5f55226ad993ca4941a48f970c36e64e0c6566b3c975e6f57898d59ee04eaea2

Analysis

max time kernel
122s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9587bcbb93f8074e7777fc4a3bc73b90N.exe
Size

912KB
MD5

9587bcbb93f8074e7777fc4a3bc73b90
SHA1

ed78248f2da2717b92fd75c8db36c1e7c2e7a75d
SHA256

5f55226ad993ca4941a48f970c36e64e0c6566b3c975e6f57898d59ee04eaea2
SHA512

0ae2c4407f31c65261170186adac5235580807074d905d222e0aac38d6ce28e6a67eededfff6c80552151ec15fb501e3dea3e7b254a3723003aa302d3aca692e
SSDEEP

12288:4jauDReWqM+rIoLf5Un3PzQtPk/teVt2/rkAHHQKGa+NR:4DD2oh3P8P8Euk0D9+NR

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2332	ebacy.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	9587bcbb93f8074e7777fc4a3bc73b90N.exe
3044	9587bcbb93f8074e7777fc4a3bc73b90N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ebacy.exe"	ebacy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebacy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9587bcbb93f8074e7777fc4a3bc73b90N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2332	3044	9587bcbb93f8074e7777fc4a3bc73b90N.exe	29
PID 3044 wrote to memory of 2332	3044	9587bcbb93f8074e7777fc4a3bc73b90N.exe	29
PID 3044 wrote to memory of 2332	3044	9587bcbb93f8074e7777fc4a3bc73b90N.exe	29
PID 3044 wrote to memory of 2332	3044	9587bcbb93f8074e7777fc4a3bc73b90N.exe	29

C:\Users\Admin\AppData\Local\Temp\9587bcbb93f8074e7777fc4a3bc73b90N.exe
"C:\Users\Admin\AppData\Local\Temp\9587bcbb93f8074e7777fc4a3bc73b90N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\ProgramData\ebacy.exe
  "C:\ProgramData\ebacy.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
912KB

MD5
dc819ab901be973aa2547c53eed22f26

SHA1
2f0f4e9d02867b9c48f5538819c4f5b31f5a466e

SHA256
7a63615ef6317c62b756ef28528804cc4848b62c5cb60e01de792fed6926530a

SHA512
3deca814422a8baa6c73d5db1cf7186b5e6f2ffab79568f5f7f03a1cb6d5d9765cfdd2f751bb3a3dc8000a6f4894102caf651648523551b258ae2bb7f7770050

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\ebacy.exe

Filesize
775KB

MD5
60d41214db27184f94f55e14d7bc32a2

SHA1
e640b3895155261a98c5bed75dbef2e9d6fdca94

SHA256
301d436786bb61bdb2c5ce9f76b8f4d20df4f365117765485a317e6040b59c6a

SHA512
a25cb8ff9aa4fc2b9c3b4b708ca3d95ba22d5d276673dac9358b179d3dda6374bd5112b849d758b8bb38a4ce149e9d94d0305ccb9386739ffead3965eefd2408

Download Submit
memory/2332-46-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2332-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3044-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3044-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3044-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads