Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/03/2024, 00:15
Behavioral task: behavioral1
Sample: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
Resource: win7-20240221-en
General
Target: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
Size: 260KB
MD5: 07d5270febab755b5234260f8d4b5744
SHA1: 82b0db40bfb8dab500edc1f81712334fa546c5e0
SHA256: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610
SHA512: 8944fcc7c63e98407e41dcc9b46b526ef075f7bcd0cc475b1cf37d838e9c1243f4b124f2bea1412388a4b1975639e4087793756d5e64fa641edfbe6a4ba3018d
SSDEEP: 1536:DuhL7dKJY/aTztv1UF7+RcbpP/iOOaDXl32oNIVelT2r9ZLzi/4kgg57lmKwrr5n:GBKBy7+8pCOH1ch9ZLqrwrr58VX7C
Malware Config
Extracted
Family: urelas
C2:
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Deletes itself (1 IoC)
pid | Process
2628 | cmd.exe

Executes dropped EXE (1 IoC)
pid | Process
2956 | nyrin.exe

Loads dropped DLL (2 IoCs)
pid | Process
1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1380 wrote to memory of 2956 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 28
PID 1380 wrote to memory of 2956 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 28
PID 1380 wrote to memory of 2956 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 28
PID 1380 wrote to memory of 2956 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 28
PID 1380 wrote to memory of 2628 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 29
PID 1380 wrote to memory of 2628 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 29
PID 1380 wrote to memory of 2628 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 29
PID 1380 wrote to memory of 2628 | 1380 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 29
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe (PID 1380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\nyrin.exe (PID 2956)
        Command line: "C:\Users\Admin\AppData\Local\Temp\nyrin.exe"
        - Executes dropped EXE

    [depth 2] C:\Windows\SysWOW64\cmd.exe (PID 2628)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        - Deletes itself
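The WriteProcessMemory signature above lists eight rows but the process tree has only two children: each row is one memory write into a freshly created child, so the rows have to be collapsed before they are useful as a tree. The following is an added example, not part of this report or of the sandbox's own tooling, that parses those rows, rebuilds the tree, and re-derives the report's "Executes dropped EXE" and "Deletes itself" verdicts from the command lines alone. The input strings are copied from this report; the two rules (dropped EXE = child image in the sample's own directory, self-delete = cmd /c on a .bat in that same directory) are the author's own heuristics, not the sandbox's signature logic.

```python
"""Rebuild the process tree and re-derive two report verdicts from the raw IoC rows.

Added example, not part of the sandbox report or the sandbox's own code.
All input below is copied from this report; the rule definitions are the author's.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# The eight rows of the report's "Suspicious use of WriteProcessMemory" signature
# (four identical rows per child, exactly as listed).
# Row layout: PID <src> wrote to memory of <dst> <src> <image> <procid_target>
WPM_IOCS = "\n".join(
    [f"PID 1380 wrote to memory of 2956 1380 {SAMPLE} 28"] * 4
    + [f"PID 1380 wrote to memory of 2628 1380 {SAMPLE} 29"] * 4
)

# pid -> (image path, command line), copied from the report's Processes section.
PROCESSES = {
    1380: (TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    2956: (TEMP + "\\nyrin.exe", '"' + TEMP + '\\nyrin.exe"'),
    2628: (r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + TEMP + '\\_uinsey.bat" "'),
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ (\d+)")


def parse_wpm(text):
    """Collapse the write rows into unique (parent, child) edges with a write count.

    Repeated rows are separate writes into the same new child during process
    creation, not separate children, so the tree builder must dedupe them.
    """
    edges = defaultdict(int)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(edges)


def render_tree(edges, processes, root):
    """Return indented text lines for the process tree rooted at `root`."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        image, cmdline = processes[pid]
        lines.append("    " * depth + f"{pid} {image}  [{cmdline}]")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def findings(edges, processes, sample_pid):
    """Re-derive 'Executes dropped EXE' and the self-delete batch pattern.

    Rule 1 (author's heuristic): a child whose image lives in the sample's own
            directory but is not the sample itself is treated as a dropped EXE.
    Rule 2 (author's heuristic): a child cmd.exe run with /c on a .bat in that
            same directory is the usual delete-the-dropper pattern.
    """
    sample_image = processes[sample_pid][0].lower()
    sample_dir = ntpath.dirname(sample_image)
    out = []
    for (parent, child), _writes in edges.items():
        if parent != sample_pid:
            continue
        image, cmdline = processes[child]
        name = ntpath.basename(image).lower()
        if ntpath.dirname(image.lower()) == sample_dir and image.lower() != sample_image:
            out.append(("executes_dropped_exe", child, name))
        bat = re.search(r'"([^"]+\.bat)"', cmdline, re.IGNORECASE)
        if (name == "cmd.exe" and "/c" in cmdline.lower() and bat
                and ntpath.dirname(bat.group(1).lower()) == sample_dir):
            out.append(("self_delete_batch", child, bat.group(1)))
    return out


if __name__ == "__main__":
    tree = parse_wpm(WPM_IOCS)
    print("\n".join(render_tree(tree, PROCESSES, 1380)))
    for verdict in findings(tree, PROCESSES, 1380):
        print(verdict)
```

The dedupe step matters when feeding sandbox IoCs into a detection pipeline: counting rows instead of unique (parent, child) pairs would inflate a simple dropper into eight "injections". Note that the batch file's content is not in the report, so the self-delete rule can only say that a .bat from the drop directory was launched via cmd /c; the "Deletes itself" verdict itself comes from the sandbox observing the deletion.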
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: efe3a284e74e73225b2f37295f7f8c32
SHA1: b66161ff254687c688abcf92338a38f7b1caf0fe
SHA256: 71d5c10547bba70a33b5ef3ce30d69ccd639a9a667e465214db686a83b00309a
SHA512: dc2811b0477b9d8d5afeda41cc93aa7dd3225da067e99e16aefbe236c9d9f8478667869f5d7d5d2230e87f7699c89e2bd128d77ed635928730eb23d080f55928

Filesize: 512B
MD5: 70c39d5317c368dc065cf2572ab555ee
SHA1: e6608ee151cd5a0d512afebd7c1ff1f5559cc936
SHA256: 3a65468115898a153bd2aa172a373101becd8615478f941705924ab60f3f48bd
SHA512: 4c1e85e81a28e9809b726ce63b8dd1251edfe05f47afd8cdf1897e46c2de5aca731b2a1b42718a1e80040d321a2ce6727dc187e3e623f3e27928f4201f3708bc

Filesize: 260KB
MD5: 562a70e375581b0366eb230d673804e2
SHA1: 02508ef528589514b4b4222a9afc5694d272c0e8
SHA256: aeeb067361a045ae4f0e828ba8d574bd7366336f4fe025e84c03fb20618f8011
SHA512: 35a2397e338d230b7d3a6425e089feae7403bf5ad0b3c32d1c98096ced9b5498109f796882bfa04943a64fe48b4b89ecde35254ed8455550c3ba63a5469e01d8