Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
05/03/2024, 02:40
Behavioral task
behavioral1
Sample
f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
Resource
win7-20240221-en
General
-
Target
f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
-
Size
458KB
-
MD5
65121c8732d9066d3cff3f11d787d6ca
-
SHA1
fbb3e172674180908626f42eb0bf6e18658c6927
-
SHA256
f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020
-
SHA512
1aa4f8496eeef242043a625b5a0b5cec97cb69527bb42c4fbef26e4057819bd9879d0c255b87b4d47d4b2141cc7ae24b0138dc7bfaf048b31ec5d6b13352c87b
-
SSDEEP
6144:l+89tuc2/zrVhVa2H6jkEgAnLjCyl5afu/KQw3hwglo8uBqjnv6D3WwhD5RzC91q:lJYH6jkEgAnieafuzQTlhuwv6Dd9C9E
Malware Config
Signatures
-
resource: behavioral1/files/0x000900000000f6f2-23.dat
yara_rule: aspack_v212_v242 (ASPack v2.12-v2.42 packer signature, matched on a dropped file) -
Deletes itself 1 IoCs
PID 3016  cmd.exe -
Executes dropped EXE 2 IoCs
PID 2196  epnun.exe
PID 2724  gilyv.exe -
Loads dropped DLL 2 IoCs
PID 2216  f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
PID 2196  epnun.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2216  f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
PID 2196  epnun.exe
PID 2724  gilyv.exe (the remaining 62 IoCs are all from this process) -
Suspicious use of WriteProcessMemory 12 IoCs
description                         pid   Process                                                                    procid_target
PID 2216 wrote to memory of 2196    2216  f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe  28  (4 identical events)
PID 2216 wrote to memory of 3016    2216  f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe  29  (4 identical events)
PID 2196 wrote to memory of 2724    2196  epnun.exe                                                                  33  (4 identical events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe"
   PID: 2216
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\epnun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\epnun.exe"
      PID: 2196
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\gilyv.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\gilyv.exe"
         PID: 2724
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      PID: 3016
      - Deletes itself
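The process tree above, rebuilt from the report's events as an added example (not part of the sandbox report and not its export format): the four event tuples are constructed from the PIDs and command lines in the Processes section, parent links come from the distinct "PID A wrote to memory of B" pairs (the report lists four identical write events per spawned child; only the writer/target pairing matters for lineage), and the Temp-path regex, the two detection rules and all function names are this example's own.

```python
"""Reconstruct process lineage from sandbox process events and flag the two
behaviours this report calls out: dropped EXEs executed out of the user's Temp
directory, and self-deletion through a cmd /c batch file.

Added example, not part of the sandbox report. EVENTS is constructed from the
PIDs and command lines in the Processes section; parent links come from the
distinct "PID A wrote to memory of B" pairs. Field layout and rule names are
this example's own convention, not the sandbox's export format.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, parent pid, image path, command line) -- constructed from the report.
EVENTS = [
    (2216, None, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    (2196, 2216, f"{TEMP}\\epnun.exe", f'"{TEMP}\\epnun.exe"'),
    (3016, 2216, r"C:\Windows\SysWOW64\cmd.exe", f'cmd /c ""{TEMP}\\_sannuy.bat" "'),
    (2724, 2196, f"{TEMP}\\gilyv.exe", f'"{TEMP}\\gilyv.exe"'),
]

# Any per-user Temp directory, not only the sandbox's "Admin" account (assumption).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# First quoted path ending in .bat inside a command line.
BAT_ARG = re.compile(r'"([^"]+\.bat)"', re.I)


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def build_tree(events) -> dict:
    """Index processes by PID and attach each one to its parent."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def lineage(procs, pid) -> list:
    """Image basenames from the root process down to `pid`."""
    chain = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain[::-1]


def in_user_temp(path: str) -> bool:
    return USER_TEMP.match(path) is not None


def dropped_exec(procs) -> list:
    """(parent, child) pairs where a Temp-resident EXE launches a different Temp-resident EXE."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if (parent and in_user_temp(parent.image) and in_user_temp(p.image)
                and p.image.lower() != parent.image.lower()):
            hits.append((parent.pid, p.pid))
    return hits


def self_delete_batch(procs) -> list:
    """cmd.exe PIDs running a Temp .bat on behalf of a parent that itself runs from Temp."""
    hits = []
    for p in procs.values():
        if ntpath.basename(p.image).lower() != "cmd.exe":
            continue
        m = BAT_ARG.search(p.cmdline)
        parent = procs.get(p.ppid)
        if m and in_user_temp(m.group(1)) and parent and in_user_temp(parent.image):
            hits.append(p.pid)
    return hits


def render(procs, pid=None, depth=0) -> list:
    """Indented tree lines, roots first, children in spawn order."""
    if pid is None:
        return [line for p in procs.values() if p.ppid not in procs
                for line in render(procs, p.pid, 0)]
    p = procs[pid]
    lines = [f"{'  ' * depth}{ntpath.basename(p.image)} [{p.pid}]"]
    for c in p.children:
        lines.extend(render(procs, c.pid, depth + 1))
    return lines


PROCS = build_tree(EVENTS)

if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    print("dropped-EXE execution:", dropped_exec(PROCS))
    print("self-delete via batch:", self_delete_batch(PROCS))
    print("lineage of 2724:", " -> ".join(lineage(PROCS, 2724)))
```

On this report the two rules fire on exactly the edges the sandbox flagged: 2216 -> 2196 and 2196 -> 2724 for dropped-EXE execution, and cmd.exe 3016 for the batch-file self-delete. Matching on the writer/target pairs rather than on the sandbox's ordering is what keeps the tree correct when events arrive interleaved; the same functions apply unchanged to any other process event source that carries pid, parent pid, image and command line.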
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
340B
MD5
6d12b4699b3df740d86485f6c3b6b25f
SHA1
90e3e4003955350d1fc0b0c6affef3e7ea826bc7
SHA256
544a41366f7ce75d214612e3437e198ca3f24f3363c9730f3aaf58a470ec68ed
SHA512
e96ebb59f27364d6cf37e83dd328abc0b8b6a990a6717e8264889c55d82c31ecd5b3e9eafa26a53f70938603ea001391d95cef6e69ba4958398eae3c0675773e
-
Filesize
55KB
MD5
37d9aa2aba44d37586fb0364a64872ec
SHA1
4a4959f94f07dc586eacda48a42f5f9470a6567c
SHA256
4f17946b0d1f4e90be4f4a76bc455c53ccf94290ab7b1a60e725862cb27e1aec
SHA512
09396ba872ee717c5bf04f8ef51306fa0c817978fdf2a3740df9fbe27c19204cd97ad618942a802352a96311618d2612e61aa2bee4da44546f10964d5a791816
-
Filesize
458KB
MD5
d7c572e8c6082d60017a2a8f0966a97a
SHA1
0b0261c71bf9971147f89eae504571f93ea5a14d
SHA256
e9da3f52c668bb2ae8187fdf12f53917eb631fc494ffede98d0dcad3d504c2ca
SHA512
70ca285456d1bf22fb77a73f1489f26f36208ad241064034a12183a9e4890b3e0fe00e0446fa21fba843b3a2f5964ab08308b83b31f4adedafbf22356937b047
-
Filesize
512B
MD5
60a58a39db9471f7885d5e977715a6ae
SHA1
1f467441bd71818faf71eb640d8395d06449438e
SHA256
4d6b45a8e266664d641535dcc1f099e61a57ff45d6995b79a74acbadd8d87587
SHA512
4b7036e71775ffae2312460289b0363bfb4cb75d2067fe8d5c034210505ef81c6c287face8170a4b3df11ca6b966daab03d53d5292e91f556c025b4bd35b34ef
-
Filesize
458KB
MD5
5233a3a5ac9ab833f6c39f002703b5da
SHA1
2757233b1af01edd99303e7df97752c368a12321
SHA256
199775cc3320d98cdadd6f817df9c0166e55e29ec3a1b1ffd67abb7528e725f1
SHA512
4c985bdd75b09ca660821e6a87d5bfb6cfde6a54be48e7ffeb4d82e1a21febd719232b800f62efc9803bd30c78188fe1d1790005010ffe14274a15d4a63973b0
-
Filesize
211KB
MD5
bb29925cbdedd09a788ceea3a7e86f73
SHA1
86d28254bef214f4706dca24072ac72df9d71123
SHA256
093e63f82802d237c7f994912fad258dc54989130fe5124f3a0140cf658e2d97
SHA512
be6ff3d82c703f2dc7bf7de20ca4cd24dc956ed4843f0ba7074df5b0cf9fd6a05ad14836b9842cd18c621af45337d61237abe050b8d5f366dad21cbe0590162f