Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2022, 18:09
Static task: static1
Behavioral task: behavioral1
  Sample: caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
  Resource: win10v2004-20220901-en
General
Target: caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
Size: 170KB
MD5: 1278821e57216c73df687e35c1e78714
SHA1: f886c54b552b0c7cddcdc2bc9ac0f5b12c1a7268
SHA256: caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1
SHA512: 9f3ba0a93501affe8a356199d6605d848c34c3a56564d8b09ada07b7627de29e1966dc3d00cf742d5c2b210910ab7899aadbf9c9e85af9b725001e4f225b6ad4
SSDEEP: 3072:T7zy6o1J5KnjGO+uMqlSYAbnHyZKcZ0idKGSQQRbABg:faO+uMqMnHyYKdU
Malware Config
Signatures
Executes dropped EXE 1 IoCs
  pid   Process
  4060  Ewujea.exe

Drops file in Windows directory 6 IoCs
  description                   ioc                                                            Process
  File opened for modification  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
  File created                  C:\Windows\Ewujea.exe                                          caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
  File opened for modification  C:\Windows\Ewujea.exe                                          caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
  File created                  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  Ewujea.exe
  File opened for modification  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  Ewujea.exe
  File created                  C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job  caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe

Modifies Internet Explorer settings 1 IoCs
  description  ioc                                                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\International  Ewujea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  4060  Ewujea.exe   (this same pid/process pair is listed 64 times)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  pid   Process
  3804  caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
  4060  Ewujea.exe

Suspicious use of WriteProcessMemory 3 IoCs
  description                       pid   Process                                                                 procid_target
  PID 3804 wrote to memory of 4060  3804  caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe  84
  PID 3804 wrote to memory of 4060  3804  caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe  84
  PID 3804 wrote to memory of 4060  3804  caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe  84
Processes
1. C:\Users\Admin\AppData\Local\Temp\caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1.exe"
   PID: 3804
   - Drops file in Windows directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Ewujea.exe (child of PID 3804)
      Command line: C:\Windows\Ewujea.exe
      PID: 4060
      - Executes dropped EXE
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 170KB
  MD5: 1278821e57216c73df687e35c1e78714
  SHA1: f886c54b552b0c7cddcdc2bc9ac0f5b12c1a7268
  SHA256: caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1
  SHA512: 9f3ba0a93501affe8a356199d6605d848c34c3a56564d8b09ada07b7627de29e1966dc3d00cf742d5c2b210910ab7899aadbf9c9e85af9b725001e4f225b6ad4
- Filesize: 170KB
  MD5: 1278821e57216c73df687e35c1e78714
  SHA1: f886c54b552b0c7cddcdc2bc9ac0f5b12c1a7268
  SHA256: caa28fd404cf139d5c8205a36a7764e45c49d60a257a7b5cf3e170c1dc3c56f1
  SHA512: 9f3ba0a93501affe8a356199d6605d848c34c3a56564d8b09ada07b7627de29e1966dc3d00cf742d5c2b210910ab7899aadbf9c9e85af9b725001e4f225b6ad4
- Filesize: 426B
  MD5: 58f7426efcb313b113ac2c28485a1c5a
  SHA1: e310664b00c5bcb941f537833f85546a9697ae08
  SHA256: e97e85159a9988c360ed2321f564e4d7a15ce9e08ef3a9678fe9489c41081312
  SHA512: 073ea10a88644e8bd7f6bdd260d55e15e20e64b5243d4fea66f98e735957005920e5718c37ddac53088af7ac0d93faa1c3868795e832f897534a24d8f37a19d9