Malware Analysis Report

2025-03-14 22:54

Sample ID 240406-1pfcysca2s
Target 666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4
SHA256 666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4

Threat Level: Shows suspicious behavior

The file 666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:49

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:49

Reported

2024-04-06 21:51

Platform

win7-20240221-en

Max time kernel

148s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\srocya.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\srocya.exe"
Process: C:\ProgramData\srocya.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe

"C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe"

C:\ProgramData\srocya.exe

"C:\ProgramData\srocya.exe"

Network

N/A

Files

memory/2244-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2244-1-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\srocya.exe

MD5 e9d50544f96ac26bbd870a4beceb5912
SHA1 32cda6bc3ad9c080289906d229cb715a90a3735c
SHA256 1ae01164f042874e1c16ef6c069b07e6af49b127443ac39cb5cccf928770cd7e
SHA512 638949ec14018540847745aff09dba921dc59b68584f7f9ab6d0a4b18b3a5f5cc095d83d333916bcf5fee109dbc3478951acb1db3abb23766a7bbfd2c8d6a114

memory/2244-12-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

C:\MSOCache .exe

MD5 9634c8b95ef5f925db10e5eb4f5903e6
SHA1 88b456b566ef2b3db1ff348849fca68fae6dafae
SHA256 94a1162f96c4073057e18fc4ac3160bec01bec8621bdc423edf13781c10da895
SHA512 dc54ac262743d306fab3d9217490cae7db9928dababc150e0a692ad0c2d416f0b7f46ee2d9df90e2e45ebdeb15fba247d2cdf711d28554f4a0e930c67cfe5518

memory/2476-131-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:49

Reported

2024-04-06 21:51

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\qlkbsn.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\qlkbsn.exe"
Process: C:\ProgramData\qlkbsn.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe

"C:\Users\Admin\AppData\Local\Temp\666e62e6dba72a7662799bf567507d87f20e9793aa88f4a229e26e40dc9abbd4.exe"

C:\ProgramData\qlkbsn.exe

"C:\ProgramData\qlkbsn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 159.185.200.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/1716-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1716-1-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\qlkbsn.exe

MD5 e9d50544f96ac26bbd870a4beceb5912
SHA1 32cda6bc3ad9c080289906d229cb715a90a3735c
SHA256 1ae01164f042874e1c16ef6c069b07e6af49b127443ac39cb5cccf928770cd7e
SHA512 638949ec14018540847745aff09dba921dc59b68584f7f9ab6d0a4b18b3a5f5cc095d83d333916bcf5fee109dbc3478951acb1db3abb23766a7bbfd2c8d6a114

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

memory/1716-9-0x0000000000400000-0x0000000000474000-memory.dmp

C:\DumpStack.log.tmp .exe

MD5 fbc069b1a9a9ea4e2f36b3d322cd2ee7
SHA1 070a52ecd2f3fa59ad5a5c00c1a28cd2232dc8d7
SHA256 b9c60e42c6a0221359ceae1c0b28878be50223f34652776332563f179930d83d
SHA512 b3377b739f5b5f411355395cbccf528720e5adb26929b0d529515aaf82227cc6672c9a1060570ecb770c77121993dfa549dae9d36888fbe5405ae9d686376786

memory/1968-130-0x0000000000400000-0x0000000000448000-memory.dmp