Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16/03/2024, 23:28
Behavioral task: behavioral1
- Sample: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
- Resource: win7-20240221-en
General
- Target: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
- Size: 483KB
- MD5: eadc232be0040abee0332d39feb2c056
- SHA1: b59b6366246015d41fd15f96dff30e3cd15c63b9
- SHA256: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa
- SHA512: 0068689d8e5b72182c6c9db3820369bf25ffc180c9270d0291dcec6589ee3d480549a7255497e337ec2741f910c9132526e37bb008eefacea1595e492fd684a6
- SSDEEP: 12288:k2PxDgZo3ijniea8Xih9abyNK95ZA9u3y2XWbW:k2SLi7oih9abvcet
Malware Config
Extracted configuration: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.30.235
- 218.54.31.165
Signatures
- Deletes itself (1 IoC)
  - PID 2620 cmd.exe
- Executes dropped EXE (2 IoCs)
  - PID 1304 vebaz.exe
  - PID 1852 acziv.exe
- Loads dropped DLL (2 IoCs)
  - PID 2908 b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
  - PID 1304 vebaz.exe
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  - PID 1852 acziv.exe (53 repeated events)
- Suspicious use of WriteProcessMemory (12 IoCs; each entry repeated 4 times)
  - PID 2908 (b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe) wrote to memory of PID 1304, procid_target 28
  - PID 2908 (b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe) wrote to memory of PID 2620, procid_target 29
  - PID 1304 (vebaz.exe) wrote to memory of PID 1852, procid_target 33
Processes
- C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe (PID 2908)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vebaz.exe (PID 1304)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vebaz.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\acziv.exe (PID 1852)
      Command line: "C:\Users\Admin\AppData\Local\Temp\acziv.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2620)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself