a04e6e2cfd0fa217b9908e052708cf6666234433f5f942e27b535352b0ac6690

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

543f3b2a77cedfbc3ee19b66783a4700N.exe
Size

395KB
MD5

543f3b2a77cedfbc3ee19b66783a4700
SHA1

0af0ff9b96e784bdd14c76e09901bddec81ab438
SHA256

a04e6e2cfd0fa217b9908e052708cf6666234433f5f942e27b535352b0ac6690
SHA512

a1562dfb8369efc4dfdc5393b733233caabd964b2b97a4cd02723be5b1cb2eb59f804a1cd1cca7fd317493457b3a01422c6d4ddc4fd7be9d1bae478b7bcf4312
SSDEEP

6144:4jlYKRF/LReWAsUyEkcnvOpbLMBDVbzIrWrPBt7F3Eu9yTaG:4jauDReWNc8boZxz1Bt7FUu9yT9

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2560	dqhvbt.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	543f3b2a77cedfbc3ee19b66783a4700N.exe
2864	543f3b2a77cedfbc3ee19b66783a4700N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\dqhvbt.exe"	dqhvbt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	543f3b2a77cedfbc3ee19b66783a4700N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqhvbt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2560	2864	543f3b2a77cedfbc3ee19b66783a4700N.exe	30
PID 2864 wrote to memory of 2560	2864	543f3b2a77cedfbc3ee19b66783a4700N.exe	30
PID 2864 wrote to memory of 2560	2864	543f3b2a77cedfbc3ee19b66783a4700N.exe	30
PID 2864 wrote to memory of 2560	2864	543f3b2a77cedfbc3ee19b66783a4700N.exe	30

C:\Users\Admin\AppData\Local\Temp\543f3b2a77cedfbc3ee19b66783a4700N.exe
"C:\Users\Admin\AppData\Local\Temp\543f3b2a77cedfbc3ee19b66783a4700N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864
- C:\ProgramData\dqhvbt.exe
  "C:\ProgramData\dqhvbt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
395KB

MD5
f60183d57270dc03e318ffa8a7a7ddf2

SHA1
163c9dd01112bf45f7865734cdd6b4c1115bd096

SHA256
2935754298491eac576c009bc89d75ac8a82b0cf1ddbc0204849763c4675aa99

SHA512
822b3f904bb58cdded897e55c640fd974c7fbbd1dc77b46caf49e24254def33a877def9be881ea76d219d43307df7617ff79773c9cfa48059cb03ab8ea375236

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\dqhvbt.exe

Filesize
258KB

MD5
652e8fd03dafe856023266d3459ff4a8

SHA1
f3be4b832a7cadf63a02c12330d44b52e3915501

SHA256
a6f52be37652e2e955e31e843e7039eac6f4cbec192a000f2059ff37f561ba9e

SHA512
bb01aebe4d4ddb9fe9228128a63cea4c08ad4cae3d0efa8f156a0977a9881de3f6d7f548850ee8af69d3eef9b9411ea2f118c3de71f2e8714551fc322fe6098d

Download Submit
memory/2560-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2864-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2864-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2864-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads