9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61.exe
Size

544KB
MD5

c1ab072728234bc61b834a2774d45f8b
SHA1

45b970ea683476a6bba6e9ce8cb1506dc209b695
SHA256

9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61
SHA512

2fe227d2a024dd8594012a011adfacdf0ee2f704b5d599f03670af72a2fbc889b80845781249442641ce122c3f49b5f45154f11a60b42642c29f1ca6bd24628e
SSDEEP

12288:4jauDReWoMXyFgH8o0WX/Mm72634Dg7eOrTL:4DDEAkm7qDg7R3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3724	tfbsf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\tfbsf.exe"	tfbsf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 3724	1064	9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61.exe	81
PID 1064 wrote to memory of 3724	1064	9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61.exe	81
PID 1064 wrote to memory of 3724	1064	9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61.exe	81

C:\Users\Admin\AppData\Local\Temp\9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61.exe
"C:\Users\Admin\AppData\Local\Temp\9d925bcb516cb4f20bdb13a1ba3f8a1fe7ea3b68555c6c04b51b04d0c340ec61.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\ProgramData\tfbsf.exe
  "C:\ProgramData\tfbsf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
544KB

MD5
b757708c678c4d685999b06a145d78d6

SHA1
fc21808b75fb839b4bb124de17b59205f649b335

SHA256
b6d496e09f45e6426ad84f69340379b9a025e153fe2f4405c1a8ebdd4f8e25fa

SHA512
cd3c31c4dcb87c8b64c8a6ed741b14048db5cfbd66e8eb8df98fb417528518db4e33da9a38ce572a32020d05e618f4b409043ffbc0c54aca8b5785a07e052cb7

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\tfbsf.exe

Filesize
407KB

MD5
3207660b910be7a6c87fd74b8529c37c

SHA1
8bd4f0a29e322cfc71914d1ad8a59c2bbd9bb825

SHA256
1a67134bf0ed62af9e84815d7ce34d9eefb254d6736a7a4ababe63c8fcdbe69d

SHA512
fbcecc5209892fc58017c5b9fd5d6adadd291f614fcfe8dfd0c551b679c73e791bc1c2f20814525d6d8f99b04c9f2509bd75fae0de1c006e627534811fa1fa19

Download Submit
memory/1064-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1064-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1064-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3724-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads