Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 05:44
Behavioral task: behavioral1
Sample: bffd92387ce2f42ec3bef3676dc450c5.exe
Resource: win7-20240221-en
General
Target: bffd92387ce2f42ec3bef3676dc450c5.exe
Size: 403KB
MD5: bffd92387ce2f42ec3bef3676dc450c5
SHA1: c084cba4905f8930d67938a4cc939b3e78a18b3a
SHA256: 14f8f5e1845ef3a5e480b4d8eb1d6927cdebb85bb149c7c5f4bab48e913e9004
SHA512: e8a1ae160ccc1bf89aa1987af2f65da25b78737d71b1b5dec6a89ec5598433fb7a51506da44e8d76811a32822f3ca1bd6d5644c8d911749513ecae073a23ad22
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohI:8IfBoDWoyFblU6hAJQnO6
Malware Config
Extracted
Family: urelas
218.54.31.165
218.54.31.226
Signatures
Deletes itself (1 IoC)
  pid 2088  cmd.exe
Executes dropped EXE (3 IoCs)
  pid 2948  jifyi.exe
  pid 2684  juboce.exe
  pid 2496  huiqt.exe
Loads dropped DLL (5 IoCs)
  pid 2920  bffd92387ce2f42ec3bef3676dc450c5.exe (2 events)
  pid 2948  jifyi.exe (2 events)
  pid 2684  juboce.exe (1 event)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 2496  huiqt.exe (55 identical events)
Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process                               procid_target
  PID 2920 wrote to memory of 2948   2920  bffd92387ce2f42ec3bef3676dc450c5.exe  28  (4 events)
  PID 2920 wrote to memory of 2088   2920  bffd92387ce2f42ec3bef3676dc450c5.exe  29  (4 events)
  PID 2948 wrote to memory of 2684   2948  jifyi.exe                             31  (4 events)
  PID 2684 wrote to memory of 2496   2684  juboce.exe                            34  (4 events)
  PID 2684 wrote to memory of 2652   2684  juboce.exe                            35  (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe"
  PID: 2920
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\jifyi.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\jifyi.exe" hi
    PID: 2948
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\juboce.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\juboce.exe" OK
      PID: 2684
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\huiqt.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\huiqt.exe"
        PID: 2496
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2652
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2088
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads