a8108b6d8b89188c8b86a071ab6edc4595632e7c205d7959159cd47863a65a57

Analysis

max time kernel
118s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9b061820835e9c904fd5052814bc40N.exe
Size

416KB
MD5

cf9b061820835e9c904fd5052814bc40
SHA1

def057dac9c12c9066a85a6ad4535271c0cc9eca
SHA256

a8108b6d8b89188c8b86a071ab6edc4595632e7c205d7959159cd47863a65a57
SHA512

bf96ca105690307e9b8b0f8c9dbef39dbda178d29d59fdf050ac2efb04883e4b09e9caabd56667f72d0d6a16f942b2e8f6ca617c9767250e40ab85059b54ff47
SSDEEP

6144:6jlYKRF/LReWAsUyj/k3A+BV+Nr6ME/LpGGRYV9NY5LblkDEKzz:6jauDReWZw7cY5pKzz

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
320	cftiu.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	cf9b061820835e9c904fd5052814bc40N.exe
2112	cf9b061820835e9c904fd5052814bc40N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\cftiu.exe"	cftiu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9b061820835e9c904fd5052814bc40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cftiu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 320	2112	cf9b061820835e9c904fd5052814bc40N.exe	30
PID 2112 wrote to memory of 320	2112	cf9b061820835e9c904fd5052814bc40N.exe	30
PID 2112 wrote to memory of 320	2112	cf9b061820835e9c904fd5052814bc40N.exe	30
PID 2112 wrote to memory of 320	2112	cf9b061820835e9c904fd5052814bc40N.exe	30

C:\Users\Admin\AppData\Local\Temp\cf9b061820835e9c904fd5052814bc40N.exe
"C:\Users\Admin\AppData\Local\Temp\cf9b061820835e9c904fd5052814bc40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\ProgramData\cftiu.exe
  "C:\ProgramData\cftiu.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
416KB

MD5
94bbd79a7819d2031aa9d595091270fb

SHA1
b5c0e3cb988d60af7022636de93ab9e1313b3648

SHA256
1df2a212ea0cc53920c6923d41521b5f82c86104b5fb9045d35025a476c272b1

SHA512
c167bc6b594c49e928f379c07d67a9b42a98a39660bff764663f070375e73d4a232c2f9935bb0fcf1c921ebb0d65e7a7efe739a203cb0da70b86f42d012544af

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
7994b2a531033f244ab2b17072600b13

SHA1
bbda6c5505e6605179db97823fb633a0ce2d804b

SHA256
15b3aa78a1ee45583980713850310e2ca155046d382867c9a6df42d286129994

SHA512
1d5a088012aa927aa4fbeb04e015b80a5fe711c5da8a3e5d0e0c8032c3937003a48faff676d0736ff79fc24aa1e79746eca516c0d61692704175b52e56a9a530

Download Submit
\ProgramData\cftiu.exe

Filesize
279KB

MD5
1d8646155c5f91550b2b19b789c8bedf

SHA1
9e26cfb169ec49f45c4f8519b03175ca1b805d06

SHA256
0b076c97ed22e45f7669c4f3c5258d3f8190c2aae361e24e8a9609dcf25cc677

SHA512
1279d547ca33c6e9abe6ffc92c2e83d2220ac98363218e4af7897d4a1962fc5abce057cb559ecfd952375fc1be83c949f9647b8068560ea954d5007358103ebf

Download Submit
memory/320-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2112-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2112-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2112-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads