716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
Size

396KB
MD5

1c4ce184213ebdd5094ed966afc6fae0
SHA1

41c1c7d31dca1455232cf126c8c52894f0b7563f
SHA256

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8
SHA512

bbe7b01c9b402d086ffa524b69404f7293d3f2a08f7d649d6bc9bab5556531da376778adb8fcbbea408703d31a6515f3100d13c924eba0113068bd1ee5fa89d2
SSDEEP

6144:4jlYKRF/LReWAsUyJq5r3PWSAR0DkNVn0bcmF:4jauDReWeFPa90b

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ycjpgk.exe

pid process

2924 ycjpgk.exe

pid	process
2924	ycjpgk.exe

Loads dropped DLL 2 IoCs

Processes:

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe

pid	process
2664	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
2664	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ycjpgk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ycjpgk.exe"	ycjpgk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe

description	pid	process	target process
PID 2664 wrote to memory of 2924	2664	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	ycjpgk.exe
PID 2664 wrote to memory of 2924	2664	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	ycjpgk.exe
PID 2664 wrote to memory of 2924	2664	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	ycjpgk.exe
PID 2664 wrote to memory of 2924	2664	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	ycjpgk.exe

C:\Users\Admin\AppData\Local\Temp\716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
"C:\Users\Admin\AppData\Local\Temp\716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\ProgramData\ycjpgk.exe
"C:\ProgramData\ycjpgk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
396KB

MD5
0503de0e991d7331398a69d69fb42477

SHA1
a3c78a93e54ad313bf138e5fbd8ffb6d36937c9b

SHA256
33efd3b4a5f33e605c0af71762a34dd7a7955800d342c47352819f18ee7de8bc

SHA512
925f88e422c7c1697d70488d279a9771b2e99b3e2f0f854e7dac8cb14014f79e9d7e056455dcc11415ecf081717d9c97c950e47f724583685742e01042012944

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\ycjpgk.exe

Filesize
259KB

MD5
b9b1a11f4914e8787d811317997fa6bb

SHA1
435f76a02c445cba1975314b21fa5b4664b548c4

SHA256
d7ac8c1204527a1ec8df0bcf6b632189e8e79a9ccc54221c683dacece7ed4c53

SHA512
caf0efb9d2f7f301da5e47025b56b4e6b902c4b950db86253298a669bc1766806195d0c7aaa3b89f288fa0e42ac6242a8def101a7d77d0647f2c3e82810fc5dd

Download Submit
memory/2664-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2664-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2664-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2924-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download