Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 01:50
Behavioral task: behavioral1
Sample: efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
Resource: win7-20240221-en
General
Target: efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
Size: 417KB
MD5: 00724a083da6b4a83fdd91bb2bd99ca9
SHA1: 0d4183c1360bb304ea26dd9b89ebda0d433db1a7
SHA256: efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f
SHA512: 936a64fdcc9e8dc6af1c0b1c9693743d01275c539f074d86bab0b633601bdb591e2c572cb4ce967a974550a232e8defeed74b359dba89b59aa2946c9e4b490b9
SSDEEP: 6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrBw/i1:yIfBoDWoyFboU6hAJQnrMK
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
Deletes itself (1 IoC)
  pid   Process
  2604  cmd.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  3048  kogym.exe
  2220  tohila.exe
  2760  woabo.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  2100  efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
  2100  efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
  3048  kogym.exe
  3048  kogym.exe
  2220  tohila.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid   Process
  2760  woabo.exe  (55 identical entries)
Suspicious use of WriteProcessMemory (20 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 2100 wrote to memory of 3048  2100  efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe  28
  PID 2100 wrote to memory of 2604  2100  efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe  29
  PID 3048 wrote to memory of 2220  3048  kogym.exe                                                                 31
  PID 2220 wrote to memory of 2760  2220  tohila.exe                                                                34
  PID 2220 wrote to memory of 1224  2220  tohila.exe                                                                35
  (each entry appears four times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe"
   PID: 2100
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\kogym.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kogym.exe" hi
      PID: 3048
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tohila.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\tohila.exe" OK
         PID: 2220
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\woabo.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\woabo.exe"
            PID: 2760
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 1224
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 2604
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads