17dca52298e5dd246712748388782d5148968f38110f01e750cb54357d0b905c

Analysis

max time kernel
118s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78f22e440ddb8377d2d31782a718ac40N.exe
Size

395KB
MD5

78f22e440ddb8377d2d31782a718ac40
SHA1

3bc34e9129e6b9dea1ab519fbc42f908d0c2d027
SHA256

17dca52298e5dd246712748388782d5148968f38110f01e750cb54357d0b905c
SHA512

da18c41548688ef9d46f52d0da7ab62f6b19f6a05c9e06a499b74655f245a10e012b72f6ff194c6cea8d28055f595549a39f20822ffcec2d049483286fbbb0f5
SSDEEP

12288:4jauDReW2Bsxe2kUIYH3zh2GTj+bxhDRCE49ra6er271:4DDMxhFtIra6ery1

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	ocflsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	78f22e440ddb8377d2d31782a718ac40N.exe
3032	78f22e440ddb8377d2d31782a718ac40N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ocflsv.exe"	ocflsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78f22e440ddb8377d2d31782a718ac40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocflsv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1892	3032	78f22e440ddb8377d2d31782a718ac40N.exe	30
PID 3032 wrote to memory of 1892	3032	78f22e440ddb8377d2d31782a718ac40N.exe	30
PID 3032 wrote to memory of 1892	3032	78f22e440ddb8377d2d31782a718ac40N.exe	30
PID 3032 wrote to memory of 1892	3032	78f22e440ddb8377d2d31782a718ac40N.exe	30

C:\Users\Admin\AppData\Local\Temp\78f22e440ddb8377d2d31782a718ac40N.exe
"C:\Users\Admin\AppData\Local\Temp\78f22e440ddb8377d2d31782a718ac40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\ProgramData\ocflsv.exe
  "C:\ProgramData\ocflsv.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
395KB

MD5
b8e18b6ea52984a82599ef89371b2c44

SHA1
c8b7e6968507fac498f0e10172b00c0cb34b2025

SHA256
99df5cc49dc5014bbf5928694b0ef7ebbaffce6e9f6ed4020720c406e578b308

SHA512
bcff2c7815b4d357f95d173fb2661106c6c0d97c9794ebaf5d9bb23bda91623d58775cb1bdfe5dffd9e2962d374a4aa335d90dc77eb0172fe6110a37517aeb32

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\ocflsv.exe

Filesize
258KB

MD5
21d269c186ca351dae5827fb11d74f83

SHA1
37f42905a57dc900cebd293f2b6349afdcec9d35

SHA256
07a3f06320b05b9e8829c7016de846c274dd6f9205dfa4eabb70dfe7d490bbe9

SHA512
ceff70b007472ee30fdd30ab3036f42da4112bd10f7107a3edd8aac78f0164159dc692eaaabb0a26dc7f40c16c0789c0796cc00b86b23443e21d2322f886249c

Download Submit
memory/1892-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3032-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3032-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3032-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads