Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/03/2024, 22:01

Behavioral task: behavioral1
Sample: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
Resource: win10v2004-20240226-en
General
Target: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
Size: 368KB
MD5: 7155ede202bea542dd5674130785011e
SHA1: b9d0c3e42de4894deefcd28518e6797739fe66c4
SHA256: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11
SHA512: 7218603790fc4cf9e8ecde2be320d623e1cde26ba1b7bc2fc293647662b42c03616848e4cbfa7ecc7ae291bfa33948cb54bae0df83f6b81c37b48ecad5f6dcdf
SSDEEP: 6144:CcKp6l030ly3Li2pmzGqGsl5lvyRn3uXdu0ua8RiVpJ7T:CrAM0ly3O2A9GApq3uJ0i5T
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 2580 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process: 1212 afvit.exe; 2568 gokue.exe
- Loads dropped DLL (3 IoCs)
  pid / Process: 2320 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe; 1212 afvit.exe; 1212 afvit.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid / Process: 2568 gokue.exe (the same entry, listed 53 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 2320 wrote to memory of 1212 | 2320 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe | 28 (4 entries)
  PID 2320 wrote to memory of 2580 | 2320 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe | 29 (4 entries)
  PID 1212 wrote to memory of 2568 | 1212 afvit.exe | 33 (4 entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe"
  PID: 2320
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\afvit.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\afvit.exe"
    PID: 1212
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\gokue.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\gokue.exe"
      PID: 2568
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2580
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads