3a577c1f05a76a432c3811eb5c65ca71b3e08106f6d52d5b1357ebc2e78b0da6

Analysis

max time kernel
119s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 01:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b8599c3f3b018f8a5cab193fba0af150N.exe
Size

995KB
MD5

b8599c3f3b018f8a5cab193fba0af150
SHA1

4ad1d799ffda3a787854e3eeb416b06b1034f1db
SHA256

3a577c1f05a76a432c3811eb5c65ca71b3e08106f6d52d5b1357ebc2e78b0da6
SHA512

19707fb9a7ad1c5511925afdd6a3f025345d56f2bb36828d189fbd7b72ed6080efe81909ec7801772f8db8de8d04950664a4b63f97c5427e8843384012bab310
SSDEEP

24576:4DD/3cVwxu0I/nCkHdXMsHAVI5GJIZCupCfpSI5CVJQGC2DKIxMP:i3cK9AHgVI5GJIZCupCfpSI5CVJ/DKn

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1620	scwvbg.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	b8599c3f3b018f8a5cab193fba0af150N.exe
2348	b8599c3f3b018f8a5cab193fba0af150N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\scwvbg.exe"	scwvbg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8599c3f3b018f8a5cab193fba0af150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scwvbg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1620	2348	b8599c3f3b018f8a5cab193fba0af150N.exe	30
PID 2348 wrote to memory of 1620	2348	b8599c3f3b018f8a5cab193fba0af150N.exe	30
PID 2348 wrote to memory of 1620	2348	b8599c3f3b018f8a5cab193fba0af150N.exe	30
PID 2348 wrote to memory of 1620	2348	b8599c3f3b018f8a5cab193fba0af150N.exe	30

C:\Users\Admin\AppData\Local\Temp\b8599c3f3b018f8a5cab193fba0af150N.exe
"C:\Users\Admin\AppData\Local\Temp\b8599c3f3b018f8a5cab193fba0af150N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\ProgramData\scwvbg.exe
  "C:\ProgramData\scwvbg.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
995KB

MD5
879d26a6a08b8e9baf3b3f4f3af47bd4

SHA1
b02d540a82a768832428f24b1f0b94ae0d4443dc

SHA256
5d90726888f3ed2005f9cec39dc592e9c05b994e01912a2fd92b7afbb092e9a9

SHA512
fa61367e95f68d154d339b07bc2e7f3b8d1ce785e8a53f7d8d8c7a2a396d734f8e4c26d2e6e02ab517e57092b8d80baff3097e8046a3c08d3ee7a6e217e7898d

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\scwvbg.exe

Filesize
858KB

MD5
5ff7afdcdc4db46d0918906c25c4b5be

SHA1
44b02c4a8ed4ceae66cc09ea7e294f34f4e71811

SHA256
211b4ca9bca1655b27954c4796ecd29e8943b40a04a24276b38e7074e718fcb7

SHA512
06df2504fef46421e5ea671b8373ff733b2c3f81de9fd2721223155562cbf7b2e396981b72da8dfa94010dbfdd458fc4aaba9d229c7b92ce605e250bbad2fe2c

Download Submit
memory/1620-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2348-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2348-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2348-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads