4d91ea18d4937e35935b0c8ec5edd82378fa67a44b3018c81ec70b9ecfaf4aca

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f3559bba2413b3f15e778cc6a4199c0N.exe
Size

395KB
MD5

9f3559bba2413b3f15e778cc6a4199c0
SHA1

3cfa079a81b25a1a2911e08a5139169870b83dca
SHA256

4d91ea18d4937e35935b0c8ec5edd82378fa67a44b3018c81ec70b9ecfaf4aca
SHA512

a78e2b7ddc8ff510a485735b675ecc7a5fcb6ca46367680405bedd954358f42681500eff26198abd3c4d3585e9e40f4eb2035028c280552ad1f7d845ebd87ff0
SSDEEP

6144:4jlYKRF/LReWAsUyH0nHiAhNXQ7pNaAVXSeLHpwyUDZfWvP:4jauDReWAC/N5VXzHpwDyP

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4052	wiysm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\wiysm.exe"	wiysm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f3559bba2413b3f15e778cc6a4199c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiysm.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 4052	1040	9f3559bba2413b3f15e778cc6a4199c0N.exe	83
PID 1040 wrote to memory of 4052	1040	9f3559bba2413b3f15e778cc6a4199c0N.exe	83
PID 1040 wrote to memory of 4052	1040	9f3559bba2413b3f15e778cc6a4199c0N.exe	83

C:\Users\Admin\AppData\Local\Temp\9f3559bba2413b3f15e778cc6a4199c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9f3559bba2413b3f15e778cc6a4199c0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1040
- C:\ProgramData\wiysm.exe
  "C:\ProgramData\wiysm.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
395KB

MD5
7b65246d7c3233b8abccfb14498fee49

SHA1
5db94ba0f35e1a70c79150f13dfd43bea2cd6e46

SHA256
5f1009ce52ed6fb2e94f08d59a2b7914fac20fcc2255bd0ad84f7d692417b775

SHA512
5b900252dea56815eebff0d15cc4ba4901a80194b124c7d5dcd703c697c5796e447164f5c8a3bb98153a3ac6997488087712f4a88ee81a984d826187c217cfe7

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\wiysm.exe

Filesize
258KB

MD5
3df5bd448d0831fe31a38765becb920c

SHA1
4ae629b086cd1b41d5e732bf47e3833f6396e378

SHA256
3a3a48b4eca34e8984891c7bbdeec07d14dade3b5dab98fa1f00308829f39ed9

SHA512
b1de0863c393b6de61d47188be7f1254e6fb230890ceedc593ad87752f0fb25637a06af9269b7de8ff17cbbe7a000b46176dc465ff4360f373cb70ccfdde6606

Download Submit
memory/1040-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1040-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1040-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4052-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads