Analysis
max time kernel: 148s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 22:50
Behavioral task: behavioral1
Sample: cf45b2e62fb61b7f2757cf2d1beb08a6.exe
Resource: win7-20240215-en
General
Target: cf45b2e62fb61b7f2757cf2d1beb08a6.exe
Size: 1.1MB
MD5: cf45b2e62fb61b7f2757cf2d1beb08a6
SHA1: 4d8223aea1671969511f00dca8bf4569753fd8f2
SHA256: af464d9f2c1bb1caf81f3cb1dc3d67c7d577fdca066d0c650b995c54e9d74e70
SHA512: aca24448c04e3917525ca1aa0b50193feaabeb409d164f427be44ea37c1b813ae7b4d1622d152828df92927b65bd2d05aac95c76b99ba155fc0716ea1656050a
SSDEEP: 12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Yh:tcykpY5852j6aJGl5cqBQ
Malware Config
Extracted family: urelas
218.54.31.165
218.54.31.226
Signatures
Deletes itself (1 IoCs)
  PID 2476 cmd.exe

Executes dropped EXE (3 IoCs)
  PID 1244 joyfv.exe
  PID 2772 jirodo.exe
  PID 292 juzol.exe

Loads dropped DLL (5 IoCs)
  PID 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe (2 hits)
  PID 1244 joyfv.exe (2 hits)
  PID 2772 jirodo.exe (1 hit)

yara_rule upx (3 resources)
  behavioral1/files/0x0033000000015cbd-44.dat
  behavioral1/memory/292-54-0x0000000000400000-0x0000000000599000-memory.dmp
  behavioral1/memory/292-59-0x0000000000400000-0x0000000000599000-memory.dmp

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (13 IoCs)
  PID 292 juzol.exe (13 hits)

Suspicious use of WriteProcessMemory (20 IoCs)
  parent PID (process) -> target PID [procid_target], hits
  2836 (cf45b2e62fb61b7f2757cf2d1beb08a6.exe) -> 1244 [28], 4 hits
  2836 (cf45b2e62fb61b7f2757cf2d1beb08a6.exe) -> 2476 [29], 4 hits
  1244 (joyfv.exe) -> 2772 [31], 4 hits
  2772 (jirodo.exe) -> 292 [34], 4 hits
  2772 (jirodo.exe) -> 2504 [35], 4 hits
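The "upx" YARA hit above fired on one dropped file and on two memory dumps of PID 292 (juzol.exe). Before reaching for an unpacker it is worth confirming what the rule is reacting to. The following is an added example, not part of this report or of the sandbox's own rule set: a stdlib-only Python check for the two markers a stock UPX build leaves behind, the UPX0/UPX1 section names in the PE section table and the "UPX!" marker. The exact conditions of the sandbox's "upx" rule are not shown on the page, so this is an approximation of it. The PE image produced by `build_pe()` is a constructed, header-only stub used as test input; it is none of the files or dumps listed in the report.

```python
"""Confirm a UPX hit the way a typical "upx" YARA rule does: look for UPX
section names in the PE section table and for the "UPX!" marker.

Stdlib only. build_pe() returns a constructed, non-executable header-only
PE32 stub for demonstration; it is not one of the report's artifacts."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def section_names(pe: bytes):
    """Return the NUL-stripped 8-byte section names of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER (40 bytes each)
    return [pe[table + 40 * i: table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]


def looks_upx_packed(pe: bytes) -> bool:
    """True if a UPX section name is present or the 'UPX!' marker appears anywhere in the image."""
    return bool(UPX_SECTION_NAMES.intersection(section_names(pe))) or b"UPX!" in pe


def build_pe(names, marker=b""):
    """Constructed header-only PE32 stub with the given section names (test input, not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: PE header right after the DOS header
    opt_size = 224                                 # sizeof(IMAGE_OPTIONAL_HEADER32)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + marker


if __name__ == "__main__":
    packed = build_pe([b"UPX0", b"UPX1", b".rsrc"], marker=b"UPX!")
    plain = build_pe([b".text", b".data", b".rsrc"])
    print("packed stub:", section_names(packed), looks_upx_packed(packed))
    print("plain stub: ", section_names(plain), looks_upx_packed(plain))
```

Run `section_names()` on the dropped .dat and on the PID 292 memory dumps: if the names are intact, `upx -d` will usually unpack the file; if the names were renamed but "UPX!" survives, the file was packed with a modified UPX and the memory dumps are the easier route to the unpacked code.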
Processes
1. C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe"
   PID 2836; Loads dropped DLL; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\joyfv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\joyfv.exe"
      PID 1244; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\jirodo.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\jirodo.exe" OK
         PID 2772; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\juzol.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\juzol.exe"
            PID 292; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID 2504
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID 2476; Deletes itself
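The WriteProcessMemory IoCs and the process tree above describe the same chain: the sample (PID 2836) drops and launches joyfv.exe, which launches jirodo.exe, which launches juzol.exe, while two cmd.exe instances run `_vslite.bat` from the same Temp directory. The following is an added example, not part of this report or of the sandbox's own logic: it rebuilds that tree from the IoC rows (copied verbatim from the report, including the repeated hits), deduplicates them, renders the tree, and applies a simple heuristic for the batch-file self-deletion pattern (an executable running from `%TEMP%` spawning `cmd /c` on a `.bat` in the same directory). Note that the heuristic flags both cmd.exe instances (PIDs 2476 and 2504), whereas the report's "Deletes itself" signature fires only on PID 2476; the batch file's content, which would settle what each run deletes, is not included on the page.

```python
"""Rebuild the process tree from the sandbox report's WriteProcessMemory IoCs
and flag the %TEMP%-executable -> cmd /c <Temp>\\*.bat self-deletion pattern.

The IoC rows and command lines are copied from the report; the parsing and
the heuristic are added here and are not the sandbox's own detection logic."""
import re
from collections import defaultdict

# Rows copied verbatim from the "Suspicious use of WriteProcessMemory" signature (one hit per row).
WPM_IOCS = """
PID 2836 wrote to memory of 1244 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 28
PID 2836 wrote to memory of 1244 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 28
PID 2836 wrote to memory of 1244 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 28
PID 2836 wrote to memory of 1244 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 28
PID 2836 wrote to memory of 2476 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 29
PID 2836 wrote to memory of 2476 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 29
PID 2836 wrote to memory of 2476 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 29
PID 2836 wrote to memory of 2476 2836 cf45b2e62fb61b7f2757cf2d1beb08a6.exe 29
PID 1244 wrote to memory of 2772 1244 joyfv.exe 31
PID 1244 wrote to memory of 2772 1244 joyfv.exe 31
PID 1244 wrote to memory of 2772 1244 joyfv.exe 31
PID 1244 wrote to memory of 2772 1244 joyfv.exe 31
PID 2772 wrote to memory of 292 2772 jirodo.exe 34
PID 2772 wrote to memory of 292 2772 jirodo.exe 34
PID 2772 wrote to memory of 292 2772 jirodo.exe 34
PID 2772 wrote to memory of 292 2772 jirodo.exe 34
PID 2772 wrote to memory of 2504 2772 jirodo.exe 35
PID 2772 wrote to memory of 2504 2772 jirodo.exe 35
PID 2772 wrote to memory of 2504 2772 jirodo.exe 35
PID 2772 wrote to memory of 2504 2772 jirodo.exe 35
"""

# Command lines from the report's "Processes" section.
CMDLINES = {
    2836: r'"C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe"',
    1244: r'"C:\Users\Admin\AppData\Local\Temp\joyfv.exe"',
    2772: r'"C:\Users\Admin\AppData\Local\Temp\jirodo.exe" OK',
    292: r'"C:\Users\Admin\AppData\Local\Temp\juzol.exe"',
    2504: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "',
    2476: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+\d+\s+(\S+)\s+(\d+)")
# Parent: an .exe under a user's %TEMP% (leading quote optional). Child: cmd /c on a .bat there.
TEMP_EXE_RE = re.compile(r'^"?C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^"\\]+\.exe"?', re.I)
TEMP_BAT_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"*C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^"]+\.bat', re.I)


def parse_wpm(text):
    """Collapse repeated rows into {(parent_pid, child_pid): (parent_image, hit_count)}."""
    edges = {}
    for ppid, cpid, image, _target_index in WPM_RE.findall(text):
        key = (int(ppid), int(cpid))
        _, hits = edges.get(key, (image, 0))
        edges[key] = (image, hits + 1)
    return edges


def build_tree(edges):
    """Return (root_pids, {parent_pid: [child_pids]}) from the parent->child edges."""
    children = defaultdict(list)
    for ppid, cpid in edges:
        children[ppid].append(cpid)
    every_child = {c for kids in children.values() for c in kids}
    return sorted(set(children) - every_child), dict(children)


def render(children, cmdlines, pid, depth=0):
    """Indented text tree, one line per process, children in PID order."""
    lines = [f"{'  ' * depth}PID {pid}: {cmdlines.get(pid, '?')}"]
    for child in sorted(children.get(pid, [])):
        lines.extend(render(children, cmdlines, child, depth + 1))
    return lines


def flag_self_delete(edges, cmdlines):
    """Edges where a %TEMP% executable launched cmd /c on a %TEMP% .bat file."""
    return sorted(
        (ppid, cpid)
        for ppid, cpid in edges
        if TEMP_EXE_RE.match(cmdlines.get(ppid, "")) and TEMP_BAT_RE.match(cmdlines.get(cpid, ""))
    )


if __name__ == "__main__":
    edges = parse_wpm(WPM_IOCS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, CMDLINES, root)))
    for ppid, cpid in flag_self_delete(edges, CMDLINES):
        print(f"self-delete pattern: PID {ppid} -> cmd.exe PID {cpid}")
```

The four identical rows per parent/child pair are what a sandbox typically records around process creation (the new process is written to several times before it starts), which is why the 20 IoCs collapse to five edges. The same edge list is what you would feed a Sysmon Event ID 1 (parent/child) query to look for the pattern on endpoints.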
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 224B
MD5: 48ff01f7b66b7b85248117aa627359b4
SHA1: 968ab16d95eb4dc6ac5863a8868a652b78015e61
SHA256: 303a26b3e5398ced0eaa717cbe5d1aa73d7fba78e24145173463969686548059
SHA512: 922b7d665cfdac62463e36a732119c649bf3ba1d40495e457362df17978c23914f6d47351cf9286d9260e7b5fd370b0676c238181f5681d191c0dcfd49dcfcf9

Filesize: 276B
MD5: 94af0bedc86fabfb20a3ac847dbc48fe
SHA1: aae6b2f051fd7a13dbde66b6d4823ea6d8b8c154
SHA256: 7bae0ce2061162e445660ee0454ccdd5e8e5aab39ab213ef74287135d46b77df
SHA512: 2d2c80174c4a281ffb8686e808f24fa1a6ee7283bfe7c32f8506b84bb9c0aa611ba3c404945fb1031a3704e2dff784d48704103d0596085072544d4b28963b95

Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize: 512B
MD5: 631a185b769cb4bdf45a58d813301eb0
SHA1: 3cb647176f9e53be55d08f21999adbc924153c4e
SHA256: 12369188820b2923beca0771dea9f539ac2e27bb4745d9083eb733a3a2eb3799
SHA512: 37e50e60659df586080e126d49e412f908931eda58a4e95878ea2e9efc851460145d53c889aec9016d2653e4742709624b10b698da60eb3b9db510d840927e12

Filesize: 459KB
MD5: 878fad572893a0d39105db1311a6f1ad
SHA1: 1a3e05fe236cf12f9ea7aecc790f28bc677ec2e7
SHA256: f2b2371d2cfeb5604e3b17545ef5e8e9d7525c60a2287fb0225a21f855e2f107
SHA512: 0749e433191218242f5bd5aa4fa4da62016fe6debe46576157370f1740209c455c91b9ec44cd646b797cf44e10556e09035625ee73d6149fe8708ec2415ee743

Filesize: 64KB
MD5: 973b29841de25f207b530337264cf6f2
SHA1: 8b388d50370c2d811d906a116d74f7e1bef508e3
SHA256: 695caedf41fc24f0bba407d4aaa9799b3d6ff74853d3d4c1d913e4f5c2995721
SHA512: c4643bf47c6223fbf1dbf7f3318ef01666b4cdb8d12cf10e14e879bd3c2144ee25cf65f0980148b60e340db4bd501ba039a626eb219afc96952fd0c8e8daa3ea

Filesize: 1.1MB
MD5: ea985d70a6187270f676151b533816dc
SHA1: 72ca94cc4431a8d466db70002cdc408630cfd694
SHA256: 40e5b437c904b825f7a60a4fef6035cd9b74dbe23857003f87c9f08cbec42498
SHA512: 7940d27fd2975ed2e1276de27e4f2f0248dac245575753f07e41a07693024eb213087805a8a3e0272ce5c49d143e4ba11690ea68cb864726003d2754d74bd3fe