Analysis Overview
SHA256
5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77
Threat Level: Shows suspicious behavior
The file 5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:34
Reported
2024-04-06 21:37
Platform
win7-20240221-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\uydko.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uydko.exe" | C:\ProgramData\uydko.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\uydko.exe |
| PID 2232 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\uydko.exe |
| PID 2232 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\uydko.exe |
| PID 2232 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\uydko.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe
"C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe"
C:\ProgramData\uydko.exe
"C:\ProgramData\uydko.exe"
Network
Files
memory/2232-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2232-1-0x0000000000400000-0x0000000000474000-memory.dmp
\ProgramData\uydko.exe
| MD5 | e3dac9747f2a325ecddf85c6367f811a |
| SHA1 | d1e7c1b3aec55f6834b9e0b9b6e677288e557d3a |
| SHA256 | e15e06a0cb68c704ad1f65f536a63bed1c43973e5ed3e9bf5a7f9a7f5232f5a8 |
| SHA512 | c39187450618accd52c33825895d48548a84ddd704b3eb42856eaa84929c97d4b16ae2d98bb41a454685aab48757e85498d8a1e8a761132d63f40822f7302aa6 |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
C:\Documents and Settings .exe
| MD5 | fb5ba470b55a03f1a9611a14dfa86282 |
| SHA1 | c3fdcb0a7eb16cf264a248049eea71990222fc3f |
| SHA256 | 51b0c6e3cf2c7d362aded428754ba78a6b674751eb5334f0fdba7cf2b4107e6a |
| SHA512 | 20187fa055c515095e0a5682ef6d2c25b5f340638c41c8a2c00d57b4db699b3636f6211622243405245761d2eb92d37f1b328c72530c3863e2bc3764bffa7c2a |
memory/2232-14-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2456-137-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:34
Reported
2024-04-06 21:37
Platform
win10v2004-20240319-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\aflly.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\aflly.exe" | C:\ProgramData\aflly.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\aflly.exe |
| PID 2480 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\aflly.exe |
| PID 2480 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe | C:\ProgramData\aflly.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe
"C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe"
C:\ProgramData\aflly.exe
"C:\ProgramData\aflly.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2256,i,16750283575152780128,2524258836761969159,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| GB | 13.105.221.16:443 | tcp | |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
memory/2480-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2480-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\aflly.exe
| MD5 | e3dac9747f2a325ecddf85c6367f811a |
| SHA1 | d1e7c1b3aec55f6834b9e0b9b6e677288e557d3a |
| SHA256 | e15e06a0cb68c704ad1f65f536a63bed1c43973e5ed3e9bf5a7f9a7f5232f5a8 |
| SHA512 | c39187450618accd52c33825895d48548a84ddd704b3eb42856eaa84929c97d4b16ae2d98bb41a454685aab48757e85498d8a1e8a761132d63f40822f7302aa6 |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/2480-9-0x0000000000400000-0x0000000000474000-memory.dmp
C:\DumpStack.log.tmp .exe
| MD5 | 57d40a84fb32edc9c5789b19beae163f |
| SHA1 | 308255f4d42e432e232d2fb983f745a3cb6bb887 |
| SHA256 | dc298da1c8378bc1234428069ac181499109c1122bf87d2e2504a4083c7352ff |
| SHA512 | c1466d3708b81fcf77ba7375a17fdf48c8648da660e47732a52435435229ba7440ee40b401443af47b84e16f20054e05a59b4528fe8a0e418bb37a27892ec3db |
memory/3388-100-0x0000000000400000-0x0000000000448000-memory.dmp