cc29a8a3b7737a8a9c78aad20e59f716853c38149b5c7b67a158618ea493a1a4

Analysis

max time kernel
118s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 07:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a17a6fde80d9b590b011d8ce3798a90N.exe
Size

432KB
MD5

6a17a6fde80d9b590b011d8ce3798a90
SHA1

fcde43841e499c91eb5f8edf0efe46e89e415f80
SHA256

cc29a8a3b7737a8a9c78aad20e59f716853c38149b5c7b67a158618ea493a1a4
SHA512

50e8d6a272add78d7cf1b13739456f9c6c121f3955b295f4cd99e7d0d6fddb00f55ad4a01d4994691c507a8d5c622a267802115ed798563352677d8a0fec623a
SSDEEP

6144:4jlYKRF/LReWAsUy0Wo6tGihDiYjN7GqOrdyp25qpmFPUtvD1JaJaJJJJYRVQSnt:4jauDReWaj6tGihor04RRBt

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2252	pfbsnt.exe

Loads dropped DLL 2 IoCs

pid	Process
708	6a17a6fde80d9b590b011d8ce3798a90N.exe
708	6a17a6fde80d9b590b011d8ce3798a90N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\pfbsnt.exe"	pfbsnt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a17a6fde80d9b590b011d8ce3798a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfbsnt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2252	708	6a17a6fde80d9b590b011d8ce3798a90N.exe	29
PID 708 wrote to memory of 2252	708	6a17a6fde80d9b590b011d8ce3798a90N.exe	29
PID 708 wrote to memory of 2252	708	6a17a6fde80d9b590b011d8ce3798a90N.exe	29
PID 708 wrote to memory of 2252	708	6a17a6fde80d9b590b011d8ce3798a90N.exe	29

C:\Users\Admin\AppData\Local\Temp\6a17a6fde80d9b590b011d8ce3798a90N.exe
"C:\Users\Admin\AppData\Local\Temp\6a17a6fde80d9b590b011d8ce3798a90N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:708
- C:\ProgramData\pfbsnt.exe
  "C:\ProgramData\pfbsnt.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
432KB

MD5
d7366f4439bd6d44789618d347d40718

SHA1
aa6323d8e9a12d305799199a0e463b26cb766db1

SHA256
ee7cc002a34e3cfceedae6e0d975da3ffed43f644abb1f3c7b7afd20df40c8b6

SHA512
3e445c28fb42b9b18bc8ccef7f0d51aa5aca789277572efd0a3332b9876c4c761a3eba77878095a20dc7955b57234ee80bdb7885238f131e032e848e65d59b43

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\pfbsnt.exe

Filesize
295KB

MD5
0b3ae78bf4315851173792117ea5e945

SHA1
90ec1fec001eabe518ebc189502f68dfdbea116d

SHA256
46c2eac5f352f4947b89204f4e21f915a10cf47de5fe005e09984b5faa969aa6

SHA512
3e5ba67131bf3914ee80fcb1b0e136d8b89b24c1a6c2575da281e68ddde527c99344753048252cb6524669c0233aa5be23e828652f75502ddfe82770be7d14d3

Download Submit
memory/708-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/708-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/708-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2252-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2252-688-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads