Analysis
-
max time kernel
169s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
17/03/2024, 01:35
Behavioral task
behavioral1
Sample
edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
Resource
win7-20240221-en
General
-
Target
edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
-
Size
386KB
-
MD5
63f8ca27ddacce225638a34121edadde
-
SHA1
70f897e4e843388f656269c5257d7d62b9ce94a8
-
SHA256
edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771
-
SHA512
19687aff5e1e59da7b52bb76e8da49c9e5cf071ea1166484610b681c88c209cd3589aacf673a75eaeec9e0165aca792548884ffec40a75d15f52b9b86f398b45
-
SSDEEP
6144:1soTOQcDCbE8qLi6mADXdJ2dcoARXDR6YZbus8Z+2vFJhcemcyOpG8h:WalcDCbE8qlmx8RkeS+MJueQi
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
-
Deletes itself 1 IoCs
pid Process
2564 cmd.exe
-
Executes dropped EXE 2 IoCs
pid Process
2492 seejd.exe
1580 ramad.exe
-
Loads dropped DLL 2 IoCs
pid Process
2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
2492 seejd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process
1580 ramad.exe (51 identical entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2808 wrote to memory of 2492 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 27
PID 2808 wrote to memory of 2492 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 27
PID 2808 wrote to memory of 2492 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 27
PID 2808 wrote to memory of 2492 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 27
PID 2808 wrote to memory of 2564 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 28
PID 2808 wrote to memory of 2564 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 28
PID 2808 wrote to memory of 2564 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 28
PID 2808 wrote to memory of 2564 2808 edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe 28
PID 2492 wrote to memory of 1580 2492 seejd.exe 32
PID 2492 wrote to memory of 1580 2492 seejd.exe 32
PID 2492 wrote to memory of 1580 2492 seejd.exe 32
PID 2492 wrote to memory of 1580 2492 seejd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808
-
  C:\Users\Admin\AppData\Local\Temp\seejd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\seejd.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2492
  -
    C:\Users\Admin\AppData\Local\Temp\ramad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ramad.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
  -
  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  - Deletes itself
  PID:2564
-
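The process tree above shows the three behaviours worth turning into detection logic: an executable in the user's Temp directory launching further executables from Temp (edd558...exe -> seejd.exe -> ramad.exe), the dropper handing a Temp batch file to cmd.exe to remove itself (_uinsey.bat), and the Urelas C2 addresses from the Malware Config section. The following Python script is an added example, not part of this sandbox report or of the sample's own code. It encodes those three patterns as rules and runs them over constructed process and network events that mirror the report's tree; it generalises beyond this sample to any Temp executable chain and any Temp batch file passed to cmd.exe. The rule names, the parent PID 1000 of the sample, the notepad.exe control event, and the destination port are assumptions; the report's Network section is empty, so the C2 connection event is constructed, not observed.

```python
"""
Added example, not part of the sandbox report or of the Urelas sample:
encode the behaviours the report shows as simple detection rules and run
them over constructed events mirroring the report's process tree.
"""
import re
from dataclasses import dataclass

# C2 addresses exactly as listed under "Malware Config" in the report.
URELAS_C2 = {"1.234.83.146", "133.242.129.155", "218.54.31.226", "218.54.31.165"}

# Matches a path under the per-user Temp directory used by every dropped file here.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# cmd /c "<temp>\something.bat": the self-delete stub seen as _uinsey.bat in the
# report. Leading quotes are optional because the report shows cmd /c ""<path>" ".
TEMP_BAT_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*([A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[^"]*\.bat)"',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


def detect(procs, nets):
    """Return (rule, pid, detail) tuples. Rule names are hypothetical."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        parent_in_temp = parent is not None and bool(TEMP_RE.search(parent.image))
        # Rule 1: an executable running from %TEMP% starts another one from %TEMP%
        # (edd558...exe -> seejd.exe -> ramad.exe in the report).
        if parent_in_temp and TEMP_RE.search(p.image) and p.image.lower().endswith(".exe"):
            findings.append(("temp_exe_chain", p.pid, f"{parent.image} -> {p.image}"))
        # Rule 2: a %TEMP% executable hands a %TEMP% batch file to cmd.exe, the usual
        # way a dropper removes its own file once the payload is running.
        m = TEMP_BAT_RE.search(p.cmdline)
        if m and parent_in_temp:
            findings.append(("temp_bat_self_delete", p.pid, m.group(1)))
    # Rule 3: any process talking to an address from the extracted config.
    for n in nets:
        if n.dst_ip in URELAS_C2:
            findings.append(("urelas_c2_contact", n.pid, f"{n.dst_ip}:{n.dst_port}"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe"
SEEJD = TEMP + r"\seejd.exe"
RAMAD = TEMP + r"\ramad.exe"

# Constructed events. PIDs, images and command lines follow the report's process
# tree; the parent PID 1000 of the sample and the notepad.exe control are assumed.
PROC_EVENTS = [
    ProcEvent(2808, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2492, 2808, SEEJD, f'"{SEEJD}"'),
    ProcEvent(2564, 2808, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
    ProcEvent(1580, 2492, RAMAD, f'"{RAMAD}"'),
    ProcEvent(3000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# The report's Network section is empty, so this connection is constructed, not
# observed; the destination port is an assumption.
NET_EVENTS = [
    NetEvent(1580, "1.234.83.146", 80),
    NetEvent(3000, "198.51.100.7", 443),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(PROC_EVENTS, NET_EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Run as-is, the script reports two temp_exe_chain hits (PIDs 2492 and 1580), one temp_bat_self_delete hit for the cmd.exe instance (PID 2564), and one urelas_c2_contact hit for ramad.exe; the sample itself (launched from outside Temp) and the notepad.exe control produce nothing. Rule 2 deliberately requires the parent to live in Temp, so a user double-clicking a batch file in their Temp folder is not flagged on its own.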
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
340B
MD5 5de5a24b2248d5b4b4758d811bb82e98
SHA1 e4e9e2759ca498ebeb4f26226f709e6d6ccfa3d3
SHA256 fb65b262f8c267fd370bf55cebb570927668dd814968428262e92a6b6cb76e25
SHA512 e1230a655127643c7d24ee1a4c299f2fb87d12e774c25afd6a2455a0617ac7d014d35ba7bd7612aaaed46491e499ce907eb9bedc1ce869b75771a218ad385c6f
-
Filesize
512B
MD5 668b842c1f44a1ef25fcbeede97b1364
SHA1 8607b95423c33b90315ae2b37834ca2b7e6494ee
SHA256 b31da2465570429a1e24cc679f9c8bdf03fbd9faf99162c797ae2efc4d7d6205
SHA512 67c97f0952be0551154639b1862d477722795eb96d0d8f18a3312d2f34c1fc68a40864071d3dee9b751df688e0e7a76801ea641ba03cf9c12de610d7dc69a837
-
Filesize
212KB
MD5 6fef2650c175bd51089427a0ac37559c
SHA1 ac5a49485a682c3611c247c9b67e529f4ccb5270
SHA256 0651c2721e6819c341cc7f7a1cd9369728eb3ad11f4beca35ea1abf9cc571f44
SHA512 407714a93725ea5553fb139375a6899614e402a1c2eb7c8d29ce686422014c575949094b6c7af994ff8ec5eadbe0e347d4c14ab82af1dbac4877542dff4be145
-
Filesize
386KB
MD5 0568705ae35d1dfa13dcec035a5a9280
SHA1 a2c3895873d5fc271ac204b1148bee1da803cf9f
SHA256 e0ee7a184c27adb7263b53faa35196c7fa68a3617f2070cdb90a8af71e1ac736
SHA512 9a8ffd5e3340ec73bd6f2ed4e1a2a6087f540016e4b8115f33d886d42a36f75d4b9c30b6efc47a58f590ea4590b693cafc00253a3deee4c98f6e85d3d5ab3439