Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 16/03/2024, 23:47
Behavioral task: behavioral1
Sample: c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
Resource: win7-20240221-en
General
Target: c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
Size: 487KB
MD5: 7b4680c1c19a6d291953f25d24e76b45
SHA1: 43ce5530346df5fe3bcb773bc00a40b934ad2a1c
SHA256: c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0
SHA512: 8394837fd731945faad3c593a7b85e1220bd0fb048fae25fa04551a3f64e5dd33c4d99f07d8c15d9b33f36c7161466e18763b9cb629ec99d11a6c32276ea5834
SSDEEP: 12288:Vpbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbe+:VpbXi5xzFUBaazsiofx83
Malware Config
Extracted: urelas
C2 addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures
- Deletes itself (1 IoC)
  pid 2084  cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 1596  onwyx.exe
  pid 1704  riduj.exe
- Loads dropped DLL (2 IoCs)
  pid 2276  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
  pid 1596  onwyx.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 1704  riduj.exe  (54 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2276 wrote to memory of 1596   2276  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  28  (4 identical entries)
  PID 2276 wrote to memory of 2084   2276  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  29  (4 identical entries)
  PID 1596 wrote to memory of 1704   1596  onwyx.exe                                                               33  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe"
  PID: 2276
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\onwyx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\onwyx.exe"
      PID: 1596
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\riduj.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\riduj.exe"
          PID: 1704
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2084
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 58350343aa0b4f8f67a75c5b2c5c133a
SHA1: e1fd6002d93954622545031b127c7ec30fc898de
SHA256: 768c43becf6daa0bfea4b94d194f9b090b67ac32e5ebfba43ebf7f379e1f1039
SHA512: baf33270115d230ef01f8579661bc1d6d8db2ac9bac4cb215f0d1d915360e53fee8dde2e66ec2d841fcb70ac8ec2c1d7560aa83a35841e77c744fefeb28bd09f

Filesize: 512B
MD5: 8c7306a2041836d13210aea78af39c53
SHA1: b7080f4175e56926175f58590295e7cd42d7678f
SHA256: b5571589ab0fc06aff1ed55624c5b88eb52def6e5469004d4290821c5632e630
SHA512: 58eecfded9a5dbc3546e53d666a8835bbb93b7da564b5616f768d254a397805809ebefc2399ec74c46f1959b73c671e2ae881d7819a7418a190549fe766b84b3

Filesize: 217KB
MD5: 195c49a5724b31ef3caee94c83696655
SHA1: b8ccf58c8fc75ad4fdc49694c89da107a29b7f9a
SHA256: d39631c1f117e47db01a05ea2cca7fed2ef4ec5a23bf7f908a32f1e11a7113f5
SHA512: 94a5d92a4ab1dc236f03d9d1e15f558a72376f7760ab052a1234f7a63771dd6e131139d721371a9c7d4f8877b934c162d7a12fff6dd93f62e5ea80b66bfef647

Filesize: 487KB
MD5: 58bb2e6d125fed516ca688e5a0786dad
SHA1: 1b21da6c00b526ca4f08bbea15991a7b3c3804d6
SHA256: 689cd59cb0c9abc0fea97674299f078d724b8eecf7994968a59490796fb09bf1
SHA512: 00f5bf0c319f7b778593d5955dc937d5d6b2f7a6f50ffa875ff9a80b5b6f07732da4ffb373bcc492f1641e66a870ab615211ede169693a47f114d7985da4b60e