Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 00:07
Behavioral task: behavioral1
Sample: b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
Resource: win7-20240221-en
General
Target: b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
Size: 470KB
MD5: 4a5298ea39ded905fee91d92f993e5a8
SHA1: ea62984293b5717220f54f19269cfd856d481cbf
SHA256: b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263
SHA512: b57e3b8a759bd62a0462bde84659441b64db7c3a12e08a9b5f6363ea3f855c2a9dec2a5dea221a27230523d54e4b216894bc4b77c756f8a6326b1e1a4870e978
SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6mwrxcvkzmSOphmYHa:PMpASIcWYx2U6kQnaHa
Malware Config
Extracted: urelas
    218.54.31.165
    218.54.31.226
Signatures

Deletes itself (1 IoC)
    pid     Process
    2840    cmd.exe

Executes dropped EXE (3 IoCs)
    pid     Process
    1636    viofi.exe
    2544    fuhipo.exe
    1084    mezop.exe

Loads dropped DLL (8 IoCs)
    pid     Process
    2972    b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
    1636    viofi.exe
    2544    fuhipo.exe
    2544    fuhipo.exe
    2336    WerFault.exe
    2336    WerFault.exe
    2336    WerFault.exe
    2336    WerFault.exe

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
    pid     pid_target    Process         procid_target
    2336    1084          WerFault.exe    34

Suspicious use of WriteProcessMemory (24 IoCs)
Each of the following six events is recorded four times in the report (24 entries in total):
    description                         pid     Process                                                                    procid_target
    PID 2972 wrote to memory of 1636    2972    b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe    28
    PID 2972 wrote to memory of 2840    2972    b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe    29
    PID 1636 wrote to memory of 2544    1636    viofi.exe                                                                  31
    PID 2544 wrote to memory of 1084    2544    fuhipo.exe                                                                 34
    PID 1084 wrote to memory of 2336    1084    mezop.exe                                                                  35
    PID 2544 wrote to memory of 628     2544    fuhipo.exe                                                                 36
Processes (tree; the number before each entry is its depth in the process tree)

1  C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"
   PID: 2972
   Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\viofi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\viofi.exe" hi
      PID: 1636
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\fuhipo.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\fuhipo.exe" OK
         PID: 2544
         Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\AppData\Local\Temp\mezop.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\mezop.exe"
            PID: 1084
            Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 36
               PID: 2336
               Signatures: Loads dropped DLL; Program crash

         4  C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 628

   2  C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 2840
      Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 224B
Filesize: 340B
Filesize: 470KB
Filesize: 512B
Filesize: 192KB
Filesize: 128KB
Filesize: 223KB
Filesize: 207KB
Filesize: 470KB