25558be34207ff07a5dd7dc508fd1f9e6b511748b3d5990239f0567c855b7f6e

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bb696b21442f4e664fd670f5529e370N.exe
Size

511KB
MD5

7bb696b21442f4e664fd670f5529e370
SHA1

56d6cd0c5fe64e3a489ad0ff5d7e76837b57bd22
SHA256

25558be34207ff07a5dd7dc508fd1f9e6b511748b3d5990239f0567c855b7f6e
SHA512

fc1592355261efc86c1c7e8cae9aab3501511087a75c740e4b67c25b93030730179176a5c7b05f3cd24190ba32ca90687973deef1e9ab503fbd64bd9387839cd
SSDEEP

12288:H1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0urRPbOsC/M83Y0hjuXyl3b:H1/aGLDCM4D8ayGMydSnb

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

evsbel.exe

pid process

2728 evsbel.exe
Loads dropped DLL 2 IoCs

Processes:

7bb696b21442f4e664fd670f5529e370N.exe

pid process

2348 7bb696b21442f4e664fd670f5529e370N.exe
2348 7bb696b21442f4e664fd670f5529e370N.exe

pid	process
2728	evsbel.exe

pid	process
2348	7bb696b21442f4e664fd670f5529e370N.exe
2348	7bb696b21442f4e664fd670f5529e370N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

evsbel.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\evsbel.exe"	evsbel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7bb696b21442f4e664fd670f5529e370N.exeevsbel.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bb696b21442f4e664fd670f5529e370N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evsbel.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7bb696b21442f4e664fd670f5529e370N.exe

description	pid	process	target process
PID 2348 wrote to memory of 2728	2348	7bb696b21442f4e664fd670f5529e370N.exe	evsbel.exe
PID 2348 wrote to memory of 2728	2348	7bb696b21442f4e664fd670f5529e370N.exe	evsbel.exe
PID 2348 wrote to memory of 2728	2348	7bb696b21442f4e664fd670f5529e370N.exe	evsbel.exe
PID 2348 wrote to memory of 2728	2348	7bb696b21442f4e664fd670f5529e370N.exe	evsbel.exe

C:\Users\Admin\AppData\Local\Temp\7bb696b21442f4e664fd670f5529e370N.exe
"C:\Users\Admin\AppData\Local\Temp\7bb696b21442f4e664fd670f5529e370N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348

C:\ProgramData\evsbel.exe
"C:\ProgramData\evsbel.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
511KB

MD5
74bf111cface75aa9131d5d270a89e86

SHA1
679e6f773e7203aa7198e95939fc6ebfa6d86f1c

SHA256
b5a2e3c87660d7132daeb781ed0e395672ceca2910d5a44bd864074bcda01a39

SHA512
232738d4f487f50602abd89acd67c44bb1be111ef5ac8302665e6fe95c988dcc7e0e2797405936ecf1958122fbb00184f29f77c50973e6913ff331f9f65068b8

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
255KB

MD5
f351898b5ba2d709e4d73d3160071029

SHA1
5bddf9621650635913bea3f15cb0f7108a09079e

SHA256
22972cfc5b13ea8cedef1adca83358f89fea716b3e775bd70553ed44ef04e668

SHA512
c9c680f93577ca853d9db3d9b84d16a43c1986c95d3bfc4ff3bbbafaa585cf6ee6ada6da6e86cea529e817f39e4e98d78c1ad99069aa417514ef5bab735ccf88

Download Submit
\ProgramData\evsbel.exe

Filesize
256KB

MD5
7b0998730bdd10a26e43908747b0c688

SHA1
80b26d95e6818347264a439e6903748a39151597

SHA256
66ac753d240815b4fe37c5a69894e66b81da54b70b981e687d9a1e70300ffb3e

SHA512
5c5b5d38e116c3e73fa3d0059992a271b3800a41b5aa1c96df81e271aaabcbcdfb72cca614cd703ec0075fb62940a36941d9725ede8df15fc86c116a445041b5

Download Submit
memory/2348-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2728-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download