Analysis Overview
SHA256
25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465
Threat Level: Shows suspicious behavior
The file 25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:28
Reported
2024-04-07 19:31
Platform
win7-20240221-en
Max time kernel
148s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\jtjbn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\jtjbn.exe" | C:\ProgramData\jtjbn.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2364 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\jtjbn.exe |
| PID 2364 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\jtjbn.exe |
| PID 2364 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\jtjbn.exe |
| PID 2364 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\jtjbn.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe
"C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe"
C:\ProgramData\jtjbn.exe
"C:\ProgramData\jtjbn.exe"
Network
Files
memory/2364-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/2364-1-0x0000000000400000-0x0000000000474000-memory.dmp
\ProgramData\jtjbn.exe
| MD5 | 6e7cb7a3ccfa3fb39d4d7127c7f19b68 |
| SHA1 | 2901b912506fb69c019dc038886f1e539bb3d67e |
| SHA256 | a8f15037f5ef2505a3cdbf9706ef3293beab6167e9336c527860bb74ff32048b |
| SHA512 | cab79c8d8a6cccd06a01008b97fefac6cc1e6036c810bdb2575c02aa07dbab6dee81232d5af1c58ea9b9ecb609f91415b243aec4e712185afba9a77f172ee8f7 |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/2364-14-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Documents and Settings .exe
| MD5 | e4ff70a9716f154c26e0e9946cfd1302 |
| SHA1 | 3f2e8cbf9703695cb90965374d846cf4d65ceaa6 |
| SHA256 | 93ab73aa6f0d9c175f2e5ef9a08ea8b45381fcc8d916a6e6e61adbe25fec73ff |
| SHA512 | f1a792fa1b98a77e10654a7b47385d6bb27d11b9e61a721090ef1160402ee70d729530eb9596945938becda6defc2331d6a1e3c0ef85041f00843f95c2d44c57 |
memory/1884-133-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:28
Reported
2024-04-07 19:31
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\efvmlj.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\efvmlj.exe" | C:\ProgramData\efvmlj.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3144 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\efvmlj.exe |
| PID 3144 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\efvmlj.exe |
| PID 3144 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe | C:\ProgramData\efvmlj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe
"C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe"
C:\ProgramData\efvmlj.exe
"C:\ProgramData\efvmlj.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/3144-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/3144-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\efvmlj.exe
| MD5 | 6e7cb7a3ccfa3fb39d4d7127c7f19b68 |
| SHA1 | 2901b912506fb69c019dc038886f1e539bb3d67e |
| SHA256 | a8f15037f5ef2505a3cdbf9706ef3293beab6167e9336c527860bb74ff32048b |
| SHA512 | cab79c8d8a6cccd06a01008b97fefac6cc1e6036c810bdb2575c02aa07dbab6dee81232d5af1c58ea9b9ecb609f91415b243aec4e712185afba9a77f172ee8f7 |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
memory/3144-9-0x0000000000400000-0x0000000000474000-memory.dmp
C:\DumpStack.log.tmp .exe
| MD5 | 701427a84ca6be751707420dbba21810 |
| SHA1 | 7b57be2e9bc9281342a15a9256e5c9851ba9eb20 |
| SHA256 | 4c8622657bc333ae3a7ce56dccdbd8e3cd673fab779f210fa039690046538802 |
| SHA512 | 22ba4d094b5f147856b146e0d8c26132cef413d2ec562ac4056e5be6784f8ad93c8c9c916292a70878779384647fbfcf848e47a71b92b3e126e938d6a9ab60c4 |
memory/3300-130-0x0000000000400000-0x0000000000448000-memory.dmp