Analysis

- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10/03/2024, 21:33
Behavioral task: behavioral1

- Sample: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe
- Resource: win7-20240221-en
General

- Target: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe
- Size: 466KB
- MD5: 78fc62e55e06943e83f4f22eede88966
- SHA1: 0004be510b718d9f8e1d59cccde7b92696380775
- SHA256: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd
- SHA512: e910115a511162739a8dfef794371aef551486c63dced8310a293c5d653bfaf2a84156a4a2fe46c1b2785975b7990dcb7852ad7aa488e946bd66a6b16d270ca0
- SSDEEP: 6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmi:LMpASIcWYx2U6hAJVs
Malware Config

Extracted family: urelas

C2 addresses from the extracted configuration:
- 218.54.31.165
- 218.54.31.226
Signatures

- Deletes itself (1 IoC)
  PID 2688, cmd.exe
- Executes dropped EXE (3 IoCs)
  PID 2056 nypyi.exe; PID 2732 wacoce.exe; PID 1048 zoerv.exe
- Loads dropped DLL (4 IoCs)
  PID 2160 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe; PID 2056 nypyi.exe; PID 2732 wacoce.exe (logged twice)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (20 IoCs)
  Five distinct writer/target pairs, each logged four times:

  writer PID  writer image                                                                   target PID  target image  procid_target
  2160        5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe           2056        nypyi.exe     28
  2160        5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe           2688        cmd.exe       29
  2056        nypyi.exe                                                                      2732        wacoce.exe    31
  2732        wacoce.exe                                                                     1048        zoerv.exe     34
  2732        wacoce.exe                                                                     1116        cmd.exe       35

  Every target is a child the writer had just spawned (compare the process tree below). Windows itself writes the new process's startup parameters into a child during CreateProcess, so this signature here mirrors the parent/child chain; it is not evidence of injection into an unrelated process.
Processes

Tree by depth; each node gives the image path, PID, command line as recorded, and the signatures attributed to it.

[1] C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe (PID 2160)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"
    Loads dropped DLL; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\nypyi.exe (PID 2056)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\nypyi.exe" hi
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\wacoce.exe (PID 2732)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\wacoce.exe" OK
        Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\zoerv.exe (PID 1048)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\zoerv.exe"
          Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1116)
          cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2688)
      cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      Deletes itself
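The process tree above shows two patterns worth turning into detection logic: a chain of executables launched from the user's Temp directory, each spawning the next (the sample, nypyi.exe, wacoce.exe, zoerv.exe), and cmd.exe running a .bat file from Temp, which the report tags "Deletes itself" for PID 2688. The script below is an added example, not part of the sandbox report or its tooling. It builds process-creation records from the tree above (the pid/ppid/image/cmdline schema is an assumption, not any vendor's telemetry format; the root's parent PID is set to 0 because the report does not show it) and flags both patterns.

```python
# Added example (not part of the sandbox report): flag the two process-tree
# patterns shown in the report's Processes section, over records constructed
# from that tree. Field names (pid, ppid, image, cmdline) are an assumed
# minimal schema, not any vendor's telemetry.
import re
from dataclasses import dataclass

# %LOCALAPPDATA%\Temp of any user on any drive letter.
USER_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE
)
# cmd /c "<path>.bat", tolerating the doubled quotes seen in the report.
CMD_BAT_RE = re.compile(r'/c\s+"*([A-Za-z]:\\[^"]+\.bat)"', re.IGNORECASE)

SAMPLE = "5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
BAT_CMD = r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def temp_path(name: str) -> str:
    return TEMP + "\\" + name


# Constructed from the report's process tree; ppid 0 marks the root because
# the sandbox does not show the sample's own parent.
EVENTS = [
    ProcEvent(2160, 0, temp_path(SAMPLE), f'"{temp_path(SAMPLE)}"'),
    ProcEvent(2056, 2160, temp_path("nypyi.exe"), f'"{temp_path("nypyi.exe")}" hi'),
    ProcEvent(2688, 2160, CMD_IMAGE, BAT_CMD),
    ProcEvent(2732, 2056, temp_path("wacoce.exe"), f'"{temp_path("wacoce.exe")}" OK'),
    ProcEvent(1048, 2732, temp_path("zoerv.exe"), f'"{temp_path("zoerv.exe")}"'),
    ProcEvent(1116, 2732, CMD_IMAGE, BAT_CMD),
]


def in_user_temp(path: str) -> bool:
    """True when the path is under some user's AppData\\Local\\Temp."""
    return bool(USER_TEMP_RE.match(path))


def ancestry(events, pid):
    """Image paths from the root down to `pid`, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


def temp_spawns_temp(events):
    """(parent pid, child pid) pairs where both images run from user Temp.
    In the report this is the dropper chain sample -> nypyi -> wacoce -> zoerv."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and in_user_temp(parent.image) and in_user_temp(e.image):
            hits.append((parent.pid, e.pid))
    return hits


def temp_bat_via_cmd(events):
    """cmd.exe running a .bat from user Temp, with the parent that launched it.
    The report tags one such launch (PID 2688) 'Deletes itself'; a batch file is
    the usual vehicle for a dropper to delete its own binary once it has exited,
    so a hit whose parent also lives in Temp deserves a look."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        match = CMD_BAT_RE.search(e.cmdline)
        if not match:
            continue
        bat = match.group(1)
        parent = by_pid.get(e.ppid)
        hits.append({
            "pid": e.pid,
            "bat": bat,
            "bat_in_temp": in_user_temp(bat),
            "parent": parent.image if parent else None,
            "parent_in_temp": bool(parent and in_user_temp(parent.image)),
        })
    return hits


if __name__ == "__main__":
    for ppid, pid in temp_spawns_temp(EVENTS):
        print(f"Temp->Temp spawn {ppid} -> {pid}: {' > '.join(ancestry(EVENTS, pid))}")
    for h in temp_bat_via_cmd(EVENTS):
        print(f"cmd /c batch from Temp: pid {h['pid']} bat={h['bat']} parent={h['parent']}")
```

Both rules are deliberately narrow: the Temp-to-Temp rule ignores cmd.exe (it runs from SysWOW64) and the batch rule only fires when cmd.exe's command line names a .bat file, so installers that run a script from a signed binary elsewhere on disk do not trip them. Against the constructed tree the first rule returns three spawn pairs and the second returns the two cmd.exe launches, with both the batch file and the parent under Temp.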
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped files, as recorded by the sandbox. The report gives size and hashes only, not file names, so these cannot be mapped to the executables in the process tree from this page alone. Two of the files are 466KB, the same size as the submitted sample, but with different hashes.

- Filesize: 224B
  MD5: 47516a89dce61abc3ba1899a0307ea7a
  SHA1: 86b7046c9bb96a0d3de71302ca8a8fa11af86683
  SHA256: 6fe98643eff0b3107434aefae69fc34eeb8401d6103479331a4bbcb7ada59318
  SHA512: 9de3fd325ea7324acfefd03a622f7755a7a823340f5e831808c7f50d8b3e2192b75856d25837ed38b616d86f5a3b0c473e1da90151b050b6da49da0a2965e5d8
- Filesize: 340B
  MD5: 859e8ddea4d18da5ec5e50cc770b8ddd
  SHA1: 4ca1a12961c54ab94119940e141f0b48ad4e65b8
  SHA256: 138493c37190810d388269dcde50ff3ef51c9e33739a0b82e2491e11c6ca03b7
  SHA512: e061b81062c49280f11af67813047de655027d19fe22c14e8522e5cd22b83b41b5fd77aa77baecef6d66cd207b1fc4ec1b25ad1649b78fcbbfd3c0c22a967e01
- Filesize: 512B
  MD5: 3bb3c45b0f6568746658b0623d93dede
  SHA1: 91cf8e0ba4dcb7217e1d561df32a4ff288bbaa04
  SHA256: c5ddb2ae90c4f32427abaaf2c3b11957a1b38074b0db47e680da0ec5c5f342a2
  SHA512: 06a1712a4e9355ca4254e1ea403f2cc42dfc65aa268a7ae726f4c0663f5556a0204f82b95d9f86ad715d6ac0bb2e47d3bd1375625d0bf2ab588b914cb06df7d4
- Filesize: 466KB
  MD5: e4c657701f54c67afe20dca141a87c34
  SHA1: 7872606463daf25632a6db6be97d8a2cabd57dc2
  SHA256: e57078c57a9bda166acac8a0fffd73b25dcc012e245ec49b665ade52fb70fa85
  SHA512: e587742b7fdc645d49daf58674bb41ebba02799ad17c0ddb735ed201fc8b8dbdf2d2fa820e5f8191e88d6130d2688844a869823ab6b576e919e9e4de5189fc0c
- Filesize: 223KB
  MD5: 999e719b136207014df57c9cb02314ae
  SHA1: 014d33bb07a8c8ca4c6600466680d0ea6a830bc3
  SHA256: 0a5a15d6e4bb35d25d2bca417911971814193066d7dbb481806f47be58b283ad
  SHA512: c4afe067cab9ea820d870061fb6c9b264042a8a84a7ff55494695e64db6418794744fe5df0b583e725e4baa09c9332cf1b93962b88349885a13f0c63d905e9b3
- Filesize: 466KB
  MD5: 1e525cded488101081f6dee303d82755
  SHA1: a472c1f205d124a32ed0cf5015f5c4b2ec64ce00
  SHA256: 64c2166259bee4a1266f89ea0c427dcaf957f06c137421168ea2673ae20c30b4
  SHA512: 9855f0cad8093b2ca16276d3b9456ae71255c7d49c65e9aa430deb2bb12396e2a8f6c5332117dc329e754f61be69102907aba5d93d3f73ff4f8e7755f32aaf1d