556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e

Analysis

max time kernel
152s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe
Size

932KB
MD5

339c3c26120fb2b959f45b50fdc41fdc
SHA1

84643b42b02adf7acc2ea1a0cce7cec67a912e9d
SHA256

556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e
SHA512

2a00bdc96a69d8dec6f1eeaf0c88163bcfcfe0d856151584d3c9caefcbc555190054bb549f0684209cb73bee9753c9426a76089ddd2e1594b5a5f05bc43bcb9b
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0FoWxJpcEi0/3IWV//7cSd2A4E4oVJK:71/aGLDCM4D8ayGMZo8/9/a

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	uesdas.exe

Loads dropped DLL 2 IoCs

pid	Process
1380	556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe
1380	556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uesdas.exe"	uesdas.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2696	1380	556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe	28
PID 1380 wrote to memory of 2696	1380	556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe	28
PID 1380 wrote to memory of 2696	1380	556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe	28
PID 1380 wrote to memory of 2696	1380	556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe	28

C:\Users\Admin\AppData\Local\Temp\556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe
"C:\Users\Admin\AppData\Local\Temp\556d716d1e384f97e15c634527068e40ad2043e361e1cf45c6f9f3ae45789b9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380
- C:\ProgramData\uesdas.exe
  "C:\ProgramData\uesdas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
932KB

MD5
93edc4dfd695193fe2de1e7cc3ba44b3

SHA1
e3989bb289a49361911646c812a7b2474374e8c4

SHA256
f8152d3e08dfa129becf3b867ca6dbaa24dde2fda46a1b6b3c9b31c81e138624

SHA512
e304955f7c2357fcb2e33d8ddc37b697a413eb78de1bd9a09d887bcb228fbc298cf0517ba015753d28342cedc1b5dab006114c3bc1865a6cca9f1e185ed82559

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
477KB

MD5
71e38cb8371fa644436922e0eee6040d

SHA1
6e9e897cb95fd8434891e87a584f5f1b9482cae2

SHA256
2c97f31658ca63791439d384a5c4488bdca89adac6c363c2cc97e5763af30db4

SHA512
852954de6ce9732c6533d475ebd22f308c5659690d5197dd5865cde0ef740b40f380035baf8d9e6e38dc0541b5f16ffb01ea1560cbb89528ec4b2214c7fcc3be

Download Submit
\ProgramData\uesdas.exe

Filesize
454KB

MD5
68dacd73d80428aba56253ebbf64b82a

SHA1
26ad25b72691f40c606a29ed0cc24f9a991b2300

SHA256
fd5d949a0ff1fe48b9f9188e3b8816fcd310b81890b023777942b70333708bfe

SHA512
f1bee1be7f93d178b2d4214affa4de6183ca000cb86fadd3b24854c971f23c2896116fb1ebd72395b81ebe09fa39f93f4b12f2c4eb521e4e117f76ed6e6e22ec

Download Submit
memory/1380-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1380-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2696-101-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads