Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 01:23
Behavioral task behavioral1: sample e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe, resource win7-20240220-en
Behavioral task behavioral2: sample e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe, resource win10v2004-20240226-en
The signatures, process tree and dropped files below come from the windows7_x64 run (behavioral1); the win10v2004 run is not shown on this page.
General
Target: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
Size: 368KB
MD5: 5865754070c52488a9d6a4d6bbc1aa8f
SHA1: 4981a3119b99a5c7f415cb7e1376b73f4b42e2c1
SHA256: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83
SHA512: e4c98eb29093dde36532baad3056e4089501975351ed9289a78da6b01f9b0182484b20a3e560dec07115fec8a20f37e90d85a3ee13d65c0436836a2f10f4e4bb
SSDEEP: 6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pih:CzGL2C2aZ2/F1WHHUaveOHjTeh
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2792  cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2192  feorw.exe
  pid 348   awdio.exe
Loads dropped DLL (3 IoCs)
  pid 1740  e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
  pid 2192  feorw.exe (2 events)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 348  awdio.exe (54 events)
Suspicious use of WriteProcessMemory (12 IoCs)
  writer pid  writer process                                                          target pid  target process  procid_target  events
  1740        e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe   2192        feorw.exe       28             4
  1740        e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe   2792        cmd.exe         29             4
  2192        feorw.exe                                                               348         awdio.exe       33             4
  Every write target is the writer's direct child in the process tree below; no write targets a process outside the sample's own chain, so these hits line up with process creation rather than with injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe  (PID 1740)
   command line: "C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe"
   Loads dropped DLL; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\feorw.exe  (PID 2192)
      command line: "C:\Users\Admin\AppData\Local\Temp\feorw.exe"
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\awdio.exe  (PID 348)
         command line: "C:\Users\Admin\AppData\Local\Temp\awdio.exe"
         Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe  (PID 2792)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      Deletes itself
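The process tree above is the page's evidence for the chain: the sample in Temp launches a second Temp-resident executable (feorw.exe), which launches a third (awdio.exe), while the sample also hands a batch file in Temp to cmd.exe to remove itself. As an added example, not part of the sandbox report, the Python below transcribes the PIDs, image paths and command lines into records and applies three checks a responder would script over any process log: Temp-to-Temp executable launches, a cmd.exe /c *.bat self-delete stub spawned from Temp, and whether every WriteProcessMemory target is the writer's direct child. The process records, the event list and the Temp prefix are constructed from the report; the function names are mine.

```python
"""Apply three responder checks to the process tree shown in the sandbox report.

Added example, not part of the report: the process records and the
WriteProcessMemory events below are transcribed from the report's
"Processes" and "Signatures" sections; the helper names are the author's.
"""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Lower-cased prefix of the sandbox user's %TEMP%, taken from the report's paths.
TEMP_PREFIX = "c:\\users\\admin\\appdata\\local\\temp\\"

# Constructed from the "Processes" section: (pid, parent pid, image path, command line).
SAMPLE = "e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe"
PROCESSES = [
    Proc(1740, None, f"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}",
         f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    Proc(2192, 1740, "C:\\Users\\Admin\\AppData\\Local\\Temp\\feorw.exe",
         '"C:\\Users\\Admin\\AppData\\Local\\Temp\\feorw.exe"'),
    Proc(348, 2192, "C:\\Users\\Admin\\AppData\\Local\\Temp\\awdio.exe",
         '"C:\\Users\\Admin\\AppData\\Local\\Temp\\awdio.exe"'),
    Proc(2792, 1740, "C:\\Windows\\SysWOW64\\cmd.exe",
         'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\_uinsey.bat" "'),
]

# Constructed from the "Suspicious use of WriteProcessMemory" rows: (writer pid, target pid), one per row.
WPM_EVENTS = [(1740, 2192)] * 4 + [(1740, 2792)] * 4 + [(2192, 348)] * 4

# cmd /c "<path>.bat" with any number of surrounding quotes, as the report shows it.
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[^"]+\.bat)"*', re.IGNORECASE)


def in_temp(path):
    """True when the path sits under the sandbox user's Temp directory."""
    return path.lower().startswith(TEMP_PREFIX)


def dropped_exe_chains(procs):
    """(parent pid, child pid) pairs where a Temp-resident executable launched another one."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is not None and in_temp(parent.image) and in_temp(p.image):
            out.append((parent.pid, p.pid))
    return out


def batch_self_delete_candidates(procs):
    """(cmd pid, batch path) for cmd.exe /c <Temp>\\*.bat launched by a Temp-resident executable.

    A dropper cannot unlink its own running image, so it hands the job to a
    batch file; this is the pattern behind the report's "Deletes itself" hit.
    """
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and in_temp(m.group("bat")) and parent is not None and in_temp(parent.image):
            out.append((p.pid, m.group("bat")))
    return out


def writes_outside_tree(events, procs):
    """WriteProcessMemory events whose target is not the writer's direct child.

    An empty result means every write lines up with a parent->child edge, so
    the writes coincide with process creation; a non-empty result names a
    target the writer did not spawn, which is worth a closer look.
    """
    edges = {(p.ppid, p.pid) for p in procs}
    return [(w, t) for w, t in events if (w, t) not in edges]


def render_tree(procs):
    """Indented text rendering of the tree, one process per line, depth-first."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    lines = []

    def walk(ppid, depth):
        for p in children.get(ppid, []):
            lines.append("  " * depth + f"{p.pid} {p.image}")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
    print("Temp-to-Temp launches:", dropped_exe_chains(PROCESSES))
    print("batch self-delete:", batch_self_delete_candidates(PROCESSES))
    print("writes outside tree:", writes_outside_tree(WPM_EVENTS, PROCESSES))
```

On a real host the records would come from Sysmon event ID 1 (process creation) and the write events from event ID 8 or 10, and TEMP_PREFIX would be derived from the logged user's profile rather than the sandbox's "Admin" account; the checks themselves do not change.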
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run; the page lists sizes and hashes only, no paths or names)
File 1
  Filesize: 340B
  MD5: b3f3a09e69a384384dee5a7aab5b1eb9
  SHA1: c824ef2a85127360a79c6f9e05cb17dbe3487482
  SHA256: 0096b4fb55ac09fbad09fe5de526ebd1eee8fc9a93d42d78c7e75e1fadc846ce
  SHA512: 6c65782abbef3f0034dc1d7c2f6d79597a8fa502dcda529e4c4811770a677a72c02c561643045af92a3570c5f2a89c33da94c70e562998e82eb708285defdda7
File 2
  Filesize: 512B
  MD5: 11025d3ee0e292dcc6b9635c688b1e84
  SHA1: 6523501aedef0956ea3ebb77b743a054b380443f
  SHA256: f765ba0311a3a07705238be8e94a7f782b82cd2b986134a4e84c8ef0bdcbfe44
  SHA512: aeb4266f6f99d44944d13f58670be19c02e1d5e8fa26a335d6b5c068e555fdad453258e5208fcdc654213a7ca23d1b9ffa6f9a2e371d46f206a366614ee8492b
File 3
  Filesize: 303KB
  MD5: 80122baeb27b1b184b7d83f040dfe3c1
  SHA1: 5f22f47907188bff50185e9c4d64311c5f06cf98
  SHA256: b345558ba27baa6e91b2d030160acbd3886e6ae5d8954a597f23986fe293847d
  SHA512: 8305f96e2231b8f14fcbc90d4162d0b0822f3dacf8fad3b2a6b6e8ae4e58bf90d9e526a059c484fc4d293ccb2fc4147a9ef04d801662004e3b7714eb3071a50f
File 4
  Filesize: 368KB (same size as the submitted sample, but a different hash)
  MD5: 065b727f2141881b1e93946fc3f50539
  SHA1: eae211b112a0f64718885e4a1222413e7be0cbfa
  SHA256: c7d31cacc05532ab36c6754a2d333500022d0cb1f2316223ebfc084dc5718c64
  SHA512: 98ba68cfd71fdf39ecd958864c3a2640c4dbe8d48d88f79a14e30cf4ab11b13804f7b8b21c56d772af4e29b249d8d6bc1e66400c97bad4cd6abf1d25021bc785