Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 10/03/2024, 21:56
Behavioral task: behavioral1
Sample: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
Resource: win7-20231129-en
General
Target: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
Size: 487KB
MD5: 5992f18b0da0a0c2622f890a14a278be
SHA1: cfcb2c1ad64418c209aa71f3be827d79582f3cd7
SHA256: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee
SHA512: b7f711a0fb80e20b0b5a696c399afae5ab790e3c4cbcaf272e45d35965d269641189310b7856df557b8896ce8954423eb4246ed55c9ba85f849063f3f34f29e6
SSDEEP: 12288:Vpbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbeP:VpbXi5xzFUBaazsiofx8K
Malware Config
Extracted family: urelas
C2 addresses:
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.31.165
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2736  cmd.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  2340  dyrea.exe
  1708  noguh.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  948   6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
  2340  dyrea.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid   Process
  1708  noguh.exe (54 occurrences)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 948 wrote to memory of 2340   948   6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe   28  (4 occurrences)
  PID 948 wrote to memory of 2736   948   6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe   29  (4 occurrences)
  PID 2340 wrote to memory of 1708  2340  dyrea.exe                                                               33  (4 occurrences)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe"
    PID: 948
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\dyrea.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dyrea.exe"
        PID: 2340
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\noguh.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\noguh.exe"
            PID: 1708
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 2736
        - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 340B
  MD5: fbb9e6fa9d9aba36212379a340f155a0
  SHA1: 17c9a13635ed2e164f34eb277b2956e25e1b3104
  SHA256: d0f4d264decea9079ac02fa1e07785d1045be65ee8fb063666b020853bf85eff
  SHA512: f375ca7e85339e85139e3a940b38c0af14c1ae19e694481dade54055f2361b01b2bfe4badc9b5d0ffa834b29dc882d3dc690e28bd9031ba1d48bfd03a24d6bac
File 2
  Filesize: 487KB
  MD5: 0b4ffa8532abc8e9b14b205eff6bcbc0
  SHA1: b4a2add593a2da09a9575356b5591c9933618783
  SHA256: a812d315086e74ba49063bcb6b621fbe8a68164dc4ea3b047ab7636be26d502c
  SHA512: e4bfb04bcb2306cfda8c29a72d0e345a1525805d4a4afe22408fb83bd62b062369869334fae9952657f76df5be4b36c0fcf4188719bfe6c6bdbb223d81c810a1
File 3
  Filesize: 512B
  MD5: ac4451cdaed6b118005cb283e5450f4d
  SHA1: 95d7f96d06b9b4123a5a68cc8773aa9e0213743b
  SHA256: 6697531f92a344acd8bac120bb5322e8f21d0ea65480a5ecd99313d268598a27
  SHA512: a38236b908d47be11e062b35d555bf4a738d358d7ae73cf5030f6f3118ca543bb03d62c2e41d11f219367f15f3596695b91082839c09b127fdda7397a6e11ad4
File 4
  Filesize: 217KB
  MD5: 35ca41b3c4c54d5261258259a81439a2
  SHA1: 16027a2792d9b0a5faca514b389327539782c496
  SHA256: 50f48939c8697cc5662255d233ddeacfb6a4703acc9b8a0fd71ecae55536e43c
  SHA512: 3cc3870be2a1eb2ef006efc91fdf9ec1e3ac86848b0b944effb5d85abf4cbf26140691fb5b1716d595a6e2c3b2acf389a9d697e173b5dc001f91d355de49c47d
File 5
  Filesize: 487KB
  MD5: 70031312a8db672b51804bfe2af57cf0
  SHA1: 6f630a7e16fab19bbd7c419a57e3ba5244200c42
  SHA256: b9e39ce25d28d62d43dda2847f32cd2eaac737564c2f2d8aec91660bdb87d68c
  SHA512: a36ccd055f51871afdee64aeb29005ab2d7e4043e99e8271ffbb7f5a87fefbfb185f765bc0d30bb9594876a02735b829701679982a7f63c9af54078be18d473c