Analysis Overview
SHA256
a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584
Threat Level: Shows suspicious behavior
The file a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:58
Reported
2024-04-07 00:00
Platform
win7-20231129-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\lailb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\lailb.exe" | C:\ProgramData\lailb.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2168 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\lailb.exe |
| PID 2168 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\lailb.exe |
| PID 2168 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\lailb.exe |
| PID 2168 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\lailb.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe
"C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe"
C:\ProgramData\lailb.exe
"C:\ProgramData\lailb.exe"
Network
Files
memory/2168-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2168-1-0x0000000000400000-0x0000000000474000-memory.dmp
\ProgramData\lailb.exe
| Hash | Value |
| --- | --- |
| MD5 | 107cb9aca928426867649e262588e54c |
| SHA1 | cf3d0ffce42e9e34a129d012205106bbb7bd2dc2 |
| SHA256 | c8b1c6e284367c3c7e703e855d0629eff46fa32e4fd628c6a80a6c39a4432574 |
| SHA512 | 767730b16aa2c86e6cea8240af25ec940fe3be95eba7a949833ea8dcdcc1b2605e088e7f2cdca7ee1ca3c8b771ea8b0754874a54c1572cc76e3b90b67f848675 |
memory/2168-14-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\Saaaalamm\Mira.h
| Hash | Value |
| --- | --- |
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
C:\Documents and Settings .exe
| Hash | Value |
| --- | --- |
| MD5 | 13258980080abe5ade8b91f6131dc218 |
| SHA1 | 37ce64c0aa5dded023e701fb2e9d83be47df5cb0 |
| SHA256 | c6a8be3316b66eff974b6bde5473ba11fb643fb6a4559e248ba4c98656c141d4 |
| SHA512 | 809bef8db0f040754d3ba23a9fcce05e0aac187a4d9fd2174683c2ca8a750dab034dc273dc35f737e311bc114af8a26c4d13bd5ddb824e8b2fd4e6b3bda27d5f |
memory/1692-133-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:58
Reported
2024-04-07 00:01
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\svijix.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\svijix.exe" | C:\ProgramData\svijix.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5080 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\svijix.exe |
| PID 5080 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\svijix.exe |
| PID 5080 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe | C:\ProgramData\svijix.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe
"C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe"
C:\ProgramData\svijix.exe
"C:\ProgramData\svijix.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/5080-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/5080-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\svijix.exe
| Hash | Value |
| --- | --- |
| MD5 | 107cb9aca928426867649e262588e54c |
| SHA1 | cf3d0ffce42e9e34a129d012205106bbb7bd2dc2 |
| SHA256 | c8b1c6e284367c3c7e703e855d0629eff46fa32e4fd628c6a80a6c39a4432574 |
| SHA512 | 767730b16aa2c86e6cea8240af25ec940fe3be95eba7a949833ea8dcdcc1b2605e088e7f2cdca7ee1ca3c8b771ea8b0754874a54c1572cc76e3b90b67f848675 |
C:\ProgramData\Saaaalamm\Mira.h
| Hash | Value |
| --- | --- |
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/5080-12-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Documents and Settings .exe
| Hash | Value |
| --- | --- |
| MD5 | 43adf8a86e6947959e81f9c1da1d0ce2 |
| SHA1 | 40efbeb2244f333aa6edec3cb766c63196807658 |
| SHA256 | dc1ce7d5215c2f3c96240570a9b83afc4615f9f88424145e6bc6cc8db1d739d1 |
| SHA512 | 457b2547307283c8b8289c7e5d32e160bf7f3172a377865ce9aa566a8f98162e0a4ec77adfc30ff676d1e9a49389b88ce9039b4b3f8340e3d52da429a2f5c2b6 |
memory/2856-102-0x0000000000400000-0x0000000000448000-memory.dmp