Malware Analysis Report

2025-03-14 22:29

Sample ID 240407-x6wvgscf59
Target 25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465
SHA256 25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465
Tags
persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465

Threat Level: Shows suspicious behavior

The file 25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:28

Reported

2024-04-07 19:31

Platform

win7-20240221-en

Max time kernel

148s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jtjbn.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\jtjbn.exe" C:\ProgramData\jtjbn.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe

"C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe"

C:\ProgramData\jtjbn.exe

"C:\ProgramData\jtjbn.exe"

Network

N/A

Files

memory/2364-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2364-1-0x0000000000400000-0x0000000000474000-memory.dmp

\ProgramData\jtjbn.exe

MD5 6e7cb7a3ccfa3fb39d4d7127c7f19b68
SHA1 2901b912506fb69c019dc038886f1e539bb3d67e
SHA256 a8f15037f5ef2505a3cdbf9706ef3293beab6167e9336c527860bb74ff32048b
SHA512 cab79c8d8a6cccd06a01008b97fefac6cc1e6036c810bdb2575c02aa07dbab6dee81232d5af1c58ea9b9ecb609f91415b243aec4e712185afba9a77f172ee8f7

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

memory/2364-14-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Documents and Settings .exe

MD5 e4ff70a9716f154c26e0e9946cfd1302
SHA1 3f2e8cbf9703695cb90965374d846cf4d65ceaa6
SHA256 93ab73aa6f0d9c175f2e5ef9a08ea8b45381fcc8d916a6e6e61adbe25fec73ff
SHA512 f1a792fa1b98a77e10654a7b47385d6bb27d11b9e61a721090ef1160402ee70d729530eb9596945938becda6defc2331d6a1e3c0ef85041f00843f95c2d44c57

memory/1884-133-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:28

Reported

2024-04-07 19:31

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\efvmlj.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\efvmlj.exe" C:\ProgramData\efvmlj.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe

"C:\Users\Admin\AppData\Local\Temp\25c8b0df2ee1dcf2808f438288ae0c7e07a6313380231c147092308b58f7d465.exe"

C:\ProgramData\efvmlj.exe

"C:\ProgramData\efvmlj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3144-0-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3144-1-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\efvmlj.exe

MD5 6e7cb7a3ccfa3fb39d4d7127c7f19b68
SHA1 2901b912506fb69c019dc038886f1e539bb3d67e
SHA256 a8f15037f5ef2505a3cdbf9706ef3293beab6167e9336c527860bb74ff32048b
SHA512 cab79c8d8a6cccd06a01008b97fefac6cc1e6036c810bdb2575c02aa07dbab6dee81232d5af1c58ea9b9ecb609f91415b243aec4e712185afba9a77f172ee8f7

C:\ProgramData\Saaaalamm\Mira.h

MD5 cb4c442a26bb46671c638c794bf535af
SHA1 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
SHA256 f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
SHA512 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

memory/3144-9-0x0000000000400000-0x0000000000474000-memory.dmp

C:\DumpStack.log.tmp .exe

MD5 701427a84ca6be751707420dbba21810
SHA1 7b57be2e9bc9281342a15a9256e5c9851ba9eb20
SHA256 4c8622657bc333ae3a7ce56dccdbd8e3cd673fab779f210fa039690046538802
SHA512 22ba4d094b5f147856b146e0d8c26132cef413d2ec562ac4056e5be6784f8ad93c8c9c916292a70878779384647fbfcf848e47a71b92b3e126e938d6a9ab60c4

memory/3300-130-0x0000000000400000-0x0000000000448000-memory.dmp