8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
Size

432KB
MD5

3b4dea238c3bd7ec6fcca12e7d846361
SHA1

5072d208a9f5e17934decc5e787ff613ee2cf870
SHA256

8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627
SHA512

6e1a41f2610d1eb149b8c362ef98410e62382c6f4a43fefdf2e5b38d2741d311b3a943395f914cc23903d3ba1e97d8729b4e0ed7ec1a65636b6bd72a84d52acb
SSDEEP

6144:4jlYKRF/LReWAsUy0+sHOeDhX4RV+cw3GSo59nnS8gjHmrijMLH:4jauDReWpsHOTRV+T3vobnl/LH

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4732	hfqswf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\hfqswf.exe"	hfqswf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfqswf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 4732	1816	8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe	84
PID 1816 wrote to memory of 4732	1816	8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe	84
PID 1816 wrote to memory of 4732	1816	8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe	84

C:\Users\Admin\AppData\Local\Temp\8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe
"C:\Users\Admin\AppData\Local\Temp\8b7dea71ec5c3e4a81be2f53f2a38102de748e21ca62ee320993c6eff3c2e627.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816
- C:\ProgramData\hfqswf.exe
  "C:\ProgramData\hfqswf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
432KB

MD5
2460a981a814b1bd44a26e0eb7bfe505

SHA1
595350007d678b77ac580206b99110bd67cac337

SHA256
9aa59677bb488ae6135a0db2066fd07120ed51a984442ca66ba2cfbc104b4cec

SHA512
2fce93bcf783556b45256c2b223bd0d40b7ac11129c2a7f37a46af367cd0aaf987b3c91fad771c1e45045b0031c55fd940f30aaf32f40c5af29613bcc49b656b

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\hfqswf.exe

Filesize
295KB

MD5
6f2e3a92e4681c9bf6ff45d740797189

SHA1
2c2b0ce00410fa5fe9c2adf5749f119feefdd82e

SHA256
6d7541c1a578f8b18577f22a951a56fd60a2f44d28a41ed44b80f853cb7bb6cf

SHA512
a9245dfe95a8a4397cdd9d19c527b80f6e22ec809f2c05ba3dff4ec90e334a97868d5dfa0b0c8a1595c33140cedcadca1e5ed8bd051086cd3d22d39d16e14c96

Download Submit
memory/1816-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1816-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1816-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4732-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads