Analysis

Max time kernel: 149s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 10/03/2024, 22:20
Behavioral task: behavioral1
Sample: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
Resource: win7-20240221-en
General

Target: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
Size: 428KB
MD5: 8dfd25cb85377d10a473147aa08ca6cf
SHA1: 0c6f6aa8dcb847a14c86eb4b9ff8ab865524918d
SHA256: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8
SHA512: 2f2324d1107242e897025823aec86071f8d9db9882ff166e06ea75596085e1b48c187bff6da3f720880fedfd86fa4ee941a88d10ce20639f4320711ca7f4b61b
SSDEEP: 6144:to3wRi+1Py3V0a2WkQ6P9N2Y/Op9eXQ6fU//BFuHt07Vx9Ul8:w6f1PyKa2u6P9N2y3U/mHyU8
Malware Config

Extracted configuration, family: urelas
Addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.165
- 218.54.31.226
Signatures

Deletes itself (1 IoC)
  PID 2640  cmd.exe

Executes dropped EXE (2 IoCs)
  PID 2508  duodt.exe
  PID 1668  zuzem.exe

Loads dropped DLL (2 IoCs)
  PID 2196  7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
  PID 2508  duodt.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (53 IoCs)
  PID 1668  zuzem.exe  (53 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                          Target PID  procid_target  Count
  2196        7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe   2508        28             4
  2196        7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe   2640        29             4
  2508        duodt.exe                                                               1668        33             4
Processes

1. C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe  (PID 2196)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\duodt.exe  (PID 2508)
      Command line: "C:\Users\Admin\AppData\Local\Temp\duodt.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\zuzem.exe  (PID 1668)
         Command line: "C:\Users\Admin\AppData\Local\Temp\zuzem.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe  (PID 2640)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: ac3bd8d778a3d9b13118e5436129ec4e
SHA1: f3f56fc870cfc346232a18e9002bb39195a8d205
SHA256: 86e389c79054b75bd858cd6af1d29986b4f1c16ddad6115530e661c25ba75ec2
SHA512: 145e3d20fd17e56f7e079339df760d76b163c2da5978c5b6967536cd998fa4fde5e53149462c4802125b7d0001532dc8f510ee552c4896d89f301a8f1a15567b

Filesize: 512B
MD5: 035ca531a4e0a839c67e7900a6af7b8e
SHA1: d6c6348ca3156fcc6cabeec771199eec95d988a7
SHA256: e48ce32dc15ef2ca696e8db23db7b0179476d58ed109131bc01ea3d8f72cb54b
SHA512: 5d762e537583d29e926f07006fcc446364e4fe742fc3891c63e8fa9c7351ecd8d88412e1e510f642bff12db1f3e31f68d245abd0c1bf0049b6e5643ed478f2e7

Filesize: 428KB
MD5: 72c768068f99bdf8e842fef6a69d6177
SHA1: 86a5236161a29739a22f0a9e1235704d012b7d6f
SHA256: 90955741a3d20bbf2855f56854bbf9214657822e9ee3ca814cdeede05c6cf0a6
SHA512: 3589973f70eb65a4b07b54a0dfdb2f190c8e19a7f16606fb3d068b6cca8879f1632229dc09704ca4ee1843f2a8c9dfa259b1a5cfac290d3ae51d6dcfca843295

Filesize: 208KB
MD5: a2cbb3b7d44451e2e34255e983330839
SHA1: 6c2954a0671a8b12e5afa8d55cd16952ea0635d2
SHA256: c5205c71cc8177c14caa47ee659c0133d09ce746bc9b7db06766cf90a3bfe690
SHA512: 9f999f83e0248657c1d775b79942c36593a65536e453cb6bac036b093f21855d14c063add41933be369f671eca8bf7e1ad173098c1fb8fba5a10068d0c583341