4c3244d7c522a4c37e5a71fb4dc83e1f560f69de68b9ffd5ef96f54b68b684cc

Analysis

max time kernel
147s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0142e91e3f41cc1444fa66f894fbe220N.exe
Size

410KB
MD5

0142e91e3f41cc1444fa66f894fbe220
SHA1

6b71e9a6ca4c193dc76e1d047df4111b0a5152de
SHA256

4c3244d7c522a4c37e5a71fb4dc83e1f560f69de68b9ffd5ef96f54b68b684cc
SHA512

34d6eacb93a56b9dd92d7339ac777ba60fbe2f8bd58f87ecb21059cc2171b19878a40094cb88b99d946e795a27b83cbcd88fcef1017d388e3e1cdb6f62220331
SSDEEP

6144:6BxIK3CTW8TMjp41u6nyHwnZFxcnj0RtAMBuK610aMhxjqRp1RM33wrJud71PFhl:CxIK9V14ImyHY0sQx6Ukysr

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	kcmsa.exe

Loads dropped DLL 2 IoCs

pid	Process
1152	0142e91e3f41cc1444fa66f894fbe220N.exe
1152	0142e91e3f41cc1444fa66f894fbe220N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kcmsa.exe"	kcmsa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2704	1152	0142e91e3f41cc1444fa66f894fbe220N.exe	30
PID 1152 wrote to memory of 2704	1152	0142e91e3f41cc1444fa66f894fbe220N.exe	30
PID 1152 wrote to memory of 2704	1152	0142e91e3f41cc1444fa66f894fbe220N.exe	30
PID 1152 wrote to memory of 2704	1152	0142e91e3f41cc1444fa66f894fbe220N.exe	30

C:\Users\Admin\AppData\Local\Temp\0142e91e3f41cc1444fa66f894fbe220N.exe
"C:\Users\Admin\AppData\Local\Temp\0142e91e3f41cc1444fa66f894fbe220N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152
- C:\ProgramData\kcmsa.exe
  "C:\ProgramData\kcmsa.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
410KB

MD5
10bff1865ab88a7ea8f841261ebb3728

SHA1
14992b0eeaca8999a524939e820ba1dc4b496793

SHA256
fc49199547b6c14a9f80a7fa9430d40345137a3173a3c2aaaad50ec9d846bbe3

SHA512
d3d8aab5c0d19469a17c6f7f82f5bdee0a86b7ee48aeefc79860fb7ab9fb8dd22d2b6ce4c9888c15ceb14cf98f25a81af79c71a675343e1052022c0fdc1b11a5

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
150KB

MD5
a52d6cb53c4c31e9f5ad53a356adf9dd

SHA1
4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101

SHA256
f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8

SHA512
6d86153ffb8c803092d4fe30f1df1371657023eb10fd56dfeca684ff13a3222f64b11592576d3990f14cf915987a3372cf89774f811ef33dbd5f1b7db5ba681b

Download Submit
\ProgramData\kcmsa.exe

Filesize
260KB

MD5
9492197c1cb6ca400eeec06c7d30ae27

SHA1
54c04a7bb16ad49993eff7b931849759901c4a9e

SHA256
a7f5bdc8d1f313ab330c88552f50800431c83184ef07fbe37518725b15ab942b

SHA512
67e2b312cb81a856e6d8f108f0e9c38a4c7051e3ceed6f85d1b82a72ef952b41b654e53119b2ebc51c64dc66eb3f05a7aa4f0a80c560514ac4be0dcf1eeffb95

Download Submit
memory/1152-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1152-1-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1152-14-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2704-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads