Analysis
max time kernel: 155s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 10/03/2024, 22:23
Static task: static1
Behavioral task: behavioral1
Sample: 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
Resource: win7-20240221-en
General
Target: 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
Size: 334KB
MD5: f520c018ae79683da76d189c76bda553
SHA1: ec4334a04befb29467285e5e443ef284c6535fca
SHA256: 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a
SHA512: acc50cfaa6c185007381d9e32a8ee8d9a6100f378784499eea9a3d5bde9c398e0e67c683ec482abef3b2cc30e0adc54a0a69e1a906d2fcb84bb6e87a16f4484b
SSDEEP: 6144:DX+psoWJ+IvLI7BziS3qoJGd2Gegu8JKSFGbJ+7+3LdfoPZmxMcVp0XFGK:ymoWkI094og2GXfJKnbkS3LdAPZki1N
Malware Config
Extracted: urelas
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.31.165
Signatures
Deletes itself (1 IoCs)
  pid 2660  Process cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2288  Process nygei.exe
  pid 1968  Process quzip.exe
Loads dropped DLL (2 IoCs)
  pid 2228  Process 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
  pid 2288  Process nygei.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (52 IoCs)
  pid 1968  Process quzip.exe  (52 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2228 wrote to memory of 2288     2228  79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe  27  (4 identical entries)
  PID 2228 wrote to memory of 2660     2228  79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe  28  (4 identical entries)
  PID 2288 wrote to memory of 1968     2288  nygei.exe                                                                32  (4 identical entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2228
    [2] C:\Users\Admin\AppData\Local\Temp\nygei.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nygei.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2288
        [3] C:\Users\Admin\AppData\Local\Temp\quzip.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\quzip.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 1968
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        - Deletes itself
        PID: 2660
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: b578d81e6d8a659877eec06c889f404d
SHA1: 0aaa73802f52d360dab41648e193e1ae018800e6
SHA256: ceee0e409d840995b1dad0b8672930433b60c91755ae2eccc384a718e3d67acb
SHA512: 24d03f93441094c6e0aa72135af914b1c7492009670679c71e0d38659fbcf048ad5a995ce0c1987d333627268cba43415cd526e8d3d3b459693949b9bf12c329

Filesize: 512B
MD5: d8820b97004f80843d137983ddd1a598
SHA1: 34caaa0f9f21b6362aab17aa95c64f06a7e9870c
SHA256: d601b0ec48a7585ab76c89cabb6512817048af8795c02d7c4c52da9f6b104309
SHA512: 4492f56c2fdce91b53670307193966c003167eeaf71ac56cf019c4626d43779c23405cccf9041f1dc91173695a78c15a7834d0f0082ea4302e6017c56ac65f52

Filesize: 334KB
MD5: 43d3e90a93c04d31fb52ee433b440fbf
SHA1: 75f06bf883297c31f8e487246206d093b7497093
SHA256: cf2efedccaf37742f77209e3ffbd04f49cd14298246ee3c0cb660cfd711a96f1
SHA512: 9f64d26db25d6137ce7516d422ffc3db3ff8de30bcbef7c54874282afa3d929751d74cc0cef333ae01b6714755320d4d6386b856bd578d9b5a4a28e1fc8857b8

Filesize: 176KB
MD5: 06324984245bdd928b5b45c50aaa235e
SHA1: a0fc9c9e65624c4e6deadd773edfef5b21cb1234
SHA256: e9c7214c2cc7e5d7ca95fa670c9ddadc4043ee7f72e69b135d66bd8d838cf7f1
SHA512: 4af47427e80d3a12692f74c314df585df260495ffca619402f2eb63b1fc83f7a296de041835a9a84e7e1a870882ffc003d1a198993d653719e58fe811ea2987f