Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 15/03/2024, 21:50
Behavioral task: behavioral1
Sample: 8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
Resource: win7-20240221-en
General
Target: 8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
Size: 999KB
MD5: 804524de8c35e0f453cfccc83a5f4726
SHA1: 6e476f64aeec26e3cefb02ed46d0cbbd6a48a60d
SHA256: 8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61
SHA512: 8c8549ee9e55bf4da6e8250c9fd5ae8cd92e0eee4a8ee1a7282360c8c9dc5e20beb8ce875581dd3246e7e017d9676054d53b962f03a91050977d16c55edb0ac3
SSDEEP: 24576:1ydHl4Vi6qm7Aa1UaW7J5RzkF2o5x6RrAyB:wl4Viw7zUTNQF2o6xB
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  1668  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1284  jupuh.exe
  2956  asviz.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2352  8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
  2352  8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
  1284  jupuh.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2352  8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
  1284  jupuh.exe
  2956  asviz.exe   (this entry repeats for all remaining IoCs; 64 in total)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2352 wrote to memory of 1284   2352  8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe     28   (4 identical entries)
  PID 2352 wrote to memory of 1668   2352  8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe     29   (4 identical entries)
  PID 1284 wrote to memory of 2956   1284  jupuh.exe                                                                 33   (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2352

   2. C:\Users\Admin\AppData\Local\Temp\jupuh.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jupuh.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1284

      3. C:\Users\Admin\AppData\Local\Temp\asviz.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\asviz.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         PID: 2956

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      - Deletes itself
      PID: 1668
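The process tree above shows two behaviours worth turning into a host-side check: the sample launches executables it dropped beside itself in the Temp directory (jupuh.exe, which in turn launches asviz.exe), and it spawns cmd.exe /c on a batch file in that same directory, which is the mechanism the report labels "Deletes itself". The following is an added example, not part of the sandbox report or the sandbox's own signature code: it reconstructs parent/child relationships from process-creation events and flags both patterns. The event records are constructed from the report's process tree (PIDs 2352, 1284, 2956 and 1668); the field layout loosely mimics a Sysmon Event ID 1 record but is an assumption of this example, and the Temp path is taken from the report.

```python
# Added example, not part of the sandbox report. Flags two behaviours the
# report records for this sample:
#   1. a process in %TEMP% launching another EXE from %TEMP% (dropped-EXE chain)
#   2. a process spawning "cmd /c <batch>" where the batch lives in the
#      process's own directory (the self-delete pattern behind "Deletes itself")
# Event records are constructed from the report's process tree; the record
# layout is an assumption of this example, not a real log format.
import ntpath
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"   # taken from the report's process tree


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report: PID, parent PID, image path, command line.
EVENTS = [
    ProcEvent(2352, 0,
              TEMP + r"\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe",
              '"' + TEMP + r'\8f62e85b6234086b2d8cdeff2eaaec891602d777d946a64c35f0a8831a4cbc61.exe"'),
    ProcEvent(1284, 2352, TEMP + r"\jupuh.exe", '"' + TEMP + r'\jupuh.exe"'),
    ProcEvent(2956, 1284, TEMP + r"\asviz.exe", '"' + TEMP + r'\asviz.exe"'),
    ProcEvent(1668, 2352, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + TEMP + r'\_sannuy.bat" "'),
]

# Matches a drive-rooted .bat/.cmd path inside a cmd.exe command line,
# tolerating the doubled quotes seen in the report's cmd /c invocation.
BATCH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:bat|cmd))"?', re.IGNORECASE)


def _same_dir(a: str, b: str) -> bool:
    """Case-insensitive comparison of the directories of two Windows paths."""
    return ntpath.normcase(ntpath.dirname(a)) == ntpath.normcase(ntpath.dirname(b))


def _in_temp(path: str) -> bool:
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(TEMP)


def find_dropped_exe_execution(events):
    """Return (parent_pid, child_pid, child_image_name) for every child whose
    image lives in TEMP and whose parent also lives in TEMP but is a different
    file: the parent wrote an executable next to itself and ran it."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (_in_temp(e.image) and _in_temp(parent.image)
                and ntpath.normcase(e.image) != ntpath.normcase(parent.image)):
            hits.append((parent.pid, e.pid, ntpath.basename(e.image)))
    return hits


def find_self_delete_via_batch(events):
    """Return (parent_pid, batch_path) when a process spawns cmd.exe /c on a
    batch file that sits in the parent's own image directory. This is the
    observable side of the report's 'Deletes itself' signature; the sandbox
    additionally confirms the file is gone, which process events alone cannot."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        if " /c " not in e.cmdline.lower():
            continue
        m = BATCH_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and _same_dir(m.group(1), parent.image):
            hits.append((parent.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    for parent, child, name in find_dropped_exe_execution(EVENTS):
        print(f"dropped EXE executed: {parent} -> {child} ({name})")
    for parent, batch in find_self_delete_via_batch(EVENTS):
        print(f"self-delete batch spawned by {parent}: {batch}")
```

Both checks key on directory relationships rather than on the random file names (jupuh.exe, asviz.exe, _sannuy.bat), which a repacked sample would change; the hashes listed under Downloads are the right place for exact-match indicators.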
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: d73c5099a0625ad707388d0850968dd4
SHA1: 51dab7198c7c6487dd6c1f25f9cec58119bab9a7
SHA256: 37b41dbd3c89e1d7b2828743bfac4cce87916cf671c59040cc5b7bc0ad4360bc
SHA512: 578b5b256ffac7474f36317531f8f445db18c517630df93f8048bbeabee5d17199c958978c03ba40124e86416fc75bb7c64729fa75e99bc4293909742148331d

Filesize: 512B
MD5: 65ffcfe14c2197009096dde8ef1b7bf8
SHA1: 450ee07aeb7e07cbac9f3a055daffd9fe2617d8f
SHA256: c1c8fea3376b863bed0475312e6ce3773763a7280e1a2774b18fab0f2ac74b20
SHA512: e5cedfca0bf2b84bef16ec07ef493bfd3ed8641dab161236f1ca06c7016f48ae4067834fd172c6bdbb042d8f0c60db6d260a41f9e9e39b24ac1dd96832bc4417

Filesize: 999KB
MD5: 95f2aafdc82e249caf03f40cf509e195
SHA1: 514f80394835f024b39cb8d1b92a0e65613f2f13
SHA256: d622ce586a756635c9cddd2b2bfa10f7c6b2e8d0252b8d61330aeb6959dd7ef1
SHA512: dff8af6b7d272fd2b4c192d16c6db376c507a936a825555e1a0b9d39a50410a286fbd4b26b0f6989de0eca1c8f9b9e2e8c694c3e2c72fdf9c38a1774e5fefe81

Filesize: 416KB
MD5: 69fc2f4e2135569db4ab676e199c1a5b
SHA1: 7c659c36ac9b7e3eff0684af7c103c40f0bb9c3d
SHA256: 9da9fddf021fbb41c494df08024cb8b5810b1d508f0f38de6b3c0575a1065f33
SHA512: c739ffbe92a722eb6e0365dcf75bd396313974ac2c6b74e609cfdb89bccd1ec7c119cc864c6347589125ff69aba5fa2fb7c15181de6aa5a0549d31df3d3f8038