00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf

Analysis

max time kernel
151s
max time network
116s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 13:40

Target

00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe
Size

148KB
MD5

92e2c42fd4680024562463d48ebc3518
SHA1

322e3c9ce8799657a5f6890b428b7581d97e87b3
SHA256

00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf
SHA512

eb5be2c6b05e2a130a32cfd5b70961bcc68c10d6e30a328888cc2b575c025c3f5096e1117232adc1b299495b7c9686b724e2af5c4ea9d553c20e09c8893c2875
SSDEEP

3072:p/D0o/sla9yRKRbjA+X2BIm2JMGhj4f88iVAvO+reE+1xFIy:5Y7a9yI22DuoAvnreb1z

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
912	Wsilya.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Wsilya.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Wsilya.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe
File created	C:\Windows\Wsilya.exe	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe
File opened for modification	C:\Windows\Wsilya.exe	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Wsilya.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International	Wsilya.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 912	960	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe	27
PID 960 wrote to memory of 912	960	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe	27
PID 960 wrote to memory of 912	960	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe	27
PID 960 wrote to memory of 912	960	00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf.exe	27

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
408B

MD5
6634776de553179da43794ca9f9fc70d

SHA1
4268666623d8f2f11c222c4331d204de3d52e479

SHA256
a4fa4c8dd38ed7abcf29eef49e118f6e7e7631a2676ab6637e7957d9af3bd462

SHA512
23ef4a803d528a026041d756208418e65b87c84d27d74478df4b796ebea573c8b923581775f19aa8e8d6fc3b4944935a6da42e35508ae78c037ff0daf8eae7f8

Download Submit
C:\Windows\Wsilya.exe

Filesize
148KB

MD5
92e2c42fd4680024562463d48ebc3518

SHA1
322e3c9ce8799657a5f6890b428b7581d97e87b3

SHA256
00e2b3374344e2f41953ba9b10ac30175c15d1c5bca9c669672f58c8ca88d8cf

SHA512
eb5be2c6b05e2a130a32cfd5b70961bcc68c10d6e30a328888cc2b575c025c3f5096e1117232adc1b299495b7c9686b724e2af5c4ea9d553c20e09c8893c2875

Download Submit
memory/912-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/912-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/960-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/960-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download