41d563fd8e50855078670ee2c3418a0b019a578eecb79434e25ecae109d6b720

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbce190429b90815caabc5601bafe950N.exe
Size

704KB
MD5

bbce190429b90815caabc5601bafe950
SHA1

aaf9731405d970cea31d12577d0ab2d1531dc24d
SHA256

41d563fd8e50855078670ee2c3418a0b019a578eecb79434e25ecae109d6b720
SHA512

af87aaf6622ec6bb2c872c0aef7fcca1b2e32ec156a54f8d548925295464b5f2494be80c593e94e2c5700eadb8142039ae87c3f851b02c9aa46d15fea4d60690
SSDEEP

12288:4jauDReWDOrWQ6BZ+wphWhIBSPhNxQ5xbXjiN+PLN7nC1bbJReZKAEN+tb:4DDn+wpQuByhXQP3AyUAEN+tb

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	kwsrx.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	bbce190429b90815caabc5601bafe950N.exe
2520	bbce190429b90815caabc5601bafe950N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kwsrx.exe"	kwsrx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2220	2520	bbce190429b90815caabc5601bafe950N.exe	30
PID 2520 wrote to memory of 2220	2520	bbce190429b90815caabc5601bafe950N.exe	30
PID 2520 wrote to memory of 2220	2520	bbce190429b90815caabc5601bafe950N.exe	30
PID 2520 wrote to memory of 2220	2520	bbce190429b90815caabc5601bafe950N.exe	30

C:\Users\Admin\AppData\Local\Temp\bbce190429b90815caabc5601bafe950N.exe
"C:\Users\Admin\AppData\Local\Temp\bbce190429b90815caabc5601bafe950N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\ProgramData\kwsrx.exe
  "C:\ProgramData\kwsrx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
704KB

MD5
01c7a2d57aa191112c90535f109c45d9

SHA1
955e439c94cd9e7879628dfc3d75c9b5477bdb05

SHA256
efe26634b07f0486670da46db9b5d27bcbaf1af881c6d42e4a953aa7082df101

SHA512
bc64011d0028bddba8447f0cef5260f74d015a8b40043b3ce8c736affca1c279d0d20a022e31ff8ddbad17f575ff4d97c1a7f70328ff8534a3b1b5f011a355e0

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\kwsrx.exe

Filesize
567KB

MD5
3b53e0e1131007596546b4c32971b242

SHA1
5f3ab92bd4df903b3d1785eb79ec7276f609de20

SHA256
34cbdf33d9dabb54f830fcc30eceaf50fc011e04c5f71812063d66f162376565

SHA512
bd2a7524502459d7744cee332dd9c1c811191cb58356d53700c7bc9b639d36b223486beb74ffaf168555661cbcb5236fc7350dfe21e6090f3cfa3e5e36d33971

Download Submit
memory/2220-143-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2520-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2520-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2520-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads