09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368.exe
Size

454KB
MD5

b7a31c43726aa4e904605ad6548905e9
SHA1

3132e5eea7adb6a1e75aa7236ff908e18ceda90e
SHA256

09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368
SHA512

95f4bebcab9fc7e8d680741f00a426576629bedd8789b1d26a4c006f73570a77e8798f6a66fccbb59c1e7cf56a7669fb3376c7c5a932cdc6fe4f9f9fe90e2d95
SSDEEP

6144:4jlYKRF/LReWAsUyXeKrxt0slnivGYMtdCTcXF9luKXAdKNp6HxOd8tkxBYVbwe:4jauDReWpjX0sRivGYvcXJV6RRkDYV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3624	uyihgv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uyihgv.exe"	uyihgv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 3624	1804	09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368.exe	83
PID 1804 wrote to memory of 3624	1804	09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368.exe	83
PID 1804 wrote to memory of 3624	1804	09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368.exe	83

C:\Users\Admin\AppData\Local\Temp\09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368.exe
"C:\Users\Admin\AppData\Local\Temp\09671d97938337a0373e1b946b53712ebea6de59e7d118ecc3993c30f5812368.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\ProgramData\uyihgv.exe
  "C:\ProgramData\uyihgv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
454KB

MD5
728e64c1d950d040081a18b484d13197

SHA1
6e8c49955afd66733b7bcba092da96bb3ffbe01e

SHA256
dca2ecac41d9555499ae6862f19a8686410d7d810f0952474777e2e76cff54f3

SHA512
0fa19682a32f8c1e10cbaff9ac19e4eb8f7401fbc47e7b0a7b19b494d70d7e7c3e1b3f96e15905af380e3948c495723699af8f07fcb538a7ae4826c080d41bd6

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\uyihgv.exe

Filesize
317KB

MD5
85489368202dfbe6b14973e2c4d0b43e

SHA1
97050959ce731257e24ddda8a9c291fb26d54e98

SHA256
ce40032976eac209dc29a09ea507363297ac407acaecdd8dc88fb92ae1a4516d

SHA512
a891487b210eaa82fc5f0b104b6a02942cae30c92745f0e30ba834f13377bf342c1b903e2830aefb349ef87382805f991c26a8365ca7001d1473bf044f88c460

Download Submit
memory/1804-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1804-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1804-8-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3624-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3624-1221-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads