Analysis
- max time kernel: 153s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16/03/2024, 21:14
Behavioral task: behavioral1
- Sample: 750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
- Resource: win7-20240221-en
General
- Target: 750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
- Size: 369KB
- MD5: 0b524fc54b4e624bdfd780d36da697c4
- SHA1: 8f091a1d18120e94b70338dab5cdec817a5a08de
- SHA256: 750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b
- SHA512: bf8e7719cb627ba5b41a031235cfe720f1fa1e7e909f6072601cfdc2e0185896f0e3020725c0b3eb354a1e9c118f5706495b1b632ef02a11013adbabdfb5a4b7
- SSDEEP: 6144:QYml0tyeXfs81owi4yoshiGGrcxV8HkaIHkvxDzU+0md/XAKqTr:NmXEfs81VJbryVYkaIHkvx/UX0AV/
Malware Config
Extracted: urelas
Addresses in the extracted configuration:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.30.235
- 218.54.31.165
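The five addresses above are the immediately actionable indicator from this run. The following script is an added example, not part of the sandbox report: it takes that address list and sweeps log lines for any connection touching one of them. The log lines are constructed for the example (a squid-style proxy line, a Windows Firewall pfirewall.log line and a benign line) and are not from the report; the address set itself is copied from the extracted configuration.

```python
import ipaddress
import re

# Addresses from the sample's extracted Urelas configuration (copied from the report above).
URELAS_C2 = {
    "1.234.83.146",
    "133.242.129.155",
    "218.54.31.226",
    "218.54.30.235",
    "218.54.31.165",
}

# Constructed sample log lines for the example (not from the report):
# a squid access.log line, a Windows Firewall pfirewall.log line, and a benign line.
SAMPLE_LOGS = [
    "1710623700.123   4521 10.0.0.25 TCP_MISS/200 612 GET http://218.54.31.226/ - HIER_DIRECT/218.54.31.226 text/html",
    "2024-03-16 21:15:02 ALLOW TCP 10.0.0.25 1.234.83.146 49712 80 0 - 0 0 0 - SEND",
    "2024-03-16 21:15:05 ALLOW TCP 10.0.0.25 93.184.216.34 49713 443 0 - 0 0 0 - SEND",
]

# Dotted-quad candidate that is not glued to more digits or dots on either side,
# so "1710623700.123" or "10.0.0.25.1" cannot yield a false partial match.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4(line):
    """Return the set of syntactically valid IPv4 literals found in one log line."""
    found = set()
    for token in IPV4.findall(line):
        try:
            # Rejects out-of-range octets such as 999.1.1.1 that the regex alone accepts.
            found.add(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue
    return found


def find_c2_hits(lines, c2=URELAS_C2):
    """Return [(line_number, matched_address), ...] for every line that touches a C2 address.

    One log line can mention the same address twice (proxy logs do); it is reported once.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(extract_ipv4(line) & c2):
            hits.append((n, ip))
    return hits


if __name__ == "__main__":
    for n, ip in find_c2_hits(SAMPLE_LOGS):
        print(f"line {n}: contact with Urelas address {ip}")
```

Because the match is on a parsed address rather than a substring, the sweep works unchanged across log formats, and the `ipaddress` validation step is what keeps a malformed token from producing a confident-looking false positive.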
Signatures
- UPX dump on OEP (original entry point), 7 IoCs
  resource / yara_rule:
  behavioral1/memory/1252-0-0x00000000013D0000-0x0000000001461000-memory.dmp  UPX
  behavioral1/files/0x000900000001227d-4.dat  UPX
  behavioral1/memory/3052-10-0x0000000000BF0000-0x0000000000C81000-memory.dmp  UPX
  behavioral1/memory/1252-18-0x00000000013D0000-0x0000000001461000-memory.dmp  UPX
  behavioral1/memory/3052-21-0x0000000000BF0000-0x0000000000C81000-memory.dmp  UPX
  behavioral1/memory/3052-34-0x0000000002DC0000-0x0000000002E7B000-memory.dmp  UPX
  behavioral1/memory/3052-36-0x0000000000BF0000-0x0000000000C81000-memory.dmp  UPX
- Deletes itself, 1 IoC
  pid 2636  cmd.exe
- Executes dropped EXE, 2 IoCs
  pid 3052  pygoc.exe
  pid 1888  ohkir.exe
- Loads dropped DLL, 2 IoCs
  pid 1252  750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
  pid 3052  pygoc.exe
- yara_rule upx, 7 IoCs (the signature name for this rule did not survive extraction): matched on the same seven resources listed under "UPX dump on OEP" above, tagged upx
- Enumerates physical storage devices, 1 TTP
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses, 52 IoCs
  pid 1888  ohkir.exe  (all 52 matches are from this one process)
- Suspicious use of WriteProcessMemory, 12 IoCs (each parent/child pair is recorded four times)
  source PID  target PID  source process  procid_target  records
  1252  3052  750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe  28  4
  1252  2636  750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe  29  4
  3052  1888  pygoc.exe  33  4
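The memory-dump resource names in the UPX signatures encode the PID, the dump sequence number and the virtual address range of each region, and reading them gives a quick first check on what was unpacked where. The parser below is an added example written for this page, not tooling from the sandbox, and it is applied to the seven resource names copied from the "UPX dump on OEP" signature. The field layout `<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` is inferred from those names and is an assumption about the naming scheme, not a documented format.

```python
import re

# Resource identifiers copied from the report's "UPX dump on OEP" signature.
UPX_RESOURCES = [
    "behavioral1/memory/1252-0-0x00000000013D0000-0x0000000001461000-memory.dmp",
    "behavioral1/files/0x000900000001227d-4.dat",
    "behavioral1/memory/3052-10-0x0000000000BF0000-0x0000000000C81000-memory.dmp",
    "behavioral1/memory/1252-18-0x00000000013D0000-0x0000000001461000-memory.dmp",
    "behavioral1/memory/3052-21-0x0000000000BF0000-0x0000000000C81000-memory.dmp",
    "behavioral1/memory/3052-34-0x0000000002DC0000-0x0000000002E7B000-memory.dmp",
    "behavioral1/memory/3052-36-0x0000000000BF0000-0x0000000000C81000-memory.dmp",
]

# Assumed layout of a memory-dump resource name (inferred from the names above).
MEMDUMP = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memdump(resource):
    """Parse one resource name into its fields, or return None for non-memory resources (.dat files)."""
    m = MEMDUMP.match(resource)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"non-positive region in {resource}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def region_sizes(resources):
    """Map (pid, start_address) -> region size, collapsing repeat dumps of the same region."""
    regions = {}
    for r in resources:
        d = parse_memdump(r)
        if d:
            regions[(d["pid"], d["start"])] = d["size"]
    return regions


def shared_image_sizes(regions):
    """Return {size: {pids}} for sizes dumped from more than one process.

    Equal-size unpacked regions in parent and child are the first thing to check
    when a dropped executable is suspected of being a copy of its parent.
    """
    by_size = {}
    for (pid, _), size in regions.items():
        by_size.setdefault(size, set()).add(pid)
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    regions = region_sizes(UPX_RESOURCES)
    for (pid, start), size in sorted(regions.items()):
        print(f"pid {pid}: 0x{start:X} size 0x{size:X} ({size} bytes)")
    print("sizes shared across processes:", shared_image_sizes(regions))
```

Run against the report's resources this yields three distinct regions: one 0x91000-byte region in PID 1252, one of the same size in PID 3052, and a second 0xBB000-byte region in PID 3052 (dump 34), the last being the one that diverges from the parent and is worth a closer look when pulling dumps for further analysis.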
Processes
1. PID 1252, image C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. PID 3052, image C:\Users\Admin\AppData\Local\Temp\pygoc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\pygoc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. PID 1888, image C:\Users\Admin\AppData\Local\Temp\ohkir.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\ohkir.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. PID 2636, image C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
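The process list and the WriteProcessMemory records describe the same parent/child relations from two angles, and when only the flattened signature text is available (for example from a stripped copy of a report) the tree can be rebuilt from the records alone. The script below is an added example for this page, not sandbox tooling: it reconstructs the twelve WriteProcessMemory records from the report one per line, collapses the four-fold repeats, and renders the tree. The PID-to-image map is copied from the process list above; the record layout it parses is the one shown in the signature and is assumed to be stable.

```python
import re
from collections import Counter, defaultdict

SAMPLE_EXE = "750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe"

# The 12 "Suspicious use of WriteProcessMemory" records from the report, one per line:
# "PID <src> wrote to memory of <dst> <src> <source image> <procid_target>".
WPM_RECORDS = (
    [f"PID 1252 wrote to memory of 3052 1252 {SAMPLE_EXE} 28"] * 4
    + [f"PID 1252 wrote to memory of 2636 1252 {SAMPLE_EXE} 29"] * 4
    + ["PID 3052 wrote to memory of 1888 3052 pygoc.exe 33"] * 4
)

# PID -> image name, copied from the report's process list.
PROCESS_NAMES = {1252: SAMPLE_EXE, 3052: "pygoc.exe", 2636: "cmd.exe", 1888: "ohkir.exe"}

# Assumed record layout; the back-reference insists the repeated source PID agrees with itself.
WPM = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_wpm(records):
    """Collapse repeated records into {(src_pid, dst_pid): count}; reject malformed lines."""
    edges = Counter()
    for rec in records:
        m = WPM.match(rec)
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory record: {rec!r}")
        edges[(int(m["src"]), int(m["dst"]))] += 1
    return edges


def build_tree(edges):
    """Return (roots, children): roots are PIDs never written to, children keeps record order."""
    children = defaultdict(list)
    for src, dst in edges:  # Counter preserves first-seen order of keys
        if dst not in children[src]:
            children[src].append(dst)
    written_to = {dst for _, dst in edges}
    roots = list(dict.fromkeys(src for src, _ in edges if src not in written_to))
    return roots, dict(children)


def render(pids, children, names, depth=0):
    """Indented one-line-per-process rendering of the tree rooted at each PID in pids."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        lines.extend(render(children.get(pid, []), children, names, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_RECORDS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, PROCESS_NAMES)))
```

The rendered tree matches the process list on the page: the submitted sample spawns pygoc.exe and the cmd.exe that runs the self-delete batch file, and pygoc.exe in turn spawns ohkir.exe. Rebuilding it this way also surfaces any parent/child pair that appears in the signature but not in the process list, which is the case to chase when the two disagree.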
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 9eb0662062290c9925510552d7049754
  SHA1: f9c1f3c9b51d68a50f51e4b2d39302d95f5263ff
  SHA256: 49c60b3efcd404aead3541b79d0f9eb19f05d5461726ca5000a13123fde8f1df
  SHA512: 3d879450fda5c8543405fffabc01c091d293217aabe82c1ac85af440d5e18356418dc78caae227e3fb425e792c9aec6ffe094cf424e2b0b9b7fbfafaa042cce3
- Filesize: 512B
  MD5: 04574147939b1cae56bfbb43774102f6
  SHA1: e41702d1c5c3543b9e0bb092c579729b17688ded
  SHA256: 637b7c17a2710c2d4fe1177375346420fb792601f74b22f1e861b8fefadecb6d
  SHA512: 7c91c840fa19c6cf5b3534a670f8fc748b9dd377d1db15bc335d9f5b933ca679969a272442cd135aa1c680e21aa50891bed76c71d034ecef91ea0ab9b21eade4
- Filesize: 218KB
  MD5: 3e2c3fcbe665bd3e3a1b1a8728db28a0
  SHA1: 11cb41fef079acf33a425a6df62c1546ad7c4fc8
  SHA256: 08706903c691ff14b5fb5a509988ed039a51311d2ce1b463c624dad007881804
  SHA512: 464c9acf7fdf670559e7b6d7178a8a4e3e597c1da0bbe2c77ea5e982fff2e0aec9a94c5a09fa244c5a467aac60d4035a357d869b793f23f8b7c3c250fd63ae1d
- Filesize: 369KB (same size as the submitted sample, but different hashes)
  MD5: a52f173724a7b0b0a6d71dda0b8c1b09
  SHA1: 1239fcf121521f5efdcd5cacc84385c3aa7517c5
  SHA256: ff940db8cefeb58fe3ff1da8436fced49bc1a50e4c6fb6d46543ef9baaadcd69
  SHA512: 66accd631a7a569c7b3d0a64b248d75a25f2ce2d6bb9b7c89326cf9bd1960b7c6670746d0b63eb595be5cc3e42cfd0b1d61e2092de35fef18931335a9f2c6878