Analysis Overview
SHA256
666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4
Threat Level: Shows suspicious behavior
The file 666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4 shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:49
Reported
2024-04-06 21:51
Platform
win7-20240221-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\srocya.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\srocya.exe" | C:\ProgramData\srocya.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2244 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\srocya.exe |
| PID 2244 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\srocya.exe |
| PID 2244 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\srocya.exe |
| PID 2244 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\srocya.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe
"C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe"
C:\ProgramData\srocya.exe
"C:\ProgramData\srocya.exe"
Network
Files
memory/2244-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2244-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\srocya.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | e9d50544f96ac26bbd870a4beceb5912 |
| SHA1 | 32cda6bc3ad9c080289906d229cb715a90a3735c |
| SHA256 | 1ae01164f042874e1c16ef6c069b07e6af49b127443ac39cb5cccf928770cd7e |
| SHA512 | 638949ec14018540847745aff09dba921dc59b68584f7f9ab6d0a4b18b3a5f5cc095d83d333916bcf5fee109dbc3478951acb1db3abb23766a7bbfd2c8d6a114 |
memory/2244-12-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\Saaaalamm\Mira.h
| Algorithm | Digest |
| --- | --- |
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
C:\MSOCache .exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 9634c8b95ef5f925db10e5eb4f5903e6 |
| SHA1 | 88b456b566ef2b3db1ff348849fca68fae6dafae |
| SHA256 | 94a1162f96c4073057e18fc4ac3160bec01bec8621bdc423edf13781c10da895 |
| SHA512 | dc54ac262743d306fab3d9217490cae7db9928dababc150e0a692ad0c2d416f0b7f46ee2d9df90e2e45ebdeb15fba247d2cdf711d28554f4a0e930c67cfe5518 |
memory/2476-131-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:49
Reported
2024-04-06 21:51
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\qlkbsn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\qlkbsn.exe" | C:\ProgramData\qlkbsn.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\qlkbsn.exe |
| PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\qlkbsn.exe |
| PID 1716 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe | C:\ProgramData\qlkbsn.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe
"C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe"
C:\ProgramData\qlkbsn.exe
"C:\ProgramData\qlkbsn.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.185.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
memory/1716-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1716-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\qlkbsn.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | e9d50544f96ac26bbd870a4beceb5912 |
| SHA1 | 32cda6bc3ad9c080289906d229cb715a90a3735c |
| SHA256 | 1ae01164f042874e1c16ef6c069b07e6af49b127443ac39cb5cccf928770cd7e |
| SHA512 | 638949ec14018540847745aff09dba921dc59b68584f7f9ab6d0a4b18b3a5f5cc095d83d333916bcf5fee109dbc3478951acb1db3abb23766a7bbfd2c8d6a114 |
C:\ProgramData\Saaaalamm\Mira.h
| Algorithm | Digest |
| --- | --- |
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/1716-9-0x0000000000400000-0x0000000000474000-memory.dmp
C:\DumpStack.log.tmp .exe
| Algorithm | Digest |
| --- | --- |
| MD5 | fbc069b1a9a9ea4e2f36b3d322cd2ee7 |
| SHA1 | 070a52ecd2f3fa59ad5a5c00c1a28cd2232dc8d7 |
| SHA256 | b9c60e42c6a0221359ceae1c0b28878be50223f34652776332563f179930d83d |
| SHA512 | b3377b739f5b5f411355395cbccf528720e5adb26929b0d529515aaf82227cc6672c9a1060570ecb770c77121993dfa549dae9d36888fbe5405ae9d686376786 |
memory/1968-130-0x0000000000400000-0x0000000000448000-memory.dmp