Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 22:09
Behavioral task: behavioral1
Sample: 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
Resource: win7-20240221-en
General
Target: 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
Size: 367KB
MD5: 55e2b28e5b61d0269ad3e4c5c0e05180
SHA1: 9bdeca964f12f062832e82d3d2bf9847a274040a
SHA256: 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36
SHA512: 3218ab53f7391bfc625d074babc05c56c2948f78920793bb25febdfb55c2334edb422e7db52907cdd45891a49130ab6a6ae94d9ea742a3c317d47b41409d9410
SSDEEP: 6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pL:OzGL2C2aZ2/F1WHHUaveOHjT3
Malware Config
Extracted
Family: urelas
C2 addresses (from the extracted configuration):
1.234.83.146
133.242.129.155
218.54.31.165
218.54.31.226
Signatures
Deletes itself (1 IoC)
  PID 2620 cmd.exe
Executes dropped EXE (2 IoCs)
  PID 2836 zybon.exe
  PID 632 mylow.exe
Loads dropped DLL (3 IoCs)
  PID 2364 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
  PID 2836 zybon.exe (2 hits)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  PID 632 mylow.exe (53 hits)
Suspicious use of WriteProcessMemory (12 IoCs)
  writer PID -> target PID (writer process, sandbox procid_target), hits
  2364 -> 2836 (8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe, 28), 4 hits
  2364 -> 2620 (8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe, 29), 4 hits
  2836 -> 632 (zybon.exe, 33), 4 hits
  Every target is the writer's own direct child in the process tree; no writes into unrelated processes were recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
   PID: 2364
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\zybon.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\zybon.exe"
      PID: 2836
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\mylow.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\mylow.exe"
         PID: 632
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2620
      - Deletes itself
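The process tree above is the behaviour a detection engineer would want to match on: a binary running from the user's Temp directory starts a second executable dropped in Temp, that one starts a third, and the original process hands a Temp batch file to cmd.exe to remove itself. The following is an added example, not part of the Triage report or of the sample's code. It replays the tree as constructed Sysmon-style process-creation records (the record layout, the parent PID 1900 of the top-level process and the network flow list are assumptions; PIDs, paths and the C2 addresses are taken from the report) and flags the two patterns, plus contact with any of the extracted C2 addresses.

```python
"""Detection sketch built from the sandbox report (added example).

The record layout, the parent of the sample (PID 1900) and the flow list
are assumptions; PIDs, paths and C2 addresses come from the report."""

import re
from dataclasses import dataclass

# Per-user Temp directory on Windows, matched case-insensitively.
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "cmd /c <batch>" with any amount of quoting around the path.
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)"?', re.I)

# C2 addresses from the report's extracted urelas configuration.
C2_IPS = {"1.234.83.146", "133.242.129.155", "218.54.31.165", "218.54.31.226"}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
SAMPLE_PATH = TEMP + "\\" + SAMPLE
ZYBON = TEMP + r"\zybon.exe"
MYLOW = TEMP + r"\mylow.exe"
BATCH = TEMP + r"\_uinsey.bat"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree. PID 1900 (parent
# of the sample) is an assumption; the report does not show it.
EVENTS = [
    ProcEvent(2364, 1900, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(2836, 2364, ZYBON, '"' + ZYBON + '"'),
    ProcEvent(2620, 2364, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + BATCH + '" "'),
    ProcEvent(632, 2836, MYLOW, '"' + MYLOW + '"'),
]


def _by_pid(events):
    return {e.pid: e for e in events}


def find_dropped_exe_execution(events):
    """(parent_pid, child_pid, child_image) for every .exe in Temp that was
    started by a process whose own image also lives in Temp."""
    parents = _by_pid(events)
    hits = []
    for e in events:
        parent = parents.get(e.ppid)
        if parent is None:
            continue
        if (e.image.lower().endswith(".exe") and TEMP_RE.match(e.image)
                and TEMP_RE.match(parent.image)):
            hits.append((parent.pid, e.pid, e.image))
    return hits


def find_temp_batch_self_delete(events):
    """(cmd_pid, parent_pid, batch_path) where cmd.exe runs a .bat from Temp
    for a parent that itself runs from Temp: the shape of the self-delete
    step in the report. The .bat contents are not on the page, so the batch
    file itself is not inspected here."""
    parents = _by_pid(events)
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(e.cmdline)
        parent = parents.get(e.ppid)
        if (m and parent and TEMP_RE.match(m.group(1))
                and TEMP_RE.match(parent.image)):
            hits.append((e.pid, parent.pid, m.group(1)))
    return hits


def match_c2_destinations(dest_ips):
    """Destination addresses that appear in the extracted configuration."""
    return [ip for ip in dest_ips if ip in C2_IPS]


if __name__ == "__main__":
    for hit in find_dropped_exe_execution(EVENTS):
        print("dropped EXE executed:", hit)
    for hit in find_temp_batch_self_delete(EVENTS):
        print("Temp batch via cmd.exe:", hit)
    # Constructed flow list; only the last address is in the extracted config.
    print("C2 contact:", match_c2_destinations(["8.8.8.8", "218.54.31.165"]))
```

Matching on parent image plus child image under the same Temp directory, rather than on the file names zybon.exe and mylow.exe, is deliberate: the names are per-sample, while the drop-and-execute chain and the Temp batch hand-off are the shape of the behaviour. The C2 list is the only sample-specific indicator the example keeps.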
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 340B
MD5: b652ce937e0c122bd97f3d0ce6dca2cc
SHA1: 9d2d5ae6790eb024997332be1601baebae93d698
SHA256: 079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500
SHA512: 628c2a75afcec7499bc103fc3cec36c9eb9d9e98f8b4c0fff4ca40ee63172fea098ebe7acc72adb3cabfdf941424abb4e98ae4e7db65127e8cc3b6af706438a9
-
Filesize: 512B
MD5: 9616e57dd48c5c3fe324766d21a64cf6
SHA1: 22a7bbdb894d8d555b8a12bb3183f8d5e079f27b
SHA256: 3e96daf233e34a7ae604a68164724ed4ea5571df9f95d847cccf60412008de0d
SHA512: 10e3f663bb908e4bd9c88a83891cd0d1249cbcfd062839105f0dd8d5803107602e178aae9c5e9abbc93297a9762b92f5ad4a9e1f05e0398496b7ab51ae557ebf
-
Filesize: 44KB
MD5: 7bab6a396207ce7ca9a7284e8a4d2ef0
SHA1: de0380e89df31e2ad348bff69773885cfe6e20d6
SHA256: 08e0780631515ce83bc71661e4dfa67d1e82ee83428faf847e6bdb8f8eb56107
SHA512: 89cef161ce1e36ec53607a1cfcd09b30a2d38e07bc69accbace74d2c5516739740ad20363acb68efa0d164f3ae36becbb91b56548188dd5c35a599290c5c8188
-
Filesize: 367KB
MD5: b90cabdce11eafd910a7bf9ec8a3ba4b
SHA1: cabfe274186858d82ec957f62ad9729d6cc4d3cc
SHA256: d4bd89ac0bacafc4cd1f72809b5e9ee7a677bd3ac9c576f66f09653ea92b99df
SHA512: fbda802152c4cf1a1b2b29568bf267f0e35b8fe85b57186d41d7b9a552d3755b28ee6bf69eabbd7cb3ce352738ab70e8efe83ed68a573f185956664a582269ad
-
Filesize: 303KB
MD5: e229b37bbdb6f72168884cab28b02be4
SHA1: 28c6beb1c82e6928023dc3f131b37434de711439
SHA256: dacb1a8ae43e9cde31e3aa20327321cefe772f6ebde2fe412a9049db650321ea
SHA512: aa7cdcccdd2695bd0138e4feed7ce6df37dd3b947f65cb40320ddde8551a41ebe5aca078210fba2603de1e29702af6b953da1eff3b4ee0501731f0d37d6a7fa7
-
Filesize: 367KB
MD5: 4336d443b29538c747bae73fb2f3d3a1
SHA1: f00690a10f9ee4b5eeda7682f5e253c47d0ff4c3
SHA256: f782775be0e407d240d03f74f57eea5fcb367dfdcea868f68b83f4b1f851703b
SHA512: 89857223f5b52f6c7551c4ea03deeeac43222a166c35387a2eca82fbb5b36c97c27ef4b9304b004276ff8752ed0a3c6be2372f2ea029a85fb42190746a14dc08
Note: the two 367KB files match the submitted sample's size but carry different hashes from it and from each other.