Analysis

  • max time kernel: 120s
  • max time network: 108s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 27-07-2024 01:40

General

  • Target: 7bb696b21442f4e664fd670f5529e370N.exe
  • Size: 511KB
  • MD5: 7bb696b21442f4e664fd670f5529e370
  • SHA1: 56d6cd0c5fe64e3a489ad0ff5d7e76837b57bd22
  • SHA256: 25558be34207ff07a5dd7dc508fd1f9e6b511748b3d5990239f0567c855b7f6e
  • SHA512: fc1592355261efc86c1c7e8cae9aab3501511087a75c740e4b67c25b93030730179176a5c7b05f3cd24190ba32ca90687973deef1e9ab503fbd64bd9387839cd
  • SSDEEP: 12288:H1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0urRPbOsC/M83Y0hjuXyl3b:H1/aGLDCM4D8ayGMydSnb

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bb696b21442f4e664fd670f5529e370N.exe (PID 2536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7bb696b21442f4e664fd670f5529e370N.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • Child: C:\ProgramData\rvfgar.exe (PID 4588)
      Command line: "C:\ProgramData\rvfgar.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Matrix (ATT&CK v13)

| Tactic               | Technique                                | ID        | Count |
|----------------------|------------------------------------------|-----------|-------|
| Persistence          | Boot or Logon Autostart Execution        | T1547     | 1     |
| Persistence          | Registry Run Keys / Startup Folder       | T1547.001 | 1     |
| Privilege Escalation | Boot or Logon Autostart Execution        | T1547     | 1     |
| Privilege Escalation | Registry Run Keys / Startup Folder       | T1547.001 | 1     |
| Defense Evasion      | Modify Registry                          | T1112     | 1     |
| Discovery            | System Information Discovery             | T1082     | 1     |
| Discovery            | System Location Discovery                | T1614     | 1     |
| Discovery            | System Language Discovery                | T1614.001 | 1     |


Downloads

  • C:\Documents and Settings .exe
    Filesize: 511KB
    MD5: cecd15acc70242fccc549b1ec6b462e4
    SHA1: aabc19fea1ccc6e05110085125a9a9b12b40f53e
    SHA256: 7849ecc4c73dc98d213c6fc004af73eadf636fdd1244d0a11084cd23c4069c2f
    SHA512: 60b1dcb72a4d9b1fbf745f1fe45e866ea593716b8a0330be75e75ac8ee30d64680618a1376d1102d3641b9f02ca7cc557c5c438a37d986742e6fb963ef99191b

  • C:\ProgramData\Saaaalamm\Mira.h
    Filesize: 255KB
    MD5: f351898b5ba2d709e4d73d3160071029
    SHA1: 5bddf9621650635913bea3f15cb0f7108a09079e
    SHA256: 22972cfc5b13ea8cedef1adca83358f89fea716b3e775bd70553ed44ef04e668
    SHA512: c9c680f93577ca853d9db3d9b84d16a43c1986c95d3bfc4ff3bbbafaa585cf6ee6ada6da6e86cea529e817f39e4e98d78c1ad99069aa417514ef5bab735ccf88

  • C:\ProgramData\rvfgar.exe
    Filesize: 256KB
    MD5: 7b0998730bdd10a26e43908747b0c688
    SHA1: 80b26d95e6818347264a439e6903748a39151597
    SHA256: 66ac753d240815b4fe37c5a69894e66b81da54b70b981e687d9a1e70300ffb3e
    SHA512: 5c5b5d38e116c3e73fa3d0059992a271b3800a41b5aa1c96df81e271aaabcbcdfb72cca614cd703ec0075fb62940a36941d9725ede8df15fc86c116a445041b5

  • memory/2536-7-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize: 312KB

  • memory/4588-96-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize: 288KB

  • memory/4588-189-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize: 288KB