f62b5f8812c33eca587dc3a80ef0d35723c0995ffe120ac6aa32570ad3c86f43

Analysis

max time kernel
172s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d8f6f0448f3b9434ac7fa3fd0f3a4.exe
Size

395KB
MD5

905d8f6f0448f3b9434ac7fa3fd0f3a4
SHA1

69b10fbaf8995eefcaf770e72616d84710e9242e
SHA256

f62b5f8812c33eca587dc3a80ef0d35723c0995ffe120ac6aa32570ad3c86f43
SHA512

3b2dc4ce2077fc7d62accf5d4550e08386ae33a003caca36563d4a060e7dedaf60978d8be00d605892e5064c86321f2d6b7bc7cd22c1fa7ce49ed8443babab57
SSDEEP

12288:4jauDReWPEklZKtOAfzmbVXLXl+im5oLVe:4DDrtKsArm9lHmP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3012	tgxfx.exe

Loads dropped DLL 2 IoCs

pid	Process
1000	905d8f6f0448f3b9434ac7fa3fd0f3a4.exe
1000	905d8f6f0448f3b9434ac7fa3fd0f3a4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\tgxfx.exe"	tgxfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 3012	1000	905d8f6f0448f3b9434ac7fa3fd0f3a4.exe	27
PID 1000 wrote to memory of 3012	1000	905d8f6f0448f3b9434ac7fa3fd0f3a4.exe	27
PID 1000 wrote to memory of 3012	1000	905d8f6f0448f3b9434ac7fa3fd0f3a4.exe	27
PID 1000 wrote to memory of 3012	1000	905d8f6f0448f3b9434ac7fa3fd0f3a4.exe	27

C:\Users\Admin\AppData\Local\Temp\905d8f6f0448f3b9434ac7fa3fd0f3a4.exe
"C:\Users\Admin\AppData\Local\Temp\905d8f6f0448f3b9434ac7fa3fd0f3a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000
- C:\ProgramData\tgxfx.exe
  "C:\ProgramData\tgxfx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
395KB

MD5
cbed677b9ba59d1fc12229d4ed9c21c5

SHA1
e0c76b8dcf3de97e21075aa8bb6aedbb48f207c9

SHA256
9d294499685ef61170aa920f38234bcdda5308b0c5dc5e5d41b178ffb8a80253

SHA512
1bc91ae7793aecf9179ea392f4b4b6effe336e023e04bbfe68f1416bf8533a8f4abc88ad4577b26d7a640ae42f1795e1b567a3ee739a138387268b0c6c1cc444

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\tgxfx.exe

Filesize
258KB

MD5
5cc474c1c02e999550c750c446883cde

SHA1
907d3f13a27e470affc391f4264b897516d7f8a2

SHA256
91fcca952f5f3ca8a37d6273cbcb0c4fa5035d72e883f769f3bd88984656f737

SHA512
1fc7850bbc09702015db485ae9ff9fe1122746e7040f2898f54b99fadc13ec761c85c4ab52ade8d9f985e8f50a2a58fd66dc2780f8f183e6eb30e99919b6c32b

Download Submit
memory/1000-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1000-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3012-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3012-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3012-148-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads