDEEP: 6144:4jlYKRF/LReWAsUyawmHD2rXo3chzMI6YtgyoH9WFqXdH1:4jauDReW0jz3yv6YtgyWKqXD
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 4820  process cimhi.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    process cimhi.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\cimhi.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 5028 wrote to memory of 4820 | 5028 | 74eb6ab375801443f3493f973bdfcb91.exe | cimhi.exe
    PID 5028 wrote to memory of 4820 | 5028 | 74eb6ab375801443f3493f973bdfcb91.exe | cimhi.exe
    PID 5028 wrote to memory of 4820 | 5028 | 74eb6ab375801443f3493f973bdfcb91.exe | cimhi.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\74eb6ab375801443f3493f973bdfcb91.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74eb6ab375801443f3493f973bdfcb91.exe"
   PID: 5028
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\cimhi.exe
      Command line: "C:\ProgramData\cimhi.exe"
      PID: 4820
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\DumpStack.log.tmp .exe
  Filesize: 404KB
  MD5: dbe5a27592de47e8e4fb49d2b12c7ba9
  SHA1: 3b72dbe8f5a32b89ff650e6f9141c4007c67700d
  SHA256: 912e77015deab7299751b7399fd5261b58314faf70d927b760ac763f30a5bf0d
  SHA512: 12ce3268de99dc4706dd88b4172a7feece3af778d98c6ff78c2112dceb9a5e834f213c7fdaccc2733ddc0f7d7a832a797814770cc942bd7e35e703f55e956819
- C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 136KB
  MD5: cb4c442a26bb46671c638c794bf535af
  SHA1: 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
  SHA256: f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
  SHA512: 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3
- C:\ProgramData\cimhi.exe
  Filesize: 267KB
  MD5: d3c1493f93768dc9a751af894021ee1f
  SHA1: a12639712c71692ba49fbc6a334cfbb3a79732df
  SHA256: d7d79d4c3dff25a6636e6cd52715cf74cd75fa0c6354a2324c2fd43e7406166a
  SHA512: bcd3ee722c4203c5240380765858db4f18d97276c0c9ab2cb5beb6d2f13d47d56b0c35eacfc259e587689901e6a3ca72a1f684925259ba0901664cae2d08e29b
- memory/4820-130-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
- memory/5028-0-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/5028-1-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/5028-9-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB