Analysis
- max time kernel: 149s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17/03/2024, 01:36
Behavioral task: behavioral1
- Sample: cf98e1c96efb311bbd871d0e2b974135.exe
- Resource: win7-20240221-en
General
- Target: cf98e1c96efb311bbd871d0e2b974135.exe
- Size: 402KB
- MD5: cf98e1c96efb311bbd871d0e2b974135
- SHA1: 03e7db2575c8f88ee65107f33d9a260a15ccdb0f
- SHA256: d14e7af0587c40e259d8b3400b9754d2df6359b3df0e522d261c9b9d117d3167
- SHA512: d7f2ffffcf4294fa8451ab71a018bd8f269c6895739ffd44868f075bc5ad7e7c7e0f8fd224c2e3cad3a60f3dcbedc5b965d99fd349632ab4997d085686cec934
- SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh2:8IfBoDWoyFblU6hAJQnOg
Malware Config
- Extracted configuration, family: urelas
- Addresses: 218.54.31.165, 218.54.31.226
Signatures
- Deletes itself (1 IoC)
  pid 2656 cmd.exe
- Executes dropped EXE (3 IoCs)
  pid 1944 ajsof.exe; pid 2096 azyjhu.exe; pid 1236 jifij.exe
- Loads dropped DLL (5 IoCs)
  pid 2276 cf98e1c96efb311bbd871d0e2b974135.exe (2 events); pid 1944 ajsof.exe (2 events); pid 2096 azyjhu.exe (1 event)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 1236 jifij.exe (55 events)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2276 cf98e1c96efb311bbd871d0e2b974135.exe wrote to memory of 1944, procid_target 28 (4 events)
  PID 2276 cf98e1c96efb311bbd871d0e2b974135.exe wrote to memory of 2656, procid_target 29 (4 events)
  PID 1944 ajsof.exe wrote to memory of 2096, procid_target 31 (4 events)
  PID 2096 azyjhu.exe wrote to memory of 1236, procid_target 34 (4 events)
  PID 2096 azyjhu.exe wrote to memory of 2040, procid_target 35 (4 events)
Processes
- [depth 1, PID 2276] C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [depth 2, PID 1944] C:\Users\Admin\AppData\Local\Temp\ajsof.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ajsof.exe" hi
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [depth 3, PID 2096] C:\Users\Admin\AppData\Local\Temp\azyjhu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\azyjhu.exe" OK
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - [depth 4, PID 1236] C:\Users\Admin\AppData\Local\Temp\jifij.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\jifij.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - [depth 4, PID 2040] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  - [depth 2, PID 2656] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads