797e52d61827ac81a4528d8ae01e56a96b26941954d644ddfa009a1a6e179fd8

Analysis

max time kernel
149s
max time network
164s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

miflash_unlock-en-6.5.224.28/miflash_unlock.exe
Size

1.2MB
MD5

cae58b1ca6545c067240cd65bbe13fb4
SHA1

e51e65408e8184a37bfc10da363eaf21aee288e8
SHA256

11fcbaf79ff507c7ba47cb541c752c6ef7d0cddc7af2df8bd396b21a45e92957
SHA512

c0872efbc4c0ecbeef9233c1ce312a044086007864799fd0b5bedf78f6d6b05d1a80e620c17f72841a6e4a732df4a652444f3c8b70cafcb847f0288f05a341a6
SSDEEP

24576:t8GSdwT+4y8wnF1WIQ0n5UgVspfjrc8IEuDyegT:/0Ocsdjrc8IDy7T

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	miflash_unlock.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	miflash_unlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	miflash_unlock.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	miflash_unlock.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	miflash_unlock.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	miflash_unlock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	miflash_unlock.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	miflash_unlock.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3080	miflash_unlock.exe
3080	miflash_unlock.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1632	3080	miflash_unlock.exe	82
PID 3080 wrote to memory of 1632	3080	miflash_unlock.exe	82
PID 3080 wrote to memory of 1632	3080	miflash_unlock.exe	82
PID 3080 wrote to memory of 3492	3080	miflash_unlock.exe	81
PID 3080 wrote to memory of 3492	3080	miflash_unlock.exe	81
PID 3080 wrote to memory of 3492	3080	miflash_unlock.exe	81

C:\Users\Admin\AppData\Local\Temp\miflash_unlock-en-6.5.224.28\miflash_unlock.exe
"C:\Users\Admin\AppData\Local\Temp\miflash_unlock-en-6.5.224.28\miflash_unlock.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\miflash_unlock-en-6.5.224.28\fastboot.exe
  C:\Users\Admin\AppData\Local\Temp\miflash_unlock-en-6.5.224.28\fastboot.exe devices
  2⤵
  PID:3492
- C:\Users\Admin\AppData\Local\Temp\miflash_unlock-en-6.5.224.28\miflash_unlock.exe
  "C:\Users\Admin\AppData\Local\Temp\miflash_unlock-en-6.5.224.28\miflash_unlock.exe" --type=renderer --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\Xiaomi\miflash_unlock\Log\cef.log" --log-severity=warning --user-agent=miNative/1.0 --enable-pinch --device-scale-factor=1 --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3080.0.120157958\1228817996" /prefetch:673131151
  2⤵
  - Checks processor information in registry
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Xiaomi\miflash_unlock\Log\cef.log

Filesize
93B

MD5
8d96983a21786b44c78eca8e08f27ad3

SHA1
b6c4e10ab43fb5fdb421a860a15d048d54663731

SHA256
b9f1177acf00f4c761ceaba9f43a91443177f44827be9156b9a838a1b501d433

SHA512
c9af305f7bdc377d3965a39e4333d9231376e46b7eff06773bce74659c0df0137145483a29a6bbb6f8c47aba884d2e33f9721a6e3377141a073d3cc6dfd9518a

Download Submit
memory/1632-14-0x000000000CA00000-0x000000000CA01000-memory.dmp

Filesize
4KB

Download
memory/3080-4-0x000000003EE00000-0x000000003EE01000-memory.dmp

Filesize
4KB

Download
memory/3080-5-0x000000002DC00000-0x000000002DC01000-memory.dmp

Filesize
4KB

Download
memory/3080-8-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/3492-16-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download