Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 23:28
Behavioral task: behavioral1
Sample: b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe
Resource: win7-20240221-en
General
Target: b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe
Size: 312KB
MD5: d1de47776076580de4d6dbd71acfbebd
SHA1: 31708125cd48b6774a79c6be4af524eaae040819
SHA256: b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8
SHA512: d171f0be0037cca1dae457da0d4fe4a5d278377a30952ef43773728821250c31706d8d872f1415964b38946c3c98264e13ec1b939d572ff4a4538f45d85b2774
SSDEEP: 6144:AvJHbHWEQyhCmhVAc4RgCM1GxVAOCIr7nAFHxtKWJZ6PwLusisAzKTyr:uJHbH1QwlARgCCySf47AFHLJ4uusCzZr
Malware Config
Extracted: urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Detects executables built or packed with MPress PE compressor (8 IoCs)
resource | yara_rule
behavioral1/files/0x000f00000000f680-34.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-38-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-40-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-41-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-42-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-43-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-44-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1228-45-0x0000000000400000-0x00000000004B5000-memory.dmp | INDICATOR_EXE_Packed_MPress
UPX dump on OEP (original entry point) (6 IoCs)
resource | yara_rule
behavioral1/memory/2876-0-0x0000000000400000-0x000000000047E000-memory.dmp | UPX
behavioral1/files/0x000e000000015a98-4.dat | UPX
behavioral1/memory/2876-17-0x0000000000400000-0x000000000047E000-memory.dmp | UPX
behavioral1/memory/3036-18-0x0000000000400000-0x000000000047E000-memory.dmp | UPX
behavioral1/memory/3036-21-0x0000000000400000-0x000000000047E000-memory.dmp | UPX
behavioral1/memory/3036-36-0x0000000000400000-0x000000000047E000-memory.dmp | UPX
Deletes itself (1 IoCs)
pid | Process
3064 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
3036 | udcob.exe
1228 | osmop.exe

Loads dropped DLL (2 IoCs)
pid | Process
2876 | b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe
3036 | udcob.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid | Process
1228 | osmop.exe (all 53 events originate from this one process)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target | count
PID 2876 wrote to memory of 3036 | 2876 | b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe | 28 | 4
PID 2876 wrote to memory of 3064 | 2876 | b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe | 29 | 4
PID 3036 wrote to memory of 1228 | 3036 | udcob.exe | 33 | 4
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe (PID 2876)
  command line: "C:\Users\Admin\AppData\Local\Temp\b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\udcob.exe (PID 3036)
    command line: "C:\Users\Admin\AppData\Local\Temp\udcob.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\osmop.exe (PID 1228)
      command line: "C:\Users\Admin\AppData\Local\Temp\osmop.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 3064)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads