047e39cd8ee1395aee03e79852aa3b010d21f85264162837a769e8297d3ad0bc

Analysis

max time kernel
119s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5144fc12cf19bbefcd765c6efc23d9f0N.exe
Size

624KB
MD5

5144fc12cf19bbefcd765c6efc23d9f0
SHA1

e42794c2b2de6857162ea96c2dc200fbb5b085b6
SHA256

047e39cd8ee1395aee03e79852aa3b010d21f85264162837a769e8297d3ad0bc
SHA512

d41a0333e2a5fe52124d48070380cf351b4d389ef37149f0ea23a32b546cfdda2e1f894f7ca55930f8cc03bd37279ab45d1a11451ecdf9c4b557678c438a8219
SSDEEP

12288:P1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0yGepRFdcUpsiQ/YMy:P1/aGLDCM4D8ayGMuGeTcUpbQ/YMy

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4976	bttrf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\bttrf.exe"	bttrf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4976	3540	5144fc12cf19bbefcd765c6efc23d9f0N.exe	86
PID 3540 wrote to memory of 4976	3540	5144fc12cf19bbefcd765c6efc23d9f0N.exe	86
PID 3540 wrote to memory of 4976	3540	5144fc12cf19bbefcd765c6efc23d9f0N.exe	86

C:\Users\Admin\AppData\Local\Temp\5144fc12cf19bbefcd765c6efc23d9f0N.exe
"C:\Users\Admin\AppData\Local\Temp\5144fc12cf19bbefcd765c6efc23d9f0N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3540
- C:\ProgramData\bttrf.exe
  "C:\ProgramData\bttrf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
624KB

MD5
b391e2ae1344fa2ed43e5658434f949c

SHA1
dbcd7c0b1033270af356790027565297f932e3fd

SHA256
6293f69a9e03554cd9de704893e276de238b71d9f5f392502dbab7f40c096dbc

SHA512
6b6e77f1c8924a73aa7c0f7b3b66410da27e07c89da9655c349a760ce6637d40ac1dc26317db0f595fd9491b71d6afc08caa2cdc8318c3333e4eb33e5dcc01c1

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
256KB

MD5
20cbdc8dcf94039052f99496a9ad76ec

SHA1
e82b8212beebe02448490775eccb44258fc0770f

SHA256
733fc0290137738e6ca23bce6a28ffd92e26ffc2cad69fb199999b1aaac0eaf5

SHA512
fcac8392c282974844f8dbac75ef16f8e77da4624a63950a8ed29f6c554a094891f0ed70048daaa187846bf187b6baeaffe92f06c3904846a4412bbb67e1c1cd

Download Submit
C:\ProgramData\bttrf.exe

Filesize
367KB

MD5
3e35102b94137202c0206076b984f28c

SHA1
37c364db1ece3b2bd34a4b915e99d6ec832d5eaf

SHA256
d959ca9443d2ad11c726e1ff5a57782fa972779a3701eba5370ccfd477088403

SHA512
828cd708a0b686e2eea78668f98d8b1b1ea4dc41483af69fa063ae0e963607105c3edfef373d7a1a9b824dbfd05bfaa31a7a13da46604d22176f0de9a52a2cff

Download Submit
memory/3540-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4976-128-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads