Malware Analysis Report

2025-03-14 23:28

Sample ID 240407-wt6cqaba77
Target 046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e
SHA256 046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e
Tags
persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:13

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:13

Reported

2024-04-07 18:17

Platform

win7-20240221-en

Max time kernel

171s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\libmir.exe
Target: N/A

Adds Run key to start application

Tag: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\libmir.exe"
Process: C:\ProgramData\libmir.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe

"C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe"

C:\ProgramData\libmir.exe

"C:\ProgramData\libmir.exe"

Network

N/A

Files

memory/2532-0-0x0000000000400000-0x000000000047C000-memory.dmp

memory/2532-1-0x0000000000400000-0x000000000047C000-memory.dmp

\ProgramData\libmir.exe

MD5 1e9139a4cf7586395dd62c39012634f8
SHA1 ab2f3277fb6afafcb0a024004656cf36c8fce4f2
SHA256 8b24af510ea0af246730879f235288f609b2f0d2dda8c15770e9cc8f919e2e98
SHA512 5e4e27126e7c93784d54646be5a7aae39aa00ac39bba624d581bb53be917b3de931f2872e9165bc812be627200f07b7ffa94e24c774e8be49373cca7637ab925

memory/2532-12-0x0000000000400000-0x000000000047C000-memory.dmp

C:\ProgramData\Saaaalamm\Mira.h

MD5 a52d6cb53c4c31e9f5ad53a356adf9dd
SHA1 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
SHA256 f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
SHA512 6d86153ffb8c803092d4fe30f1df1371657023eb10fd56dfeca684ff13a3222f64b11592576d3990f14cf915987a3372cf89774f811ef33dbd5f1b7db5ba681b

C:\MSOCache .exe

MD5 8ebed831921df187a17f3b32ec98a9f9
SHA1 20718ca0a0c0bc227f52eb9913734bfac8b721da
SHA256 ab9f1eb60659a6b6d469320431854690af038ce4b469e13153c18af1e0b0c7da
SHA512 13016d6aa620ae8033e9b4ca08b360b82a2ce46e114b8da0a191fea8059f87ac9efce50071dfecfd3a71c6e9c1c7cda3eef74b6f853ac3d68119f3f870d229e7

memory/2552-131-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2552-170-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2552-177-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2552-632-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:13

Reported

2024-04-07 18:16

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\ProgramData\imjne.exe
Target: N/A

Adds Run key to start application

Tag: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\imjne.exe"
Process: C:\ProgramData\imjne.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe

"C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe"

C:\ProgramData\imjne.exe

"C:\ProgramData\imjne.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/1100-0-0x0000000000400000-0x000000000047C000-memory.dmp

memory/1100-1-0x0000000000400000-0x000000000047C000-memory.dmp

C:\ProgramData\imjne.exe

MD5 1e9139a4cf7586395dd62c39012634f8
SHA1 ab2f3277fb6afafcb0a024004656cf36c8fce4f2
SHA256 8b24af510ea0af246730879f235288f609b2f0d2dda8c15770e9cc8f919e2e98
SHA512 5e4e27126e7c93784d54646be5a7aae39aa00ac39bba624d581bb53be917b3de931f2872e9165bc812be627200f07b7ffa94e24c774e8be49373cca7637ab925

memory/1100-9-0x0000000000400000-0x000000000047C000-memory.dmp

C:\ProgramData\Saaaalamm\Mira.h

MD5 a52d6cb53c4c31e9f5ad53a356adf9dd
SHA1 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
SHA256 f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
SHA512 6d86153ffb8c803092d4fe30f1df1371657023eb10fd56dfeca684ff13a3222f64b11592576d3990f14cf915987a3372cf89774f811ef33dbd5f1b7db5ba681b

C:\Documents and Settings .exe

MD5 0df6a19cbf0ac927106913a6922039e4
SHA1 2c3d2988f231e95fc3ba623a6bbc14d7e7bfdee3
SHA256 6c667eb22f361e80b665d3add113681aee524c67e0eb35084238ecfdf513ddb6
SHA512 85837d0df6e447c392382ac5507170e68f181135f2703d8ffc0bb317079203123c0959c7a583e72e8984f6aa2edf491477a7e87e33e4c2286d14a03ec548fe46

memory/1708-132-0x0000000000400000-0x0000000000448000-memory.dmp