Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 11/03/2024, 01:25
Behavioral task
- behavioral1
- Sample: bf7a5db5b56489321d405dccc39b0f58.exe
- Resource: win7-20231129-en
General
- Target: bf7a5db5b56489321d405dccc39b0f58.exe
- Size: 465KB
- MD5: bf7a5db5b56489321d405dccc39b0f58
- SHA1: 76c90577e132541b4f53928d04bf7fa10b508699
- SHA256: 2360ff4b08c781ca8bad30e528d943ad791611cc26a9df276043423b0566ad5e
- SHA512: de132c95ab1a31e84e32ec0626a500142609a9dd4fdf7b333dd156dbfa0b623f9a39f500df604ffd6a23e498eeafa2013f63dd695bb11f986fdff79cdefbf128
- SSDEEP: 12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uo:m6tQCG0UUPzEkTn4AC1+7
Malware Config
- Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.30.235
Signatures
- Deletes itself (1 IoC)
  pid / Process: 2560 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid / Process: 2976 bekii.exe; 2736 teqyi.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 2548 bf7a5db5b56489321d405dccc39b0f58.exe; 2976 bekii.exe
- resource / yara_rule (upx):
  behavioral1/memory/2736-28-0x0000000000400000-0x000000000049F000-memory.dmp
  behavioral1/files/0x0006000000005a59-26.dat
  behavioral1/files/0x0006000000005a59-23.dat
  behavioral1/memory/2736-30-0x0000000000400000-0x000000000049F000-memory.dmp
  behavioral1/memory/2736-31-0x0000000000400000-0x000000000049F000-memory.dmp
  behavioral1/memory/2736-32-0x0000000000400000-0x000000000049F000-memory.dmp
  behavioral1/memory/2736-33-0x0000000000400000-0x000000000049F000-memory.dmp
  behavioral1/memory/2736-34-0x0000000000400000-0x000000000049F000-memory.dmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid / Process: 2736 teqyi.exe (the same entry is repeated 54 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target:
  PID 2548 wrote to memory of 2976; 2548 bf7a5db5b56489321d405dccc39b0f58.exe; 28 (4 identical entries)
  PID 2548 wrote to memory of 2560; 2548 bf7a5db5b56489321d405dccc39b0f58.exe; 29 (4 identical entries)
  PID 2976 wrote to memory of 2736; 2976 bekii.exe; 33 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"
   PID: 2548
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\bekii.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bekii.exe"
      PID: 2976
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\teqyi.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\teqyi.exe"
         PID: 2736
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      PID: 2560
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads