Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 05:01

General

  • Target

    9ce043c61f6bc3524581ab4e064895a0N.exe

  • Size

    894KB

  • MD5

    9ce043c61f6bc3524581ab4e064895a0

  • SHA1

    c51f5b9c868d5d04dd90a6722430c12b4bbb15db

  • SHA256

    d68b311b164166b7443bbfd4eb5dcd2e1e41405429f960c2be1e8b3168bb6962

  • SHA512

    caa2c3a73f79937c12d6036192d73600f7b6f852aee22c5834f41f367739d92a77faf5b6610d607c1d97f8f1662b85b3c908d30bcec2f44dea81b7b5ea63a34f

  • SSDEEP

    12288:4jauDReWCm+M5Pas4P98bffhKtWFC/bDFjKpuaCJ:4DD+m95C1P9Of7FC/b5jaCJ

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ce043c61f6bc3524581ab4e064895a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\9ce043c61f6bc3524581ab4e064895a0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\ProgramData\xagtd.exe
      "C:\ProgramData\xagtd.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
    1⤵
    PID:4592

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Documents and Settings .exe

      Filesize

      894KB

      MD5

      f70d0cef318c8a566a12e17661d59d03

      SHA1

      e9492fcf45c7d6b5e0bc5b0ac937e347af3982f1

      SHA256

      2f577a3249061a67800468e016f7fc6c9df570cb43e6bee1807c8d50d9f9013d

      SHA512

      5c6bf7723a8933cabce644c0ca93606692a03f774d8b5c111e77a352d55b5ccb626c6f06b8e6ffae8cd0031e5addd67e11cd5512e26737dce6608a3cd1ec808c

    • C:\ProgramData\Saaaalamm\Mira.h

      Filesize

      136KB

      MD5

      cb4c442a26bb46671c638c794bf535af

      SHA1

      8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

      SHA256

      f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

      SHA512

      074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

    • C:\ProgramData\xagtd.exe

      Filesize

      757KB

      MD5

      a6f73265343a3819599bf22697746761

      SHA1

      a347dcc709c071f330d4f5433ff2180bca3da760

      SHA256

      714ab624a57ef37ea8fcead858264a3b474df797377787b52daf5b37a2c7abae

      SHA512

      bae1e5fb811ab381a504a292a2121131ab64773fe60dd051a16ec4d21d7410d679983a7a947f8225cb32020dc53feeb7fdf7cf2c70acbe1388cf415e1cd4d37b

    • memory/1228-103-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/3452-0-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

    • memory/3452-1-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

    • memory/3452-9-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB