Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 23:06
Static task: static1
Behavioral task: behavioral1
Sample: addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
Resource: win7-20240215-en
General
Target: addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
Size: 329KB
MD5: e530079cb433d24463b761dded0368a0
SHA1: ecb67cf4344d633d423aa0cc61893af7485a438a
SHA256: addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e
SHA512: f1d912114240d2379590b321375cf48594cb4dc382d06c882e9622f97f728f2c76c9ddcfa0d41716dd2acecf9a95504f6e7a5f2ba662c9568595f93a5655a534
SSDEEP: 6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpD:PkXpd6jqiOIHZAy
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
- Deletes itself (1 IoC)
  pid 2484, cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 2908, cisyz.exe
  pid 2576, nigowi.exe
  pid 1752, gyrol.exe
- Loads dropped DLL (3 IoCs)
  pid 2896, addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
  pid 2908, cisyz.exe
  pid 2576, nigowi.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 1752, gyrol.exe (all 55 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Columns: description; pid; Process; procid_target. Each row below appears four times in the original table.
  PID 2896 wrote to memory of 2908; 2896; addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe; 28
  PID 2896 wrote to memory of 2484; 2896; addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe; 29
  PID 2908 wrote to memory of 2576; 2908; cisyz.exe; 31
  PID 2576 wrote to memory of 1752; 2576; nigowi.exe; 34
  PID 2576 wrote to memory of 2612; 2576; nigowi.exe; 35
Processes
- C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"
  Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 2896
  - C:\Users\Admin\AppData\Local\Temp\cisyz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cisyz.exe" hi
    Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID: 2908
    - C:\Users\Admin\AppData\Local\Temp\nigowi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nigowi.exe" OK
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2576
      - C:\Users\Admin\AppData\Local\Temp\gyrol.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\gyrol.exe"
        Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
        PID: 1752
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2612
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Deletes itself
    PID: 2484
Network
MITRE ATT&CK Enterprise v15
Downloads