Analysis Overview
SHA256
046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e
Threat Level: Shows suspicious behavior
The file 046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:17
Platform
win7-20240221-en
Max time kernel
171s
Max time network
136s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\libmir.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\libmir.exe" | C:\ProgramData\libmir.exe | N/A |
The dropped copy registers itself under the current user's hive (HKCU, no elevation required), with a value name that imitates a Microsoft product down to the ® characters and data pointing at a user-writable directory. A Run value named like a Microsoft component whose binary lives outside C:\Windows or Program Files is the combination worth hunting for.
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2552 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe | C:\ProgramData\libmir.exe |
All four writes go from the original sample (PID 2532) into the dropped copy it launched (PID 2552). A parent writing into a child it has just created is also done by legitimate launchers, so this signature on its own does not prove injection; the PID 2552 dumps listed under Files (0x400000-0x448000) are the artifacts to compare against libmir.exe on disk to tell a plain drop-and-run from an image that was replaced in memory.
Processes
C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe
"C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe"
C:\ProgramData\libmir.exe
"C:\ProgramData\libmir.exe"
Network
Files
memory/2532-0-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2532-1-0x0000000000400000-0x000000000047C000-memory.dmp
\ProgramData\libmir.exe
| MD5 | 1e9139a4cf7586395dd62c39012634f8 |
| SHA1 | ab2f3277fb6afafcb0a024004656cf36c8fce4f2 |
| SHA256 | 8b24af510ea0af246730879f235288f609b2f0d2dda8c15770e9cc8f919e2e98 |
| SHA512 | 5e4e27126e7c93784d54646be5a7aae39aa00ac39bba624d581bb53be917b3de931f2872e9165bc812be627200f07b7ffa94e24c774e8be49373cca7637ab925 |
These hashes are identical to C:\ProgramData\imjne.exe in the behavioral2 run: the payload does not change, only the file name it is dropped under, so detection should key on the hash and on the ProgramData-plus-Run-key pattern rather than on the name.
memory/2532-12-0x0000000000400000-0x000000000047C000-memory.dmp
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | a52d6cb53c4c31e9f5ad53a356adf9dd |
| SHA1 | 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101 |
| SHA256 | f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8 |
| SHA512 | 6d86153ffb8c803092d4fe30f1df1371657023eb10fd56dfeca684ff13a3222f64b11592576d3990f14cf915987a3372cf89774f811ef33dbd5f1b7db5ba681b |
C:\MSOCache .exe
| MD5 | 8ebed831921df187a17f3b32ec98a9f9 |
| SHA1 | 20718ca0a0c0bc227f52eb9913734bfac8b721da |
| SHA256 | ab9f1eb60659a6b6d469320431854690af038ce4b469e13153c18af1e0b0c7da |
| SHA512 | 13016d6aa620ae8033e9b4ca08b360b82a2ce46e114b8da0a191fea8059f87ac9efce50071dfecfd3a71c6e9c1c7cda3eef74b6f853ac3d68119f3f870d229e7 |
The file name is a well-known root-level folder name (MSOCache) with a space and ".exe" appended, so with extensions hidden it displays like the folder itself. Unlike the dropped payload, this file's hashes differ from the equivalent file in the behavioral2 run (C:\Documents and Settings .exe), so its content is not fixed across runs.
memory/2552-131-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2552-170-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2552-177-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2552-632-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:13
Reported
2024-04-07 18:16
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\imjne.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\imjne.exe" | C:\ProgramData\imjne.exe | N/A |
Same persistence as on Windows 7: the dropped copy writes its own path into the current user's Run key under a Microsoft-sounding value name, with only the drop name changed.
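The Run-key entries recorded in both the behavioral1 and behavioral2 runs are the kind of thing a host-based detection should flag. The following is an added example, not part of the sandbox output: a small detector run over Sysmon-style "registry value set" (Event ID 13) records. The three records are constructed here, two reproducing the Run values from this report and one benign control entry; the field names follow Sysmon, but nothing was exported from a real host.

```python
"""Score Run-key autostart entries for the pattern seen in this report.

Added example, not part of the sandbox output.  SAMPLE_EVENTS is
constructed: two records reproduce the Run values from the behavioral1
and behavioral2 runs, the third is a benign Defender tray entry.
"""
import re
import unicodedata

# Matches the value-name part of a Run/RunOnce key path in either the
# sandbox's \REGISTRY\USER\... form or Sysmon's HKU\... / HKLM\... form.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Directories a non-admin dropper can write to.  An autostart pointing here
# deserves a look; one pointing into C:\Windows or Program Files usually not.
USER_WRITABLE = (
    "c:\\programdata\\",
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files", "%windir%\\", "%programfiles%")
MS_BRAND_WORDS = ("microsoft", "windows", "operating system", "defender")


def exe_from_run_value(data: str) -> str:
    """Pull the executable path out of Run data such as '"C:\\x.exe" /arg'."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def score_run_key_event(event: dict) -> list[str]:
    """Return reason tags for one event; an empty list means nothing notable."""
    m = RUN_KEY_RE.search(event["TargetObject"])
    if not m:
        return []                      # not a Run/RunOnce value at all
    name = m.group("name")
    exe = exe_from_run_value(event["Details"]).lower()
    reasons = []
    if any(p in exe for p in USER_WRITABLE):
        reasons.append("user-writable-path")
    # ® and ™ are Unicode category "So"; genuine Microsoft autostarts never use them.
    if any(unicodedata.category(ch) == "So" for ch in name):
        reasons.append("symbol-in-name")
    if any(w in name.lower() for w in MS_BRAND_WORDS) and not exe.startswith(TRUSTED_ROOTS):
        reasons.append("brand-impersonation")
    # The process writing the value is the very binary it registers.
    if event.get("Image", "").lower() == exe:
        reasons.append("self-registration")
    return reasons


def run_detections(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (value name, writing process, reasons) for every flagged event."""
    flagged = []
    for ev in events:
        reasons = score_run_key_event(ev)
        if reasons:
            name = RUN_KEY_RE.search(ev["TargetObject"]).group("name")
            flagged.append((name, ev.get("Image", ""), reasons))
    return flagged


# Constructed records (Sysmon Event ID 13 field names, values from this report).
SAMPLE_EVENTS = [
    {   # behavioral1 (win7-20240221-en)
        "EventID": 13,
        "Image": r"C:\ProgramData\libmir.exe",
        "TargetObject": r"\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System",
        "Details": r'"C:\ProgramData\libmir.exe"',
    },
    {   # behavioral2 (win10v2004-20240226-en)
        "EventID": 13,
        "Image": r"C:\ProgramData\imjne.exe",
        "TargetObject": r"HKU\S-1-5-21-983155329-280873152-1838004294-1000"
                        r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System",
        "Details": r'"C:\ProgramData\imjne.exe"',
    },
    {   # benign control: Defender tray icon registered by an installer (constructed)
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"%windir%\system32\SecurityHealthSystray.exe",
    },
]

if __name__ == "__main__":
    for name, image, why in run_detections(SAMPLE_EVENTS):
        print(f"{name!r} written by {image}: {', '.join(why)}")
```

Each reason is a separate tag so an analyst can tune them independently: "user-writable-path" on its own is noisy (OneDrive and many updaters register from AppData), whereas "symbol-in-name" plus "brand-impersonation" together almost never occur in legitimate autostarts.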
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1100 wrote to memory of 1708 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe | C:\ProgramData\imjne.exe |
As in the Windows 7 run, the writes come from the sample into the child it spawned, which legitimate launchers also do; the single PID 1708 dump at 0x400000-0x448000 (under Files) is the artifact to diff against imjne.exe on disk before calling this injection.
Processes
C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe
"C:\Users\Admin\AppData\Local\Temp\046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e.exe"
C:\ProgramData\imjne.exe
"C:\ProgramData\imjne.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
The only traffic recorded is a series of reverse (PTR) lookups via 8.8.8.8 for addresses in Microsoft cloud and CDN ranges, with no forward lookups, no TCP connections, and nothing at all in the Windows 7 run. That is consistent with the Windows 10 image's own background activity rather than with the sample contacting infrastructure, so these names should not be promoted to indicators without corroboration.
Files
memory/1100-0-0x0000000000400000-0x000000000047C000-memory.dmp
memory/1100-1-0x0000000000400000-0x000000000047C000-memory.dmp
C:\ProgramData\imjne.exe
| MD5 | 1e9139a4cf7586395dd62c39012634f8 |
| SHA1 | ab2f3277fb6afafcb0a024004656cf36c8fce4f2 |
| SHA256 | 8b24af510ea0af246730879f235288f609b2f0d2dda8c15770e9cc8f919e2e98 |
| SHA512 | 5e4e27126e7c93784d54646be5a7aae39aa00ac39bba624d581bb53be917b3de931f2872e9165bc812be627200f07b7ffa94e24c774e8be49373cca7637ab925 |
memory/1100-9-0x0000000000400000-0x000000000047C000-memory.dmp
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | a52d6cb53c4c31e9f5ad53a356adf9dd |
| SHA1 | 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101 |
| SHA256 | f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8 |
| SHA512 | 6d86153ffb8c803092d4fe30f1df1371657023eb10fd56dfeca684ff13a3222f64b11592576d3990f14cf915987a3372cf89774f811ef33dbd5f1b7db5ba681b |
C:\Documents and Settings .exe
| MD5 | 0df6a19cbf0ac927106913a6922039e4 |
| SHA1 | 2c3d2988f231e95fc3ba623a6bbc14d7e7bfdee3 |
| SHA256 | 6c667eb22f361e80b665d3add113681aee524c67e0eb35084238ecfdf513ddb6 |
| SHA512 | 85837d0df6e447c392382ac5507170e68f181135f2703d8ffc0bb317079203123c0959c7a583e72e8984f6aa2edf491477a7e87e33e4c2286d14a03ec548fe46 |
Same naming trick as C:\MSOCache .exe in the Windows 7 run: a familiar root-level folder name with a space and ".exe" appended, chosen to pass as the folder when extensions are hidden.
memory/1708-132-0x0000000000400000-0x0000000000448000-memory.dmp
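The Files sections above give five SHA256 values and two file names built as "folder name, space, .exe". The following is an added example, not part of the sandbox output, that sweeps a directory tree for both. REPORT_SHA256 is copied from this report; the temp tree, the stand-in payload bytes and the benign file in demo() are constructed so the sweep runs offline, and the stand-in's own digest is added to the indicator set to show a hash hit (the report's real hashes cannot match constructed bytes).

```python
"""Sweep a directory tree for this report's file indicators.

Added example, not part of the sandbox output.  REPORT_SHA256 is copied
from the Files sections of the report; the temp tree, payload bytes and
benign file in demo() are constructed.
"""
import hashlib
import os
import re
import tempfile

REPORT_SHA256 = {
    "046c9c3a5ee7c66991dce176a5be4be57aca722419a6a4abc504aac0805df57e": "submitted sample",
    "8b24af510ea0af246730879f235288f609b2f0d2dda8c15770e9cc8f919e2e98": "dropped payload (libmir.exe / imjne.exe)",
    "f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8": r"C:\ProgramData\Saaaalamm\Mira.h",
    "ab9f1eb60659a6b6d469320431854690af038ce4b469e13153c18af1e0b0c7da": r"C:\MSOCache .exe (behavioral1)",
    "6c667eb22f361e80b665d3add113681aee524c67e0eb35084238ecfdf513ddb6": r"C:\Documents and Settings .exe (behavioral2)",
}

# "<something> .exe": the space before the extension is the tell.
FOLDER_MASQ_RE = re.compile(r"^(?P<stem>.+) \.exe$", re.IGNORECASE)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def looks_like_folder_masquerade(path: str) -> bool:
    """True when the file is '<name> .exe' and a sibling folder '<name>' exists."""
    directory, filename = os.path.split(path)
    m = FOLDER_MASQ_RE.match(filename)
    if not m:
        return False
    return os.path.isdir(os.path.join(directory, m.group("stem")))


def scan_tree(root: str, iocs: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (path, kind, detail) for every hash or naming hit under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((path, "hash", iocs[digest]))
            if looks_like_folder_masquerade(path):
                hits.append((path, "folder-masquerade", filename))
    return hits


def demo() -> list[tuple[str, str, str]]:
    """Build a constructed tree mirroring the report's layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "MSOCache"))          # the folder being imitated
        payload = b"constructed stand-in for the dropped payload\n"  # constructed bytes
        with open(os.path.join(root, "MSOCache .exe"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign control file\n")
        iocs = dict(REPORT_SHA256)
        # Register the stand-in's digest the way a feed would carry the real one.
        iocs[hashlib.sha256(payload).hexdigest()] = "constructed payload"
        return [(os.path.relpath(p, root), kind, detail)
                for p, kind, detail in scan_tree(root, iocs)]


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{rel}: {kind} -> {detail}")
```

Hash matching is exact and will miss a rebuilt payload, which is why the naming check is kept alongside it: the name pattern survives a recompile, and requiring an actual sibling folder keeps it from firing on ordinary executables that happen to have a space before the extension.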