Analysis
- max time kernel: 120s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 7bb696b21442f4e664fd670f5529e370N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 7bb696b21442f4e664fd670f5529e370N.exe
- Resource: win10v2004-20240709-en
General
- Target: 7bb696b21442f4e664fd670f5529e370N.exe
- Size: 511KB
- MD5: 7bb696b21442f4e664fd670f5529e370
- SHA1: 56d6cd0c5fe64e3a489ad0ff5d7e76837b57bd22
- SHA256: 25558be34207ff07a5dd7dc508fd1f9e6b511748b3d5990239f0567c855b7f6e
- SHA512: fc1592355261efc86c1c7e8cae9aab3501511087a75c740e4b67c25b93030730179176a5c7b05f3cd24190ba32ca90687973deef1e9ab503fbd64bd9387839cd
- SSDEEP: 12288:H1/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0urRPbOsC/M83Y0hjuXyl3b:H1/aGLDCM4D8ayGMydSnb
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 4588
    process: rvfgar.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\rvfgar.exe"
    process: rvfgar.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: 7bb696b21442f4e664fd670f5529e370N.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    process: rvfgar.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 2536 wrote to memory of 4588
    pid: 2536
    process: 7bb696b21442f4e664fd670f5529e370N.exe
    target process: rvfgar.exe
    description: PID 2536 wrote to memory of 4588
    pid: 2536
    process: 7bb696b21442f4e664fd670f5529e370N.exe
    target process: rvfgar.exe
    description: PID 2536 wrote to memory of 4588
    pid: 2536
    process: 7bb696b21442f4e664fd670f5529e370N.exe
    target process: rvfgar.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7bb696b21442f4e664fd670f5529e370N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7bb696b21442f4e664fd670f5529e370N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\rvfgar.exe
    Command line: "C:\ProgramData\rvfgar.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Documents and Settings .exe
  Filesize: 511KB
  MD5: cecd15acc70242fccc549b1ec6b462e4
  SHA1: aabc19fea1ccc6e05110085125a9a9b12b40f53e
  SHA256: 7849ecc4c73dc98d213c6fc004af73eadf636fdd1244d0a11084cd23c4069c2f
  SHA512: 60b1dcb72a4d9b1fbf745f1fe45e866ea593716b8a0330be75e75ac8ee30d64680618a1376d1102d3641b9f02ca7cc557c5c438a37d986742e6fb963ef99191b
- C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 255KB
  MD5: f351898b5ba2d709e4d73d3160071029
  SHA1: 5bddf9621650635913bea3f15cb0f7108a09079e
  SHA256: 22972cfc5b13ea8cedef1adca83358f89fea716b3e775bd70553ed44ef04e668
  SHA512: c9c680f93577ca853d9db3d9b84d16a43c1986c95d3bfc4ff3bbbafaa585cf6ee6ada6da6e86cea529e817f39e4e98d78c1ad99069aa417514ef5bab735ccf88
- C:\ProgramData\rvfgar.exe
  Filesize: 256KB
  MD5: 7b0998730bdd10a26e43908747b0c688
  SHA1: 80b26d95e6818347264a439e6903748a39151597
  SHA256: 66ac753d240815b4fe37c5a69894e66b81da54b70b981e687d9a1e70300ffb3e
  SHA512: 5c5b5d38e116c3e73fa3d0059992a271b3800a41b5aa1c96df81e271aaabcbcdfb72cca614cd703ec0075fb62940a36941d9725ede8df15fc86c116a445041b5
- memory/2536-7-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
- memory/4588-96-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
- memory/4588-189-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB