814847b7c084a316dd0eddaa40416d1ac5ef3ff22aa3d2c8ac442c396bc1fa73

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 04:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7b8f03991a3b2b5b49abd82b0fa06d4.exe
Size

13KB
MD5

c7b8f03991a3b2b5b49abd82b0fa06d4
SHA1

eda5c004ddd55d03591960f7f030f9882ba1d869
SHA256

814847b7c084a316dd0eddaa40416d1ac5ef3ff22aa3d2c8ac442c396bc1fa73
SHA512

538afe7b83701b6387dbd0f82d395b5f1267fbbd3f4129795f5ae669b6f70be2aa7a84cafdf9be204f49f844f2f30fb0eeddd98b3ce0d7aa3dc9f43d64bb8af3
SSDEEP

384:ESKNf9dQqPME2szOrimQYSJ2zDzqq4/2d:BKNjQoMvszoimQfJuzqe

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	mirwzntk.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe
2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mirwznt.dll	c7b8f03991a3b2b5b49abd82b0fa06d4.exe
File created	C:\Windows\SysWOW64\mirwzntk.exe	c7b8f03991a3b2b5b49abd82b0fa06d4.exe
File opened for modification	C:\Windows\SysWOW64\mirwzntk.exe	c7b8f03991a3b2b5b49abd82b0fa06d4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2260	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	28
PID 2824 wrote to memory of 2260	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	28
PID 2824 wrote to memory of 2260	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	28
PID 2824 wrote to memory of 2260	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	28
PID 2824 wrote to memory of 2532	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	29
PID 2824 wrote to memory of 2532	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	29
PID 2824 wrote to memory of 2532	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	29
PID 2824 wrote to memory of 2532	2824	c7b8f03991a3b2b5b49abd82b0fa06d4.exe	29

C:\Users\Admin\AppData\Local\Temp\c7b8f03991a3b2b5b49abd82b0fa06d4.exe
"C:\Users\Admin\AppData\Local\Temp\c7b8f03991a3b2b5b49abd82b0fa06d4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\mirwzntk.exe
  C:\Windows\system32\mirwzntk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\c7b8f03991a3b2b5b49abd82b0fa06d4.exe.bat
  2⤵
  - Deletes itself
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c7b8f03991a3b2b5b49abd82b0fa06d4.exe.bat

Filesize
182B

MD5
5c26f52bdceb4cf3a5850dad2c2d48d6

SHA1
0f9d8b67c43c30a36c4fbf6551e1a3cec1f29be6

SHA256
8f80701513349956a16767cceae6b2c4461889586b1411ccd816238423107857

SHA512
6d9ec11795a0ff728d51b9d243c810e9a65cef6c6b7e60841c658f29a8c4d0e5f320c181db6c4254eddc6b25ef06d390e8b4fe643f65843b1183e4155d4f9679

Download Submit
\Windows\SysWOW64\mirwzntk.exe

Filesize
13KB

MD5
c7b8f03991a3b2b5b49abd82b0fa06d4

SHA1
eda5c004ddd55d03591960f7f030f9882ba1d869

SHA256
814847b7c084a316dd0eddaa40416d1ac5ef3ff22aa3d2c8ac442c396bc1fa73

SHA512
538afe7b83701b6387dbd0f82d395b5f1267fbbd3f4129795f5ae669b6f70be2aa7a84cafdf9be204f49f844f2f30fb0eeddd98b3ce0d7aa3dc9f43d64bb8af3

Download Submit
memory/2260-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2260-13-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2824-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2824-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2824-5-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2824-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download