Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 16/03/2024, 22:17
Behavioral task: behavioral1
- Sample: 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
- Resource: win7-20240215-en
General
- Target: 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
- Size: 453KB
- MD5: 7cf19309574d5bf7a7e8fd72cda93f93
- SHA1: 4c5194df07a8625883204ccaf9b9f1a5e550d1f2
- SHA256: 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25
- SHA512: 6428fa21509b031e36c4336c80e541fbeb07818a17f4435de203b88e239cc4fc1ec1020b97f3c663e7fbab4c9addf57f8f28f6cfe7717a7549b43acfcd476590
- SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoz:PMpASIcWYx2U6hAJQn3
Malware Config
- Extracted: urelas
  218.54.31.165
  218.54.31.226
Signatures
- Deletes itself (1 IoC)
  pid 2612 cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 2264 miwyw.exe
  pid 2676 kebezo.exe
  pid 2352 xypey.exe
- Loads dropped DLL (3 IoCs)
  pid 1804 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
  pid 2264 miwyw.exe
  pid 2676 kebezo.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 2352 xypey.exe (55 identical events)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Each parent/child pair below was recorded four times.
  PID 1804 (92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe) wrote to memory of 2264, procid_target 28
  PID 1804 (92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe) wrote to memory of 2612, procid_target 29
  PID 2264 (miwyw.exe) wrote to memory of 2676, procid_target 31
  PID 2676 (kebezo.exe) wrote to memory of 2352, procid_target 34
  PID 2676 (kebezo.exe) wrote to memory of 2536, procid_target 35
Processes
- C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"
  PID: 1804
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\miwyw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\miwyw.exe" hi
    PID: 2264
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kebezo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kebezo.exe" OK
      PID: 2676
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\xypey.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xypey.exe"
        PID: 2352
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2536
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2612
    - Deletes itself
Downloads