Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
15/10/2023, 19:42
Static task
static1
Behavioral task
behavioral1
Sample
aa387482fde8b6558331be3e65e21d30_exe32.exe
Resource
win7-20230831-en
General
-
Target
aa387482fde8b6558331be3e65e21d30_exe32.exe
-
Size
340KB
-
MD5
aa387482fde8b6558331be3e65e21d30
-
SHA1
3ea1348a718b0486f56e70a961e87ed9fddf2ec6
-
SHA256
255545ed1bd0d5209873370cc88901ad114fe8ce04fc3250bfb145153c562ac4
-
SHA512
ed00ef26f5d786ee76c479ae757c8eb6781af9e1586d2c68e52dedc4acfb69409f9d8b39d6dc3ea38f06d1383ea0f43ff35aa67681f1d43f116d5e77217b9ca7
-
SSDEEP
6144:DX+psoWJ+IvLI7BziS3qoJGd2GexPZmxMcVp0Xps:ymoWkI094og2GgPZkiu
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Deletes itself 1 IoCs
pid Process 2580 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1956 qavoq.exe -
Loads dropped DLL 1 IoCs
pid Process 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1076 wrote to memory of 1956 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 28 PID 1076 wrote to memory of 1956 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 28 PID 1076 wrote to memory of 1956 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 28 PID 1076 wrote to memory of 1956 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 28 PID 1076 wrote to memory of 2580 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 30 PID 1076 wrote to memory of 2580 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 30 PID 1076 wrote to memory of 2580 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 30 PID 1076 wrote to memory of 2580 1076 aa387482fde8b6558331be3e65e21d30_exe32.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa387482fde8b6558331be3e65e21d30_exe32.exe"C:\Users\Admin\AppData\Local\Temp\aa387482fde8b6558331be3e65e21d30_exe32.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\qavoq.exe"C:\Users\Admin\AppData\Local\Temp\qavoq.exe"2⤵
- Executes dropped EXE
PID:1956
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
PID:2580
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288B
MD5444d2d50e005c2993eae56608f486a27
SHA139275fc9963ea604495179fa88cdcd0ae853979a
SHA2568ad22721e12c8330dfa8e1e6455ed8da11b13f2517fe285d1f2f8837672ca989
SHA512caeace56f25e5ddae5f3239bdc6b7a0dd958ffe803b7f800a03ca711b9e835e03442b1a81a886ee99db4f1e854b19548bbf105146c3925cb7419f8a606369402
-
Filesize
288B
MD5444d2d50e005c2993eae56608f486a27
SHA139275fc9963ea604495179fa88cdcd0ae853979a
SHA2568ad22721e12c8330dfa8e1e6455ed8da11b13f2517fe285d1f2f8837672ca989
SHA512caeace56f25e5ddae5f3239bdc6b7a0dd958ffe803b7f800a03ca711b9e835e03442b1a81a886ee99db4f1e854b19548bbf105146c3925cb7419f8a606369402
-
Filesize
512B
MD59f6234af5012a781333995b1fd1caf95
SHA1bd31099106069c74c761fb4cdd01445e80b45ab3
SHA2569cb73c0a3a777bae8c11d1396099dbca34db8c4f7702efc3960c44ad296cdb9a
SHA51291363d3a779f1bc49209f4c99a92740f3290117dee2dc2aeae39ac41183e1f60b8833d65c705c71b68c03cea2ac8f803d7637f573041d260e189839f7859f0d0
-
Filesize
340KB
MD534a7321b9c186e1cef71f723254774eb
SHA1ea2212bb18cabe067c804931081e979f73d21c89
SHA256409b2e3a3132ce68d44ba063c09e0f7e7ef2069822c5489b5c8d951dea41a7f2
SHA51216e2913c29b13daf15f6c75fcb87447ebf8d69571515231edbc6173a752c2b195db986cdebc2959dd6a68d6b83e7d8c56534f6ca83f3a06da38752b6eb3c2daa
-
Filesize
340KB
MD534a7321b9c186e1cef71f723254774eb
SHA1ea2212bb18cabe067c804931081e979f73d21c89
SHA256409b2e3a3132ce68d44ba063c09e0f7e7ef2069822c5489b5c8d951dea41a7f2
SHA51216e2913c29b13daf15f6c75fcb87447ebf8d69571515231edbc6173a752c2b195db986cdebc2959dd6a68d6b83e7d8c56534f6ca83f3a06da38752b6eb3c2daa