Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10/03/2024, 23:11
Behavioral task: behavioral1
- Sample: 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
- Resource: win7-20240221-en
General
- Target: 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
- Size: 458KB
- MD5: 12291085d34f6891999bb3bb470aaa5b
- SHA1: 5e1eaa82e8ee1e170cd8f51b77aa31acd8cfeefd
- SHA256: 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de
- SHA512: dba1fd5853182300356a0e618331cf69283787491fdb47d78b1ce85dbeff5a5555794dba003a004e4c3824f851c949d9b780ebef5c2277efb15d255e0be59fc1
- SSDEEP: 6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTWHl:CMpASIcWYx2U6hAJQnjF
Malware Config
Extracted
- Family: urelas
- C2: 218.54.31.165
- C2: 218.54.31.226
Signatures
- Deletes itself (1 IoC)
  pid 3040, process cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 1064 nyese.exe; pid 2676 daqyhu.exe; pid 1620 itjil.exe
- Loads dropped DLL (3 IoCs)
  pid 2240 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe; pid 1064 nyese.exe; pid 2676 daqyhu.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 1620, process itjil.exe (all 55 events)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2240 (983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe) wrote to memory of PID 1064, procid_target 28 (4 events)
  PID 2240 (983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe) wrote to memory of PID 3040, procid_target 29 (4 events)
  PID 1064 (nyese.exe) wrote to memory of PID 2676, procid_target 31 (4 events)
  PID 2676 (daqyhu.exe) wrote to memory of PID 1620, procid_target 34 (4 events)
  PID 2676 (daqyhu.exe) wrote to memory of PID 1664, procid_target 35 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe"
  PID: 2240
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nyese.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nyese.exe" hi
    PID: 1064
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\daqyhu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\daqyhu.exe" OK
      PID: 2676
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\itjil.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\itjil.exe"
        PID: 1620
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1664
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 3040
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads