Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 21:37
Behavioral task: behavioral1
Sample: 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
Resource: win7-20240221-en
General
Target: 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
Size: 453KB
MD5: 21b9b58fa2aa01359b6d84e2b402ea66
SHA1: 486d4169c82b0574e3c8d65c67dd123d539f67ed
SHA256: 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793
SHA512: d2fe91817f56f74453d00d0eb4d49e4cca22960a51d7d9eaa2d59cb660e4b0207c429e53505a9630f7fb58a6cebc92b827b0f5727fcf65e5ae8d3dd5c9477468
SSDEEP: 6144:Z8efQ6QPJGcLbjg0YSZK4UnUHOkb8734A2P6gt99Wvtxrpp29xSE3v/:c6QPJGcE0XKRg04zPZt9mtPON/
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
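The five addresses above are the only network indicators the report exposes. As an added example, not part of the sandbox report, the Python below pulls dotted quads out of firewall log lines and matches them against that list as whole addresses, so an unrelated address that merely contains a C2 address as a substring (121.234.83.146 versus 1.234.83.146) is not reported. The log lines, the internal host, the ports and the protocol are constructed for this example; the report records only the addresses.

```python
import ipaddress
import re

# Addresses from the urelas config extracted in the report above.
URELAS_C2 = {
    "1.234.83.146",
    "133.242.129.155",
    "218.54.31.226",
    "218.54.30.235",
    "218.54.31.165",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def c2_hits(log_lines, iocs=URELAS_C2):
    """Return (line_no, ip, line) for each line carrying a listed address.

    Candidates are whole dotted quads (the \\b anchors stop '121.234.83.146'
    from matching '1.234.83.146') and are re-validated with ipaddress so that
    a regex match such as 999.1.1.1 is dropped rather than looked up.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.IPv4Address(token))
            except ipaddress.AddressValueError:
                continue
            if ip in iocs:
                hits.append((n, ip, line))
    return hits


# Constructed firewall lines for this example. The internal host, ports and
# protocol are invented; the report gives only the addresses.
SAMPLE_LOG = [
    "2024-03-16T21:38:02Z fw allow 10.0.0.23:49211 -> 1.234.83.146:80 tcp",
    "2024-03-16T21:38:05Z fw allow 10.0.0.23:49213 -> 203.0.113.5:443 tcp",
    "2024-03-16T21:38:09Z fw allow 10.0.0.23:49217 -> 121.234.83.146:80 tcp",
    "2024-03-16T21:38:11Z fw deny  10.0.0.23:49219 -> 218.54.31.226:80 tcp",
]

if __name__ == "__main__":
    for n, ip, line in c2_hits(SAMPLE_LOG):
        print(f"line {n}: {ip} <- {line}")
```

Run against real firewall or proxy exports the function only needs an iterable of lines; the set lookup keeps it linear in the number of addresses seen.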
Signatures
Detects executables built or packed with MPress PE compressor (6 IoCs)
resource  yara_rule
behavioral1/memory/2464-0-0x0000000000400000-0x0000000000474000-memory.dmp  INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b000000015bfc-4.dat  INDICATOR_EXE_Packed_MPress
behavioral1/memory/2348-9-0x0000000000400000-0x0000000000474000-memory.dmp  INDICATOR_EXE_Packed_MPress
behavioral1/memory/2464-17-0x0000000000400000-0x0000000000474000-memory.dmp  INDICATOR_EXE_Packed_MPress
behavioral1/memory/2348-20-0x0000000000400000-0x0000000000474000-memory.dmp  INDICATOR_EXE_Packed_MPress
behavioral1/memory/2348-27-0x0000000000400000-0x0000000000474000-memory.dmp  INDICATOR_EXE_Packed_MPress
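The rule INDICATOR_EXE_Packed_MPress fired on the submitted file, on the dropped file and on the memory dumps of PIDs 2464 and 2348. One way to confirm that finding on a file yourself is to read the PE section table: MPress names its sections .MPRESS1 and .MPRESS2. The Python below is an added example, not the report's or the YARA rule's own logic (the rule may key on additional strings); build_minimal_pe is a constructed test fixture that produces PE32 headers with chosen section names, not real packer output.

```python
import struct

# Section names MPress gives a packed PE file.
MPRESS_SECTIONS = {".MPRESS1", ".MPRESS2"}


def pe_sections(data):
    """Parse the section table of a PE image and return (name, virtual_size,
    raw_size) tuples. Raises ValueError on anything that is not a well-formed
    PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return sections


def is_mpress_packed(data):
    """True when both MPress section names are present in the section table."""
    return MPRESS_SECTIONS <= {name for name, _, _ in pe_sections(data)}


def build_minimal_pe(section_names):
    """Constructed test fixture: PE32 headers with the given section names and
    no code. Only the fields pe_sections() reads carry meaningful values."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                       opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    table = b""
    for i, name in enumerate(section_names):
        raw_name = name.encode("ascii")[:8].ljust(8, b"\0")
        table += raw_name + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                                        0x200, 0x400 + 0x200 * i, 0, 0, 0, 0,
                                        0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        verdict = "MPress sections" if is_mpress_packed(blob) else "no MPress sections"
        print(path, verdict, [s[0] for s in pe_sections(blob)])
```

The same parser works on a memory dump that still carries its PE headers, which is why the rule could also match the 0x400000-0x474000 regions listed above; a packer that renames its sections would need a different check (entropy of the first section, import-table size), which this example does not attempt.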
Deletes itself (1 IoC)
pid  Process
2088  cmd.exe
Executes dropped EXE (2 IoCs)
pid  Process
2348  xupon.exe
2796  xyqef.exe
Loads dropped DLL (2 IoCs)
pid  Process
2464  8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
2348  xupon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid  Process
2796  xyqef.exe (the same row is recorded 53 times)
Suspicious use of WriteProcessMemory (12 IoCs)
description  pid  Process  procid_target
PID 2464 wrote to memory of 2348  2464  8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe  28 (recorded 4 times)
PID 2464 wrote to memory of 2088  2464  8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe  29 (recorded 4 times)
PID 2348 wrote to memory of 2796  2348  xupon.exe  33 (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe (PID 2464)
  command line: "C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\xupon.exe (PID 2348)
    command line: "C:\Users\Admin\AppData\Local\Temp\xupon.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\xyqef.exe (PID 2796)
      command line: "C:\Users\Admin\AppData\Local\Temp\xyqef.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 2088)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
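The tree above records the chain: the sample starts xupon.exe, which starts xyqef.exe, while a separate cmd.exe child of the sample runs a .bat from the same Temp directory and the sample is deleted. The Python below is an added example, not part of the report. It rebuilds the tree from process-creation events constructed from the rows above (pid, ppid, image, command line; the sample's own parent is not recorded, so it is None) and flags a process running from AppData\Local\Temp that launches cmd.exe /c on a .bat in that same directory, the self-deletion pattern seen here. The Temp path and the event field names are assumptions for this example.

```python
import re
from collections import defaultdict

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe")

# Constructed process-creation events, one per row of the report's process tree.
# The sample's own parent is not recorded in the report, so its ppid is None.
EVENTS = [
    {"pid": 2464, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2348, "ppid": 2464,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xupon.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xupon.exe"'},
    {"pid": 2796, "ppid": 2348,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xyqef.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xyqef.exe"'},
    {"pid": 2088, "ppid": 2464,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
]

# First drive-letter path ending in .bat inside a command line.
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.bat)', re.IGNORECASE)


def build_tree(events):
    """Map ppid -> [events]; roots (parent not in the event set) sit under None."""
    pids = {e["pid"] for e in events}
    kids = defaultdict(list)
    for e in events:
        parent = e["ppid"] if e["ppid"] in pids else None
        kids[parent].append(e)
    return kids


def render_tree(events):
    """Return the process tree as indented text lines, depth-first."""
    kids = build_tree(events)
    lines = []

    def walk(parent, depth):
        for e in kids.get(parent, []):
            lines.append("  " * depth + f'{e["pid"]} {e["image"]}')
            walk(e["pid"], depth + 1)

    walk(None, 0)
    return lines


def in_temp(path):
    return path.lower().startswith(TEMP_DIR + "\\")


def temp_batch_launches(events):
    """Flag cmd.exe /c <Temp>\\*.bat started by a process that itself runs from
    Temp. Returns (parent_pid, parent_image, bat_path) tuples."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        if " /c " not in e["cmdline"].lower():
            continue
        m = BAT_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or parent is None:
            continue
        if in_temp(m.group(1)) and in_temp(parent["image"]):
            hits.append((parent["pid"], parent["image"], m.group(1)))
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for ppid, image, bat in temp_batch_launches(EVENTS):
        print(f"self-delete candidate: PID {ppid} ({image}) ran {bat} via cmd.exe")
```

The heuristic deliberately needs both the batch file and the launching image to live under the user's Temp directory; with file-deletion events available, the stronger confirmation is that the parent's image path is removed shortly after the cmd.exe child exits.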
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: 2ed49363141b3a651ae2f19a7ce5004e
SHA1: 0e602feeff46414a51675b0d0989c7bb5ea06a1f
SHA256: b91b3d683ec592cae7c070a6ce8138d45bfbaa5b532fa4cebeee94cb2ad520e1
SHA512: 6685704ab2257d970b3ab298ced5fa46ca9840eadc7cae5ff1ad55d6529ceb9d5a91412f581c6f9c9ef794049e193ab03c83c7534bd78cec35d122f22a5e30c2

Filesize: 512B
MD5: 74e7082c044588dbce68ae476cabe877
SHA1: 8b499a599712e58f4750218be2b06fc1cb930be1
SHA256: af32c6ff201d313e2cf3487c23c01b030d906273d59632840208dce4e610b408
SHA512: ea05c11a5c6f0ad41199660c4e51f96f76bb7e0953dc4130753422bc28457068341f94c291387bbbbd5c9bf65f98f0858ae88f7ff0572c27d557e02562bbe7ed

Filesize: 453KB
MD5: 836ee57caf418ce58985cee1e87dcb5c
SHA1: 8d92fe4fbe781f123c0ac3dbdfc314e052b1552f
SHA256: 669d614126b56a67d9ac7ba015f2555fd52e78ae3595b6402efc67bf683f1092
SHA512: b369c9bc4ef8050577b77c0e36b3b4fae8655cb9b1e774bb2dec57fbd0b177827f9cdfd269f847b0fd51705d6a1a1dc74526c40d6701eed7b23f1e4229415c7c

Filesize: 297KB
MD5: ca613c2c27a4e66f6037d145bc27d394
SHA1: c0cfc500d6e74a81cc24c1923b409343066512bf
SHA256: 91b16ff9ec83efb96c5ccd5ad508be2b137dda34d09f0cc43624c6b5bcd73692
SHA512: 72530a492fadfd7e25057f925281fc9a9aacadbb6e34bffd321d423814de821aceb9e2e4f32e517e101148236f885610e8476f5498cbe6518022e8b36cfd6a62