ca19610711a443d36e179c9e001e9969e681e0bd9eda696d5ff0bbc7709d49a2

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd35258710af62ad543cbc1dde775f30N.exe
Size

724KB
MD5

bd35258710af62ad543cbc1dde775f30
SHA1

a864e7b451c2976fef14495a7c3fbdb98b22b6f5
SHA256

ca19610711a443d36e179c9e001e9969e681e0bd9eda696d5ff0bbc7709d49a2
SHA512

e3694624ee0f2043523e6e44a066c8af40c21d3a417b2ba114968580b16b54a214160c23d8e90d59cb115b6441379d78df48d19fdbb62205afe874aeccd0c37d
SSDEEP

12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0pXhAqNmlN3aniHpDv7/gqeCQ5xAAOy:71/aGLDCM4D8ayGMFXhAqNmX3aniHpDa

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3236	sdoom.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\sdoom.exe"	sdoom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd35258710af62ad543cbc1dde775f30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdoom.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 3236	1308	bd35258710af62ad543cbc1dde775f30N.exe	85
PID 1308 wrote to memory of 3236	1308	bd35258710af62ad543cbc1dde775f30N.exe	85
PID 1308 wrote to memory of 3236	1308	bd35258710af62ad543cbc1dde775f30N.exe	85

C:\Users\Admin\AppData\Local\Temp\bd35258710af62ad543cbc1dde775f30N.exe
"C:\Users\Admin\AppData\Local\Temp\bd35258710af62ad543cbc1dde775f30N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\ProgramData\sdoom.exe
  "C:\ProgramData\sdoom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
724KB

MD5
4935e411455b42427f3771a485a72ba5

SHA1
7b7a6f9ada21078ee4ac2c4cf040a3ec50d882d4

SHA256
9b1755fc16c42a77ab24bf0e1b091546285afbdc69767362745767f145cd6ea8

SHA512
68e964b619ce49ee9e3371355dbbe5162f0a662fc15aefd1c92c22be76750b0e228073fddd2eae8a29de2cd933b0bfcb39ff53b609dc7f5ff6d59c99c99bef40

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
269KB

MD5
d882647ae95e92c82bd66478d7043df3

SHA1
52f1b2c5ff9fe97ade8a034c1df965b21b6f2008

SHA256
93ba5be8e47ad44f8d31ff6b142e6c21de473b5c725e8b798279f8b0f31d4232

SHA512
ec1416cd7b9d251d6c687c87d3626a4b1879debd50d69050a8be6f01475d53f022919aa1a0cb56e14bd6eae316259c2681eb5bc9ad0e01ed909d9aba0a52dce2

Download Submit
C:\ProgramData\sdoom.exe

Filesize
454KB

MD5
6cec368435b90542c1c6c46aae6f3f16

SHA1
503e9fdc609d892055e8fa1f11dbfbc9367b1fcf

SHA256
087983d13970ae14de23c8710e67b18278fa1a0896cc7cc8c17a3745c488021f

SHA512
2db59d4407f9037dc1e193d9a4cfd2cbb9bd218e1165edb0e3994b0b618b4b087014413f53a22c5639207e1a57ee62d4a0185efedc243f5ea04c9caaae9a03d8

Download Submit
memory/1308-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1308-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3236-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads