56d9179370c6ac4d4092e8d0540a2cc756f28feaf7ae8f06a737b05729f02755

Analysis

max time kernel
118s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85b8b79f45cc182fbd96fed4badb5e70N.exe
Size

688KB
MD5

85b8b79f45cc182fbd96fed4badb5e70
SHA1

56085e42609c31c02f09e56c8e61c7de42e49eda
SHA256

56d9179370c6ac4d4092e8d0540a2cc756f28feaf7ae8f06a737b05729f02755
SHA512

31e16c61c31ebcf2b2dcdf699689ec0a9a0c3d94e9c0de3f840abcfb580ee8dbdad8537ac265c9c30a4965b858754b50652836492850d9f6b6f513f9b6868063
SSDEEP

6144:4jlYKRF/LReWAsUyE9zA9BNPyO5OYiGrhufJ5g+/H8Te/s4gEc3hG:4jauDReW69zA9rPymDWJ5L/6iLshG

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	bblvh.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	85b8b79f45cc182fbd96fed4badb5e70N.exe
1696	85b8b79f45cc182fbd96fed4badb5e70N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\bblvh.exe"	bblvh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2700	1696	85b8b79f45cc182fbd96fed4badb5e70N.exe	30
PID 1696 wrote to memory of 2700	1696	85b8b79f45cc182fbd96fed4badb5e70N.exe	30
PID 1696 wrote to memory of 2700	1696	85b8b79f45cc182fbd96fed4badb5e70N.exe	30
PID 1696 wrote to memory of 2700	1696	85b8b79f45cc182fbd96fed4badb5e70N.exe	30

C:\Users\Admin\AppData\Local\Temp\85b8b79f45cc182fbd96fed4badb5e70N.exe
"C:\Users\Admin\AppData\Local\Temp\85b8b79f45cc182fbd96fed4badb5e70N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\ProgramData\bblvh.exe
  "C:\ProgramData\bblvh.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
688KB

MD5
75a2b80fca29d0e9ca3ecbba2a2bcf15

SHA1
564e11f060cb71047be115ad1c56a2699d1eb6a0

SHA256
de0785ee560baae698d5826ae2aa8ec93fbc46cfdf28d60cdfe86cd58a0bebf7

SHA512
2abc59d8d092cbfb49afd1206dcd7859008be9addced0e761c0fa72d5bc37ad4b8472b154250c9f0deb59ae6825b0563e9e906b9351442f612e8b2957f33f3b3

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\bblvh.exe

Filesize
551KB

MD5
73cbc7732e0c13550bc5ef6ba72e1690

SHA1
cf6be4c90656cc0fa9b55fbe9ceb1a9eb1d5b5c3

SHA256
1315b42051fa2b9edf4f27fc63e673d54a59e684dabf5e28b196e864793f2b29

SHA512
7c49329bdce6be11bfb94a56694090b8dc4289ad5454ba30e1f0332b52eeaa70319c0d2f56fa1093d2156596930abb79b2295fe2ebd7794d5cb14eb221da4f33

Download Submit
memory/1696-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1696-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1696-11-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2700-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads