Analysis
max time kernel: 157s
max time network: 130s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/03/2024, 01:51
Behavioral task: behavioral1
Sample: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
Resource: win7-20240221-en
General
Target: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
Size: 406KB
MD5: 891bf6404527fad1fe321fa5a2ba7281
SHA1: 98ec4fb028e8caa6703062c31d83612c51b58d30
SHA256: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a
SHA512: 6e4181cbc999981f13dc4967a4359a42c0edd2f02a41d3cde91c2ac9f6f09bfa92f354b039c9da330b2a8ffc718d6e93535aa4348743dc226989c13d3a811978
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohPS:8IfBoDWoyFblU6hAJQnO0
Malware Config
Extracted family: urelas
Extracted addresses:
  218.54.31.165
  218.54.31.226
Signatures

Deletes itself (1 IoC)
  pid   Process
  1564  cmd.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  3004  jijui.exe
  2768  isnuso.exe
  2624  pojin.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2716  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
  2716  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
  3004  jijui.exe
  3004  jijui.exe
  2768  isnuso.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid   Process
  2624  pojin.exe (all 54 events are attributed to this one process)

Suspicious use of WriteProcessMemory (20 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2716 wrote to memory of 3004   2716  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe    28
  PID 2716 wrote to memory of 1564   2716  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe    29
  PID 3004 wrote to memory of 2768   3004  jijui.exe                                                                31
  PID 2768 wrote to memory of 2624   2768  isnuso.exe                                                               34
  PID 2768 wrote to memory of 1368   2768  isnuso.exe                                                               35
  Each of the five rows above is recorded four times in the report, giving the 20 IoCs.
Processes (parent/child tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"
   PID: 2716
   Loads dropped DLL; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\jijui.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jijui.exe" hi
      PID: 3004
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\isnuso.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\isnuso.exe" OK
         PID: 2768
         Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\pojin.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\pojin.exe"
            PID: 2624
            Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 1368

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 1564
      Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads