c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
Size

395KB
MD5

ef7cbea327c9b6b03723c7affa16b41d
SHA1

9da04d2355a9ad916a33fb0abb633b1332745e1c
SHA256

c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df
SHA512

31f19cbdb0b4dec9c79769e9c797b107d7f86f6b3742a15ac09c4baf55019c8d5c357a9d5aa6c8c9de3b32d9e9b70bb3f7c567bed5b24d02b0fffae91c1bbf0c
SSDEEP

6144:AjlYKRF/LReWAsUy/ZQaE3iq3f+vknFCut30+A0EjocN1L8A2R:AjauDReWfQaE3iq3Vkut30uEksq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3296	brlxq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\brlxq.exe"	brlxq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3296	3068	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	86
PID 3068 wrote to memory of 3296	3068	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	86
PID 3068 wrote to memory of 3296	3068	c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe	86

C:\Users\Admin\AppData\Local\Temp\c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe
"C:\Users\Admin\AppData\Local\Temp\c0d6ad8a6aab6b38cbd58483420476747afcd7e1722a92780c8054e0307e34df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\ProgramData\brlxq.exe
  "C:\ProgramData\brlxq.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe

Filesize
395KB

MD5
bde860bc41da1cf784cc3a009dfc98ad

SHA1
e80128c1ccb3dd9d81eceaccad8c4df61a531f61

SHA256
a069d3e62356198ea67396cfd56f3284325af89b1eb34acf3c5e9b5b5143f126

SHA512
dfdfb6aa5ed731af640e5e85ae64bb536a81c20e8fbada4c1e306df00b97fb4de21ebbb11bd1b7831cbbc2a5c084d1a78776fe37c85b3d672a6b9fbba4a7aa16

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
e80c459f053fdd59ceec0e85a4e8d155

SHA1
e54b69e03838bf5e8029a2670fbcbbf90eac1f11

SHA256
e088559f06b3f4caea1d06fb246da111c4b88d5e81e9f95eaa99f37e1bda9df4

SHA512
719147342d7245a2bc66d4c4b6713064b7a66ad9101cb2d679c4e68a79560970081c843dfa4dfd48d6caec2c42dd0c60a6cdafacadfde513e8b57417d059af9f

Download Submit
C:\ProgramData\brlxq.exe

Filesize
258KB

MD5
fc9191988b426d6a3a0981a938ecdde4

SHA1
4b1b1d116ec6a136b29da49293f29b40a8c8bab3

SHA256
4749ee11933d4c0a72d53c518b189a345c5953056758894660a6d766f08b7639

SHA512
cd77e9527d95f413907d8a9d1cddb44292bb9f1af2019cbdbf63ac0d90eca4092671ea0524c4cf1ed652bca2972d54a5412b1fcdd119757f98aa3e25dd41f625

Download Submit
memory/3068-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3296-128-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads