Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 02:21
Behavioral task
behavioral1
Sample
ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
Resource
win7-20240221-en
General
Target: ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
Size: 417KB
MD5: 5323d5a77f6ce194a9023df2dccd6d19
SHA1: 0a611ca0a52faedeca469c32d4e6d07365dcf373
SHA256: ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb
SHA512: 523bfafe538e7bd8499cfed1a97963878e726e582b75180124cb18fb8678504fa1417ab746621ca83971c3f8860212ba294021a08bc2bb40de6ee4832dc23544
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqD:eU7M5ijWh0XOW4sEfeObD
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
YARA rule match: resource behavioral1/files/0x0004000000004ed7-26.dat, yara_rule aspack_v212_v242
Deletes itself (1 IoC)
PID 2644, cmd.exe
Executes dropped EXE (2 IoCs)
PID 2992, qigiu.exe
PID 832, unkul.exe
Loads dropped DLL (3 IoCs)
PID 2036, ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe (2 entries)
PID 2992, qigiu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (54 IoCs)
PID 832, unkul.exe (54 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
PID 2036 (ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe) wrote to memory of PID 2992, procid_target 28 (4 entries)
PID 2036 (ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe) wrote to memory of PID 2644, procid_target 29 (4 entries)
PID 2992 (qigiu.exe) wrote to memory of PID 832, procid_target 33 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
   PID: 2036
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\qigiu.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\qigiu.exe"
      PID: 2992
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\unkul.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\unkul.exe"
         PID: 832
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2644
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads