Analysis
max time kernel: 2s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 18:58
Static task: static1
Behavioral task: behavioral1
  Sample: 6147359b5dc9aef6b8b948aee2518010.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6147359b5dc9aef6b8b948aee2518010.exe
  Resource: win10v2004-20231222-en
General
Target: 6147359b5dc9aef6b8b948aee2518010.exe
Size: 355KB
MD5: 6147359b5dc9aef6b8b948aee2518010
SHA1: e505ffe55c7182bf8c5bb16c04f36bc6a997fbde
SHA256: aecad675efd1e945a63d7854bca237b76b3deee96333a344d7d737a110d00384
SHA512: e350b4184cf41deb94c45c384bf6e8c588aa7c3b2beba995b4544fcf66716f7c06f5814f7e5a5da6e86d171e7d8a2665bfd8132f24648e28edd434bfcba0bb2e
SSDEEP: 6144:AmSxoGPeQ+tIOrOgFtFlBooGV8JI9PTdCfhS7rk2IEuFXV3WATRZ8HqRL8:lSxJ2OcDi2i9PjftuFXVGAMqF8
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
Executes dropped EXE (1 IoC)
  pid | Process
  2084 | nenaf.exe
Loads dropped DLL (1 IoC)
  pid | Process
  2212 | 6147359b5dc9aef6b8b948aee2518010.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2212 wrote to memory of 2084 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 30
  PID 2212 wrote to memory of 2084 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 30
  PID 2212 wrote to memory of 2084 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 30
  PID 2212 wrote to memory of 2084 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 30
  PID 2212 wrote to memory of 2680 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 29
  PID 2212 wrote to memory of 2680 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 29
  PID 2212 wrote to memory of 2680 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 29
  PID 2212 wrote to memory of 2680 | 2212 | 6147359b5dc9aef6b8b948aee2518010.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\6147359b5dc9aef6b8b948aee2518010.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6147359b5dc9aef6b8b948aee2518010.exe"
  PID: 2212
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2680
    C:\Users\Admin\AppData\Local\Temp\nenaf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nenaf.exe"
      PID: 2084
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\sicov.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\sicov.exe"
          PID: 2008
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: 050b3ca4c68fd35b5fef007c8de0a01d
SHA1: c5f5996c1e79a4c633f888b18245292b33513a76
SHA256: 0a1349330e8d382aa080aa9a1b85763103a572e75158bc0faf05ede11361140e
SHA512: f100781191323cdf2b0a0a0ce5680d65e7bcfc5e1d643ebb9855190b520cab70356b3dfde53dfe1018be4a6fbf53ccd8e3618847cacd0455961ac632945f0232