Malware Analysis Report

2025-03-14 23:11

Sample ID 240406-31cgjsfe34
Target a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584
SHA256 a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584
Tags persistence
Score 7/10

Analysis Overview

Score

7/10

SHA256

a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584

Threat Level: Shows suspicious behavior

The file a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:58

Reported

2024-04-07 00:00

Platform

win7-20231129-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\lailb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\lailb.exe" C:\ProgramData\lailb.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe

"C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe"

C:\ProgramData\lailb.exe

"C:\ProgramData\lailb.exe"

Network

N/A

Files

memory/2168-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2168-1-0x0000000000400000-0x0000000000474000-memory.dmp

\ProgramData\lailb.exe

MD5 107cb9aca928426867649e262588e54c
SHA1 cf3d0ffce42e9e34a129d012205106bbb7bd2dc2
SHA256 c8b1c6e284367c3c7e703e855d0629eff46fa32e4fd628c6a80a6c39a4432574
SHA512 767730b16aa2c86e6cea8240af25ec940fe3be95eba7a949833ea8dcdcc1b2605e088e7f2cdca7ee1ca3c8b771ea8b0754874a54c1572cc76e3b90b67f848675

memory/2168-14-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

C:\Documents and Settings .exe

MD5 13258980080abe5ade8b91f6131dc218
SHA1 37ce64c0aa5dded023e701fb2e9d83be47df5cb0
SHA256 c6a8be3316b66eff974b6bde5473ba11fb643fb6a4559e248ba4c98656c141d4
SHA512 809bef8db0f040754d3ba23a9fcce05e0aac187a4d9fd2174683c2ca8a750dab034dc273dc35f737e311bc114af8a26c4d13bd5ddb824e8b2fd4e6b3bda27d5f

memory/1692-133-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:58

Reported

2024-04-07 00:01

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\svijix.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\svijix.exe" C:\ProgramData\svijix.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe

"C:\Users\Admin\AppData\Local\Temp\a32ae101a8bb6c5173c76715cc2ed9789d226e623f3597711ddfda75f124a584.exe"

C:\ProgramData\svijix.exe

"C:\ProgramData\svijix.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/5080-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/5080-1-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\svijix.exe

MD5 107cb9aca928426867649e262588e54c
SHA1 cf3d0ffce42e9e34a129d012205106bbb7bd2dc2
SHA256 c8b1c6e284367c3c7e703e855d0629eff46fa32e4fd628c6a80a6c39a4432574
SHA512 767730b16aa2c86e6cea8240af25ec940fe3be95eba7a949833ea8dcdcc1b2605e088e7f2cdca7ee1ca3c8b771ea8b0754874a54c1572cc76e3b90b67f848675

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

memory/5080-12-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Documents and Settings .exe

MD5 43adf8a86e6947959e81f9c1da1d0ce2
SHA1 40efbeb2244f333aa6edec3cb766c63196807658
SHA256 dc1ce7d5215c2f3c96240570a9b83afc4615f9f88424145e6bc6cc8db1d739d1
SHA512 457b2547307283c8b8289c7e5d32e160bf7f3172a377865ce9aa566a8f98162e0a4ec77adfc30ff676d1e9a49389b88ce9039b4b3f8340e3d52da429a2f5c2b6

memory/2856-102-0x0000000000400000-0x0000000000448000-memory.dmp