Analysis

max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 01:02
Static task: static1
Behavioral task: behavioral1
Sample: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
Resource: win7-20240221-en
General

Target: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
Size: 339KB
MD5: 9458e8269e981283386b04277dc91776
SHA1: 512499b1a5884ec2b32074f9fde4683c6eb6f0e7
SHA256: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968
SHA512: f6f9eb7d66f0ab8d358d5217651ec9fa984b6fc40d5f1e210656c8cb1e71d51a40ba400f2aeaa04b0af24d75be8539dfb9d604bceb4633626d8e35a9148b1047
SSDEEP: 6144:i5tYTzqklVw910CIWrC9foCChVN6XCLWk6aMWgziMV1AXj16NYuLDuUcOibi5EBb:iUPTCBC9A/VIXCCkMWguMcj0vbd5E0/Y
Malware Config

Extracted
Family: urelas
C2:
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.31.165
Signatures

Deletes itself (1 IoC)
  pid   Process
  2992  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2956  zujid.exe
  2620  foykn.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2320  d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
  2956  zujid.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid   Process
  2620  foykn.exe   (all 54 entries are this process)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2320 wrote to memory of 2956   2320  d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe   28   (4 entries)
  PID 2320 wrote to memory of 2992   2320  d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe   29   (4 entries)
  PID 2956 wrote to memory of 2620   2956  zujid.exe                                                               33   (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe"
   PID: 2320
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\zujid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zujid.exe"
      PID: 2956
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\foykn.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\foykn.exe"
         PID: 2620
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2992
      - Deletes itself
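The indicators above (sample and dropped-file hashes, the extracted urelas addresses, and the process tree in which a %TEMP% executable spawns further %TEMP% executables and a cmd /c run of a %TEMP% batch file that removes the original) can be turned into a hunting check. The script below is an added example, not part of the sandbox report or of any tool the report was produced by. It assumes JSON-lines telemetry with ProcessCreate and NetworkConnect records carrying the field names shown (pid, image, parent_image, cmdline, sha256, dst_ip); the constructed log mirrors the report's PIDs and paths, while the two placeholder hashes and the single network record are invented, since the report does not tie a hash to each dropped EXE and shows no network activity. The behavioural rules matter because the 339KB dropped file already differs from the sample by hash, so hash matching alone is brittle.

```python
"""Match the report's IoCs and behaviours against JSON-lines process/network telemetry."""
import json
import re
from typing import Iterable, List, Tuple

# Hashes and C2 addresses copied from the report above.
KNOWN_SHA256 = {
    "d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968",  # submitted sample
    "b22e662c1c296d931f19485fd93ded1f4844b5c85a8910f94f565c5a95e936b7",  # 339KB dropped file
    "9b00b16c3d95336feea37dd3c7f2cd2fb171839a97d6eacd617a58df26de7ee8",  # 226KB dropped file
}
URELAS_C2 = {"1.234.83.146", "133.242.129.155", "218.54.31.226", "218.54.31.165"}

# Behavioural patterns taken from the process tree: executables living directly in the
# user's %TEMP%, and cmd /c "...\<name>.bat" run from such an executable (the self-delete).
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
TEMP_BAT_CMD = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\appdata\\local\\temp\\[^"\\]+\.bat"', re.I)


def record(**fields) -> str:
    """Serialise one telemetry record as a JSON line (the input format this example assumes)."""
    return json.dumps(fields)


def match_events(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for every record that hits an indicator or a behavioural pattern."""
    hits: List[Tuple[str, int]] = []
    for line in lines:
        ev = json.loads(line)
        pid = int(ev.get("pid", -1))
        if str(ev.get("sha256", "")).lower() in KNOWN_SHA256:
            hits.append(("known_hash", pid))
        if ev.get("event") == "NetworkConnect" and ev.get("dst_ip") in URELAS_C2:
            hits.append(("urelas_c2", pid))
        if ev.get("event") == "ProcessCreate":
            image, parent = ev.get("image", ""), ev.get("parent_image", "")
            # dropped EXE spawning another dropped EXE (the zujid.exe -> foykn.exe step)
            if TEMP_EXE.match(image) and TEMP_EXE.match(parent):
                hits.append(("temp_exe_chain", pid))
            # cmd.exe launched by a %TEMP% EXE to run a %TEMP% batch file (the _uinsey.bat step)
            if (image.lower().endswith("\\cmd.exe") and TEMP_EXE.match(parent)
                    and TEMP_BAT_CMD.search(ev.get("cmdline", ""))):
                hits.append(("self_delete_bat", pid))
    return hits


def suspicious_pids(lines: Iterable[str]) -> List[int]:
    """Distinct PIDs with at least one finding, sorted, as a quick triage list."""
    return sorted({pid for _, pid in match_events(lines)})


# Constructed telemetry mirroring the report's process tree. PIDs, paths and the C2 address
# come from the report; the "11"/"22"/"33" hashes and the NetworkConnect record are invented.
_TEMP = r"C:\Users\Admin\AppData\Local\Temp"
_SAMPLE = _TEMP + r"\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe"
CONSTRUCTED_LOG = [
    record(event="ProcessCreate", pid=2320, image=_SAMPLE, parent_image=r"C:\Windows\explorer.exe",
           cmdline=f'"{_SAMPLE}"',
           sha256="d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968"),
    record(event="ProcessCreate", pid=2956, image=_TEMP + r"\zujid.exe", parent_image=_SAMPLE,
           cmdline=f'"{_TEMP}\\zujid.exe"', sha256="11" * 32),
    record(event="ProcessCreate", pid=2992, image=r"C:\Windows\SysWOW64\cmd.exe", parent_image=_SAMPLE,
           cmdline=f'cmd /c ""{_TEMP}\\_uinsey.bat" "'),
    record(event="ProcessCreate", pid=2620, image=_TEMP + r"\foykn.exe", parent_image=_TEMP + r"\zujid.exe",
           cmdline=f'"{_TEMP}\\foykn.exe"', sha256="22" * 32),
    record(event="NetworkConnect", pid=2620, image=_TEMP + r"\foykn.exe", dst_ip="218.54.31.226", dst_port=80),
    record(event="ProcessCreate", pid=4000, image=r"C:\Windows\System32\notepad.exe",
           parent_image=r"C:\Windows\explorer.exe", cmdline="notepad.exe", sha256="33" * 32),
]

if __name__ == "__main__":
    for rule, pid in match_events(CONSTRUCTED_LOG):
        print(f"{rule:16s} pid={pid}")
```

On the constructed log this yields one known_hash finding for the sample, temp_exe_chain for zujid.exe and foykn.exe, self_delete_bat for the cmd.exe instance, and urelas_c2 for the invented connection; the benign notepad.exe record produces nothing. A cmd /c of a %TEMP% batch file started from explorer.exe is deliberately not flagged, since installers do that legitimately; the parent-in-%TEMP% condition is what ties the rule to the behaviour seen here.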
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 6c989d40332ecbec37ef36c1ebb87052
SHA1: ad28ab74a59dcf6480d984813775f1bdb93d2bd6
SHA256: 807ae5e7038f6247122ddbb681e8fac69cb6f0816dda032631be396024a06769
SHA512: f53a4facda108a72db41daedd14a78655810d65445c14dbb2f869980728e6fd358c822eb73ef6bb22da16baf360d5223c78b80f4f5c40d80756a27a980e45f20

Filesize: 512B
MD5: b72b4dd03476bb02f216c46f061048cd
SHA1: 8098dcd2c40f7a95cba34ed97411617a9b9c5ff4
SHA256: 64c49a903fba8d28b68f95717b1b7f834d7060550aae38db07992d2e9ebc8aa7
SHA512: 14e8e50b441db0260c0f0491838df418b72682c11cda1f68b7dcbbca4a76f7dee5b16f2dbf2bd713ea37a5034ca69f9b75a47b648e39205333a52d89399b9514

Filesize: 226KB
MD5: 36ba7820d561cfc5ad273c7f0dc33488
SHA1: 285ff766188a294aca60630e7043ae89726b5e28
SHA256: 9b00b16c3d95336feea37dd3c7f2cd2fb171839a97d6eacd617a58df26de7ee8
SHA512: 5f0f078c1000f760464a0691d15fc0ef99df3023a52dbd06203011f29ba98e26a30c7719eac110ec2658ff2c96dafe08e3867d11e62eafe83afbf969d80bd8c3

Filesize: 339KB
MD5: 99dbeccf5824dcb7eab1f37a4542dd9c
SHA1: eca512937bbefdc6dadf0d8d360edc884134a7fe
SHA256: b22e662c1c296d931f19485fd93ded1f4844b5c85a8910f94f565c5a95e936b7
SHA512: b42dd0f445d05d206f78977152b6724c0df9ff1152f1929aabd5768c352bb4d3a90aa125cb9dc827bc6a53f9d5cc74b3f84be112b16165a6dc6c749286013da8