Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 22:22
Behavioral task: behavioral1
Sample: cf389a6edfd132de5bfeb2deb343d5e2.exe
Resource: win7-20240221-en
General
Target: cf389a6edfd132de5bfeb2deb343d5e2.exe
Size: 401KB
MD5: cf389a6edfd132de5bfeb2deb343d5e2
SHA1: 42a47204b264bf4c1bc00f38fb8a9b345dc40028
SHA256: 614c3bbd21decd89fa9045ef7960de748ddd0ab3574645441ca014f81e1002d9
SHA512: 92044df4ae0004069efe3ac598ad3dcc4414d5c4736143398200499d44c6402e0728dfcb8a9593a6f8e14ce96a9ac9f774451ae509a5d2eda724bbc523c9cfbd
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohCR:8IfBoDWoyFblU6hAJQnOC
Malware Config
Extracted: urelas
  218.54.31.165
  218.54.31.226
Signatures
Deletes itself (1 IoC)
  pid 2532  cmd.exe
Executes dropped EXE (3 IoCs)
  pid 2376  exizj.exe
  pid 2624  quneah.exe
  pid 1904  higov.exe
Loads dropped DLL (5 IoCs)
  pid 2612  cf389a6edfd132de5bfeb2deb343d5e2.exe  (2 entries)
  pid 2376  exizj.exe  (2 entries)
  pid 2624  quneah.exe  (1 entry)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 1904  higov.exe  (55 entries)
Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process                               procid_target
  PID 2612 wrote to memory of 2376   2612  cf389a6edfd132de5bfeb2deb343d5e2.exe  28  (4 entries)
  PID 2612 wrote to memory of 2532   2612  cf389a6edfd132de5bfeb2deb343d5e2.exe  29  (4 entries)
  PID 2376 wrote to memory of 2624   2376  exizj.exe                             31  (4 entries)
  PID 2624 wrote to memory of 1904   2624  quneah.exe                            34  (4 entries)
  PID 2624 wrote to memory of 2412   2624  quneah.exe                            35  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"
  PID: 2612
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\exizj.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\exizj.exe" hi
    PID: 2376
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\quneah.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\quneah.exe" OK
      PID: 2624
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\higov.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\higov.exe"
        PID: 1904
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2412
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2532
    - Deletes itself
Downloads
File 1
  Filesize: 276B
  MD5: f0a542051f587925e773aed510551c0a
  SHA1: bd0f7fe15646e1bb9b381ce964be431b56c83189
  SHA256: ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90
  SHA512: c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26

File 2
  Filesize: 224B
  MD5: dfecc9686f56f40bd7bd79b69f9c43bb
  SHA1: 3e94767cb5d7bd7cfc00965fd32041a99fa6822e
  SHA256: 038d99a8b5b0141f780250a1a86cd7c969263ebf18dc8539b89f0b6dff6cf2e2
  SHA512: 2b12fb561bc6005424da26dbacff65c1d9ff2de249b4d7255ad35152a63c95cf3571faee0752b90793bb11ef97087aaac5648913bd374f13cdda24a001cfa116

File 3
  Filesize: 401KB
  MD5: 5a9568a8db95af832bac7903cdab2eea
  SHA1: 133e36356ebc3c99808fb6c21ffbfaee52605ecf
  SHA256: afb89bfe1d09cae0e9c0c8265aabcd9f05dedd1428730467ef7ee3227efc02eb
  SHA512: b0c177b2603b652ee36cfb1824e5c654df5be1ab288bc750ec693528ebdb83756a2714d696f150f0004c118ddfbec4b7f2adc8098ce0ca07536b3620df84e794

File 4
  Filesize: 512B
  MD5: 8597b27c3ba89aac3aec691f8ef9d237
  SHA1: 8ee9089671609eb1d4eaabe1b0786abccbfedf2b
  SHA256: 2acfe09400322b1389b8e2c1a6ffe3734aaae6835bd1ac6839956fab25ef3337
  SHA512: a351f0be3182d9a8ebf80676ea9408ba54fff9abcc9f6970f62d4f3d94717a55a35802291cd82d7b0bd513f8e3eb162fe6773a3d65380ed9345d8557f0b95921

File 5
  Filesize: 401KB
  MD5: e704188fe23337989ae3292c82c8bbfe
  SHA1: 635a70acc93d1946f921750eadf9ceb1a21d86cc
  SHA256: 481d648b2f1bcadb3dd7fee44a1872369690e15218ad829876fdcdb27716bb59
  SHA512: a832b1a179894444403f7a911f8606507096061d3fe100d32e7accd4b7983942857ecbdb44f5a8b9255cc4466490a97e650285e6a332b2b175ca4be6b65a23ab

File 6
  Filesize: 223KB
  MD5: fe3af1797945ecdb8528731f06d57fcc
  SHA1: 01bbfcd082ecde962e4db36013e068f3465a8f63
  SHA256: 88c665becd36e6dfb4673e9f8fc6389506304ae2e8baab095acecdd71c2a98dd
  SHA512: fe171a3d4d704ddae7906e36c330d257cc2081f193f14e39af94886288999ddb87c7eb500ed2afc66e19310867bfc5b4f4218741c8f470d74dc58b37065c8468