Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 11/03/2024, 11:20
Behavioral task: behavioral1
Sample: c076766fce89bbd06b0a57633dd0863b.exe
Resource: win7-20231129-en
General
Target: c076766fce89bbd06b0a57633dd0863b.exe
Size: 536KB
MD5: c076766fce89bbd06b0a57633dd0863b
SHA1: 5b3bfe3bf94dacaefb932098c787f55fdb421cd9
SHA256: 1a14dfc79b002101f64dda982c6ac8a8697fb4f88df8871b0ba7f44fbc7309dd
SHA512: cc1bda7983ebf5827f030d67bb6ce06d6bfc34e347f54a60785e7ffc75f34ce9520c219d30eb6cbe41178ac37a9eedb37e44724c9ea4296210beec8c0e2f93ff
SSDEEP: 12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPT:q0P/k4lb2wKatT
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
Deletes itself (1 IoC)
  pid 3028 cmd.exe
Executes dropped EXE (2 IoCs)
  pid 2176 zeikk.exe
  pid 2020 onotc.exe
Loads dropped DLL (2 IoCs)
  pid 1540 c076766fce89bbd06b0a57633dd0863b.exe
  pid 2176 zeikk.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 2020 onotc.exe (all 54 entries are from this one process)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1540 (c076766fce89bbd06b0a57633dd0863b.exe) wrote to memory of 2176, procid_target 28 (4 entries)
  PID 1540 (c076766fce89bbd06b0a57633dd0863b.exe) wrote to memory of 3028, procid_target 29 (4 entries)
  PID 2176 (zeikk.exe) wrote to memory of 2020, procid_target 33 (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c076766fce89bbd06b0a57633dd0863b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c076766fce89bbd06b0a57633dd0863b.exe"
  PID: 1540
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\zeikk.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zeikk.exe"
    PID: 2176
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\onotc.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\onotc.exe"
      PID: 2020
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 3028
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276B
MD5: fb984991ea81f8ce3046df1b4b34c929
SHA1: 50db6a8405a5a6e6aa16fa47bab8dacd284884dc
SHA256: e7dc351791c947a541cdcfe4cbbdbae0813c63adc94e55728dcf5a8197e3eb3a
SHA512: 0a6d04128b955a77eb3e76cd25e1ab444275cd49352c1d0107aecdaa559163c0b3ad3f28d78a544d89f065f18693d730221b7790566087297639a288f3475e2a

Filesize: 512B
MD5: e049efa30b46093c9ea69ed704374c12
SHA1: 7309083e482ac5d929c61a653838e6444f4b6aba
SHA256: d847558798c58082efd7391834eeb555a837fabf81fc39e992cef0321cf89a04
SHA512: a2321c59e4453b2eca6fcf64db3ec1567ccbd5e2a489c8bcaa75e35c6060fe714b3cf5d29b4ddc437a724394d9d36964c9b86b686fc16f02a9d375996bb7ee50

Filesize: 236KB
MD5: b6dda6335ede00f6b2b7eba380c3c6e3
SHA1: 95ee8bc6c933ed804c44636e7f6c3c365d7022ad
SHA256: f695214702fe04f0fadfbcbcb2d93514adb41b823c848c96d85d07c2160da55c
SHA512: 6a97284868e74697291cfaa59748621486fd0be75119b93a29b2ffaa56935333fc2f03056f728b2d714c40074e591ef4cdd52224e9050251380755dff1302012

Filesize: 536KB
MD5: 9a8c6f6333c71af89afb3e91506158f4
SHA1: 41e88890d1879edb87690a4a2f22de81dc5ec8e2
SHA256: c2c6cbe242637f111c352290537d3d2db2de42bb3869d05a02d21b16ebaf1a1d
SHA512: fd217ab9a5c2d0c40e2ad805ebdcd0391e088fbefb2d3f592ed95e6086930250af19e2626b9ac30114e6a9c8c57951039ad953062bf2c5397b71f287df41f981