Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29/02/2024, 06:55
Behavioral task
behavioral1
Sample
Backdoor.Win32.Plite.exe
Resource
win7-20240221-en
General
-
Target
Backdoor.Win32.Plite.exe
-
Size
433KB
-
MD5
95e4c82cdab9f3f29e5db343148855a6
-
SHA1
4ccfbc92609a4311f52d04c87e3fc9f2c0b85513
-
SHA256
045b4bb4a2914bf91607a617516731dd3317c74a701a38749a1fc0930d225680
-
SHA512
2ab7072e50bd1d79e167220387327799c79f4816092caac4a56d4da7e043567b0c0972521d60f03ad11a0342e2f6aa1402925a484550d7b0eae954fdc3585939
-
SSDEEP
6144:DKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fk5U:OANxU3VH1t19MsAlpXy
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
resource yara_rule behavioral1/files/0x000f00000000f680-30.dat aspack_v212_v242 -
Deletes itself 1 IoCs
pid Process 2436 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1896 bytur.exe 1316 fuxya.exe -
Loads dropped DLL 3 IoCs
pid Process 1136 Backdoor.Win32.Plite.exe 1136 Backdoor.Win32.Plite.exe 1896 bytur.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid Process 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe 1316 fuxya.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1136 wrote to memory of 1896 1136 Backdoor.Win32.Plite.exe 28 PID 1136 wrote to memory of 1896 1136 Backdoor.Win32.Plite.exe 28 PID 1136 wrote to memory of 1896 1136 Backdoor.Win32.Plite.exe 28 PID 1136 wrote to memory of 1896 1136 Backdoor.Win32.Plite.exe 28 PID 1136 wrote to memory of 2436 1136 Backdoor.Win32.Plite.exe 29 PID 1136 wrote to memory of 2436 1136 Backdoor.Win32.Plite.exe 29 PID 1136 wrote to memory of 2436 1136 Backdoor.Win32.Plite.exe 29 PID 1136 wrote to memory of 2436 1136 Backdoor.Win32.Plite.exe 29 PID 1896 wrote to memory of 1316 1896 bytur.exe 33 PID 1896 wrote to memory of 1316 1896 bytur.exe 33 PID 1896 wrote to memory of 1316 1896 bytur.exe 33 PID 1896 wrote to memory of 1316 1896 bytur.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\bytur.exe"C:\Users\Admin\AppData\Local\Temp\bytur.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Users\Admin\AppData\Local\Temp\fuxya.exe"C:\Users\Admin\AppData\Local\Temp\fuxya.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1316
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- Deletes itself
PID:2436
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252B
MD597fc87a02a4d6b9e3c84b60d8c043bfe
SHA1766c62bed33c6c7aabf6e27099702bcd584dcccb
SHA256a3196284add063a8e6090efbb24a11a92af85d7257bc6b583299ff5df53806cc
SHA5124462f2d9275882358de182cf3984fdde74e8430ea85212efa2c579c618c6cab10c867e7a2d6fd3dfd0400b7918a9d03de37eb5c5296abefa53846a8e126e6938
-
Filesize
216KB
MD57e4f24618313c32066dc7a1dfd5c0c58
SHA1ba3b4353960413533f30a6b574e50a3593364326
SHA2565a8e99af7c0167e3b9ae1f9f07ef3117981f6fc2273e3db6a550e2efb60c10e2
SHA51252407dc38558115a86d8f1361d4c1ba808b3a77a98858414ac0829459bba02ec5312e1b2834e734f24facce1878cd0fc97b83e97aa26dce3d1cac10a4f444af8
-
Filesize
512B
MD5b0eb3d58daa59ca15164d998af721e23
SHA11fae3b65d2174d0b9b1d4d3923ca50ad220e65f2
SHA256af68cd422eb11a2b4d53509ac4c358d40c7cd1b937389d448df24eb5e85b50f4
SHA512c9f724fe91f6f3c945794f68cff1ae9b8480a5d959adc3a6cb0f0e72f3d512df4cb94282b2a8e46ad65fd82f3da2dace5c60b73c1058ff05ce2b26b7463bb44a
-
Filesize
433KB
MD5dd87d57c7f06b4a342e80ae413a045ff
SHA18f6a39dff19d93c468cd1947476219e41c9016aa
SHA2562378e7e2f0e8cec74aa756faf2c1d696fd5f6c92ec78bc9b8caa7facb74e0560
SHA512ec66d72779ba18be82d688a68c2c538f81d81ad4883edf30150ed9cc98a5666e21fc087898e4102e6dbc97923452e917a84d0c2de9afeb4dd3234dc1165e3b0a