Malware Analysis Report

2025-03-14 22:52

Sample ID: 240406-1ey3babf2z
Target: 5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77
SHA256: 5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77

Threat Level: Shows suspicious behavior

The file 5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 21:34

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 21:34
Reported: 2024-04-06 21:37
Platform: win7-20240221-en
Max time kernel: 148s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\uydko.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uydko.exe"
Process: C:\ProgramData\uydko.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe

"C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe"

C:\ProgramData\uydko.exe

"C:\ProgramData\uydko.exe"

Network

N/A

Files

memory/2232-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2232-1-0x0000000000400000-0x0000000000474000-memory.dmp

\ProgramData\uydko.exe

MD5 e3dac9747f2a325ecddf85c6367f811a
SHA1 d1e7c1b3aec55f6834b9e0b9b6e677288e557d3a
SHA256 e15e06a0cb68c704ad1f65f536a63bed1c43973e5ed3e9bf5a7f9a7f5232f5a8
SHA512 c39187450618accd52c33825895d48548a84ddd704b3eb42856eaa84929c97d4b16ae2d98bb41a454685aab48757e85498d8a1e8a761132d63f40822f7302aa6

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

C:\Documents and Settings .exe

MD5 fb5ba470b55a03f1a9611a14dfa86282
SHA1 c3fdcb0a7eb16cf264a248049eea71990222fc3f
SHA256 51b0c6e3cf2c7d362aded428754ba78a6b674751eb5334f0fdba7cf2b4107e6a
SHA512 20187fa055c515095e0a5682ef6d2c25b5f340638c41c8a2c00d57b4db699b3636f6211622243405245761d2eb92d37f1b328c72530c3863e2bc3764bffa7c2a

memory/2232-14-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2456-137-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 21:34
Reported: 2024-04-06 21:37
Platform: win10v2004-20240319-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\aflly.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\aflly.exe"
Process: C:\ProgramData\aflly.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe

"C:\Users\Admin\AppData\Local\Temp\5fe0dfa5f68b71c922db32e16bb56aadf3a087d68f673f475a2664f59dd2cc77.exe"

C:\ProgramData\aflly.exe

"C:\ProgramData\aflly.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2256,i,16750283575152780128,2524258836761969159,262144 --variations-seed-version /prefetch:8

Network


Files

memory/2480-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2480-1-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\aflly.exe

MD5 e3dac9747f2a325ecddf85c6367f811a
SHA1 d1e7c1b3aec55f6834b9e0b9b6e677288e557d3a
SHA256 e15e06a0cb68c704ad1f65f536a63bed1c43973e5ed3e9bf5a7f9a7f5232f5a8
SHA512 c39187450618accd52c33825895d48548a84ddd704b3eb42856eaa84929c97d4b16ae2d98bb41a454685aab48757e85498d8a1e8a761132d63f40822f7302aa6

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

memory/2480-9-0x0000000000400000-0x0000000000474000-memory.dmp

C:\DumpStack.log.tmp .exe

MD5 57d40a84fb32edc9c5789b19beae163f
SHA1 308255f4d42e432e232d2fb983f745a3cb6bb887
SHA256 dc298da1c8378bc1234428069ac181499109c1122bf87d2e2504a4083c7352ff
SHA512 c1466d3708b81fcf77ba7375a17fdf48c8648da660e47732a52435435229ba7440ee40b401443af47b84e16f20054e05a59b4528fe8a0e418bb37a27892ec3db

memory/3388-100-0x0000000000400000-0x0000000000448000-memory.dmp