Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 01:41
Behavioral task: behavioral1
Sample: eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
Resource: win7-20240221-en
General
Target: eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
Size: 373KB
MD5: 55eda1ca8ed336f54e1d9846abece7ec
SHA1: 7510064da4f0992ce1a8f0a7e3ad95d46512a559
SHA256: eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748
SHA512: 02ad56ebe494a76ba75a214e680e9ad9eeba46fd84da938b96d4c352ead751ece83d5ceb64fe333660d0818c5035c99c0336bad04cd274d831bfde753ab9990b
SSDEEP: 6144:LlwArTEDSCs5wL0q/mdwoJgugiIX9Ghal1qU/YagPOl6xVrprI3F:LKmQDSCs5woMmd9axVNG4qugPO+V8
Malware Config
Extracted family: urelas
Extracted addresses:
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

UPX dump on OEP (original entry point) - 7 IoCs
resource (yara_rule UPX):
behavioral1/memory/1964-0-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/files/0x000d00000001232c-4.dat
behavioral1/memory/2892-10-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/memory/1964-18-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/memory/2892-21-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/memory/2892-28-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/files/0x000e00000001232c-32.dat

Deletes itself - 1 IoC
pid / Process: 2616 cmd.exe

Executes dropped EXE - 2 IoCs
pid / Process: 2892 colim.exe; 2332 ivhie.exe

Loads dropped DLL - 2 IoCs
pid / Process: 1964 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe; 2892 colim.exe

Additional matches, resource (yara_rule upx):
behavioral1/memory/1964-0-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/files/0x000d00000001232c-4.dat
behavioral1/memory/2892-10-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/memory/1964-18-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/memory/2892-21-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/memory/2892-28-0x0000000000400000-0x000000000045E000-memory.dmp
behavioral1/files/0x000e00000001232c-32.dat

Enumerates physical storage devices - 1 TTP
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses - 54 IoCs
pid / Process: 2332 ivhie.exe (the same entry repeated 54 times)

Suspicious use of WriteProcessMemory - 12 IoCs
PID   wrote to memory of   source Process                                                                 procid_target
1964  2892                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          28
1964  2892                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          28
1964  2892                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          28
1964  2892                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          28
1964  2616                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          29
1964  2616                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          29
1964  2616                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          29
1964  2616                 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe          29
2892  2332                 colim.exe                                                                      33
2892  2332                 colim.exe                                                                      33
2892  2332                 colim.exe                                                                      33
2892  2332                 colim.exe                                                                      33
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe"
  PID: 1964
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\colim.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\colim.exe"
      PID: 2892
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ivhie.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\ivhie.exe"
          PID: 2332
          signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2616
      signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads