35ccc0a47617038ed4b6ce00af3df7ee0608b16f08b2c4f1395c156ccc45330d

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0518c8090da274cda5250678563f4ef0N.exe
Size

525KB
MD5

0518c8090da274cda5250678563f4ef0
SHA1

7b97920fd8e63ade1f82ce5173676d8592d82720
SHA256

35ccc0a47617038ed4b6ce00af3df7ee0608b16f08b2c4f1395c156ccc45330d
SHA512

1eff0ea17ecb1a9a9a60a803cceb7af16f7c4f9c12d856464bfccbc3d78dceb0ac473eae8316629c9db40a05d152c33d248a3c293d3d569c975de7aa8e2311cb
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0ditvWvb6o3mBWO+X+Ta2oavlc/BYbQ69:71/aGLDCM4D8ayGMpiRWvb6oi+Vw

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3360	uybhjl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uybhjl.exe"	uybhjl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0518c8090da274cda5250678563f4ef0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uybhjl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3360	2120	0518c8090da274cda5250678563f4ef0N.exe	85
PID 2120 wrote to memory of 3360	2120	0518c8090da274cda5250678563f4ef0N.exe	85
PID 2120 wrote to memory of 3360	2120	0518c8090da274cda5250678563f4ef0N.exe	85

C:\Users\Admin\AppData\Local\Temp\0518c8090da274cda5250678563f4ef0N.exe
"C:\Users\Admin\AppData\Local\Temp\0518c8090da274cda5250678563f4ef0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\ProgramData\uybhjl.exe
  "C:\ProgramData\uybhjl.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DDF.sys .exe

Filesize
525KB

MD5
c1e8cd9f542d4c7bc9e74ad00e6b2734

SHA1
69429de544188794c658da9457861c6add5a77f7

SHA256
6135422a2b5ee4752c82d2c974a8c991b737d87dc260c8e5d3fb86ddb3bff1be

SHA512
e0fd77c3f75ecb150b424ed6256b901a8bfdf5884a1396733a42d0568ca7b5c2f0069e6937af30133fb001f559fad9d51cfa9877e326fbabeb73a59bd060e57b

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\uybhjl.exe

Filesize
255KB

MD5
e95693ab3c7d0de5b143fde69b7afa5b

SHA1
65f9a50cf6b9b906c671d9e1b7746ed0622ac726

SHA256
3892191a3e908ac2754cfd0c6cca3c3ce89b9f21e6745fe5226208b19cf536e4

SHA512
226c78bc98e9d30ef790a33b7f846c5bd7b54ef1cadbe6165b83b4b1bf4e50e279469f62b35c23f68d280be19a478481a4ed83aa0ef24b9eade5e8c479ee083f

Download Submit
memory/2120-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2120-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3360-132-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads