Analysis Overview
SHA256
8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74
Threat Level: Shows suspicious behavior
The file 8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:14
Reported
2024-04-07 23:17
Platform
win7-20240221-en
Max time kernel
152s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\haqckx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\haqckx.exe" | C:\ProgramData\haqckx.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe | C:\ProgramData\haqckx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe
"C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe"
C:\ProgramData\haqckx.exe
"C:\ProgramData\haqckx.exe"
Network
Files
memory/2180-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2180-1-0x0000000000400000-0x0000000000474000-memory.dmp
\ProgramData\haqckx.exe
| MD5 | b5cd52710e0dd541a40488d7e4899e14 |
| SHA1 | 2f05bd1b7a3127d7ef4377622fa333eacf742eaa |
| SHA256 | 168821702449da6f29cca57ba8dcbfdd01aebb05329580ccf4f0dcab755baedb |
| SHA512 | baf9fe45d8356975d7ebefdb2d5fc5d5ff4fed8cf576d95d6c447ca6422b7d5f43e712f777214b666c499331757c6b5a38e3a58b0b074eb9dd7c16f91408ccd2 |
C:\Documents and Settings .exe
| MD5 | fc4a7b7c127944cd9d5f0fd659cce528 |
| SHA1 | 81b9d8c935a53f9b7db13b281fad682a29de72d9 |
| SHA256 | d4dedec008a18767cd31f024d2dcf2683a77d3ac6cf02592edba0a40c46e9395 |
| SHA512 | 8ea427e98a07d810348ece034e3e98018366734aca20419d31abd86e3df36793ee2e85d0763c5234c203c22d81be52a22f4346224f084c65b47e0b72fc62b88f |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/2180-14-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1748-82-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1748-134-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:14
Reported
2024-04-07 23:16
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\uqclk.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uqclk.exe" | C:\ProgramData\uqclk.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4612 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe | C:\ProgramData\uqclk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe
"C:\Users\Admin\AppData\Local\Temp\8d679c4b34a13216f4127437804a0de9a2c2b15e2314568e6b68a11a9c267d74.exe"
C:\ProgramData\uqclk.exe
"C:\ProgramData\uqclk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4612-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/4612-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\uqclk.exe
| MD5 | b5cd52710e0dd541a40488d7e4899e14 |
| SHA1 | 2f05bd1b7a3127d7ef4377622fa333eacf742eaa |
| SHA256 | 168821702449da6f29cca57ba8dcbfdd01aebb05329580ccf4f0dcab755baedb |
| SHA512 | baf9fe45d8356975d7ebefdb2d5fc5d5ff4fed8cf576d95d6c447ca6422b7d5f43e712f777214b666c499331757c6b5a38e3a58b0b074eb9dd7c16f91408ccd2 |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/4612-9-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Documents and Settings .exe
| MD5 | 69a871e657f0b9846fa688def8dde35c |
| SHA1 | fb6d6d5893c11cbe3ccf834ad58524f61c4fe196 |
| SHA256 | c1acc11d34bccb0f8a140131aacc208e9d717a61be7ef734dfd99303c0059f6d |
| SHA512 | 76443d3745fef15d89112ad3367f2cd7b0473076b4e77563e3026ae5c18c166545d7fd538de73a02f37b8351791de894fc1d5980ff1d848ef0eea75c888b1ed0 |
memory/4592-132-0x0000000000400000-0x0000000000448000-memory.dmp