c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
Size

395KB
MD5

ef7cbea327c9b6b03723c7affa16b41d
SHA1

9da04d2355a9ad916a33fb0abb633b1332745e1c
SHA256

c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df
SHA512

31f19cbdb0b4dec9c79769e9c797b107d7f86f6b3742a15ac09c4baf55019c8d5c357a9d5aa6c8c9de3b32d9e9b70bb3f7c567bed5b24d02b0fffae91c1bbf0c
SSDEEP

6144:AjlYKRF/LReWAsUy/ZQaE3iq3f+vknFCut30+A0EjocN1L8A2R:AjauDReWfQaE3iq3Vkut30uEksq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	twmbjs.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
2044	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\twmbjs.exe"	twmbjs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1968	2044	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	28
PID 2044 wrote to memory of 1968	2044	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	28
PID 2044 wrote to memory of 1968	2044	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	28
PID 2044 wrote to memory of 1968	2044	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	28

C:\Users\Admin\AppData\Local\Temp\c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
"C:\Users\Admin\AppData\Local\Temp\c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\ProgramData\twmbjs.exe
  "C:\ProgramData\twmbjs.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
395KB

MD5
41a5d28120e823c2a05a9826760707bf

SHA1
a645ac2c94303c283ea2dff38ef7710a52435215

SHA256
eec2383cde31cb8512e521ee1fbd3b2a03f561460110148b7fa79be13a09b4bb

SHA512
6ba5678a629e48201566f3ab27408936f378bdb5ed3cf6f4a96a3fbef72a932b87d5a790fbca068319fe1a7159fef747e1fed83a19da60503d02cf53ab21aa3d

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
e80c459f053fdd59ceec0e85a4e8d155

SHA1
e54b69e03838bf5e8029a2670fbcbbf90eac1f11

SHA256
e088559f06b3f4caea1d06fb246da111c4b88d5e81e9f95eaa99f37e1bda9df4

SHA512
719147342d7245a2bc66d4c4b6713064b7a66ad9101cb2d679c4e68a79560970081c843dfa4dfd48d6caec2c42dd0c60a6cdafacadfde513e8b57417d059af9f

Download Submit
\ProgramData\twmbjs.exe

Filesize
258KB

MD5
fc9191988b426d6a3a0981a938ecdde4

SHA1
4b1b1d116ec6a136b29da49293f29b40a8c8bab3

SHA256
4749ee11933d4c0a72d53c518b189a345c5953056758894660a6d766f08b7639

SHA512
cd77e9527d95f413907d8a9d1cddb44292bb9f1af2019cbdbf63ac0d90eca4092671ea0524c4cf1ed652bca2972d54a5412b1fcdd119757f98aa3e25dd41f625

Download Submit
memory/1968-129-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2044-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads