Analysis
max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
17/03/2024, 03:40
Behavioral task
behavioral1
Sample
cfd5c1aa6724937811319258b8ef1acf.exe
Resource
win7-20240221-en
General
Target
cfd5c1aa6724937811319258b8ef1acf.exe
Size
445KB
MD5
cfd5c1aa6724937811319258b8ef1acf
SHA1
bc03f8c15cc1ff46eb8fc3af6d3b835001b2d242
SHA256
a4ba88a728adc6608e0589a1b1f473e1c3b841d7b3b074735e89de4896c56d9c
SHA512
62d1a0c91dea0ebba830c9d6a9eb3e3e474121e1ec9c76ecd3e45c2997bd3c6897e3b5935e4cc857e79c12275ae4811f78f40d537158f276a978d860a4451908
SSDEEP
6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoL:PMpASIcWYx2U6hAJQnH
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
Deletes itself (1 IoC)
  pid   Process
  1268  cmd.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  2088  ygleg.exe
  2540  duloxo.exe
  356   simyc.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  2004  cfd5c1aa6724937811319258b8ef1acf.exe
  2088  ygleg.exe
  2540  duloxo.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid   Process
  356   simyc.exe   (all 55 events are from this one process)
Suspicious use of WriteProcessMemory (20 IoCs)
  Five distinct parent-to-child writes, each logged four times in the report:
  description                        pid   Process                                procid_target
  PID 2004 wrote to memory of 2088   2004  cfd5c1aa6724937811319258b8ef1acf.exe   28
  PID 2004 wrote to memory of 1268   2004  cfd5c1aa6724937811319258b8ef1acf.exe   29
  PID 2088 wrote to memory of 2540   2088  ygleg.exe                              31
  PID 2540 wrote to memory of 356    2540  duloxo.exe                             34
  PID 2540 wrote to memory of 2156   2540  duloxo.exe                             35
Processes
(1) C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe"
    PID: 2004
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\ygleg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ygleg.exe" hi
      PID: 2088
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    (3) C:\Users\Admin\AppData\Local\Temp\duloxo.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\duloxo.exe" OK
        PID: 2540
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      (4) C:\Users\Admin\AppData\Local\Temp\simyc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\simyc.exe"
          PID: 356
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
      (4) C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
          PID: 2156
  (2) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 1268
      - Deletes itself
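The process tree and the WriteProcessMemory table above describe a four-stage drop chain (the submitted sample launches ygleg.exe with the argument "hi", which launches duloxo.exe with "OK", which launches simyc.exe) plus two cmd.exe instances that run a batch file named _vslite.bat out of the user's Temp directory, the second of which the sandbox flags as self-deletion. One practitioner caveat: every "wrote to memory of" entry here is from a parent into the child it has just spawned, and each is logged four times, which is what ordinary process creation looks like in this kind of telemetry rather than injection into a foreign process. The script below is an added example, not part of the sandbox report or the Urelas analysis: it takes the pids, command lines, write events and extracted C2 addresses exactly as listed on this page (the records are copied from the report, not collected live), rebuilds the lineage from the write events, recovers the per-stage argument tokens, and flags the Temp-directory batch launchers. The regular expression and the helper names are this example's own choices.

```python
import re
from collections import defaultdict

# Process records copied from the report above: pid -> (image name, command line).
PROCESSES = {
    2004: ("cfd5c1aa6724937811319258b8ef1acf.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe"'),
    2088: ("ygleg.exe", r'"C:\Users\Admin\AppData\Local\Temp\ygleg.exe" hi'),
    2540: ("duloxo.exe", r'"C:\Users\Admin\AppData\Local\Temp\duloxo.exe" OK'),
    356:  ("simyc.exe", r'"C:\Users\Admin\AppData\Local\Temp\simyc.exe"'),
    2156: ("cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'),
    1268: ("cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'),
}

# "PID X wrote to memory of Y" events as (writer pid, target pid). The report lists
# each pair four times; the duplicates are reproduced so that collapsing them is
# part of what build_tree() has to do.
WPM_EVENTS = ([(2004, 2088)] * 4 + [(2004, 1268)] * 4 + [(2088, 2540)] * 4
              + [(2540, 356)] * 4 + [(2540, 2156)] * 4)

# C2 addresses from the extracted Urelas config on this page.
C2_IPS = ["218.54.31.165", "218.54.31.226"]


def build_tree(events):
    """Map writer pid -> ordered, de-duplicated list of target pids."""
    tree = defaultdict(list)
    for parent, child in events:
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)


def lineage(tree, pid):
    """Pid chain from the root of the tree down to `pid` (root first)."""
    parent_of = {c: p for p, kids in tree.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def stage_arguments(processes, chain):
    """(image, trailing argument) for each pid in `chain`; '' when nothing follows the path."""
    out = []
    for pid in chain:
        image, cmdline = processes[pid]
        # Command lines on this page start with the quoted image path; whatever
        # follows the closing quote is the stage token ("hi", "OK").
        arg = cmdline.split('"', 2)[2].strip() if cmdline.startswith('"') else ""
        out.append((image, arg))
    return out


# Assumption of this example: "cmd /c" running a .bat under AppData\Local\Temp is the
# launcher shape worth flagging; tighten or widen the pattern for your own telemetry.
_TEMP_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*.*\\appdata\\local\\temp\\[^"]+\.bat', re.I)


def temp_batch_launchers(processes):
    """Sorted pids of cmd.exe instances running a batch file from the user's Temp dir."""
    return sorted(pid for pid, (image, cmdline) in processes.items()
                  if image.lower() == "cmd.exe" and _TEMP_BAT.search(cmdline))


def ioc_summary(processes, tree, c2_ips):
    """Dropped executables (everything that is neither the root nor cmd.exe) plus C2 IPs."""
    parent_of = {c for kids in tree.values() for c in kids}
    roots = {p for p in tree if p not in parent_of}
    dropped = sorted({image for pid, (image, _) in processes.items()
                      if pid not in roots and image.lower() != "cmd.exe"})
    return {"dropped_exe": dropped, "c2_ips": sorted(c2_ips)}


if __name__ == "__main__":
    tree = build_tree(WPM_EVENTS)
    chain = lineage(tree, 356)
    print("drop chain:", " -> ".join(f"{img} {arg}".strip() for img, arg in stage_arguments(PROCESSES, chain)))
    print("Temp batch launchers:", temp_batch_launchers(PROCESSES))
    print("IOCs:", ioc_summary(PROCESSES, tree, C2_IPS))
```

Run stand-alone it prints the chain cfd5c1aa...exe -> ygleg.exe hi -> duloxo.exe OK -> simyc.exe, the two cmd.exe pids (1268 and 2156), and the dropped-file and C2 lists; feeding it live sandbox JSON instead of the copied records is a matter of replacing the two constants.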
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276B
MD5: 65fd3a13a52c711374fd6ddd251f4568
SHA1: 5e03bab03cd1243d2381f725b1b70b505d88b236
SHA256: 3caab30d0f3b69820e0cfdf003a77831da6e053417d8ecb744a4b097122ef4b0
SHA512: 5858224a2f573c9bf6034be522b21500bcae5066b6d56a0d4709095ef500ec1e9224b46633bb23dbee58ae4abc715d8fda698657fe9d5adbd01459b063623bae

Filesize: 224B
MD5: 5583b82a3be6ed8b547e222bfceec3f1
SHA1: 05c3bfa771aae75842fc5a0327a69246f2775dfa
SHA256: 986fa65fc9595c06ed90e9403fcdfd085df8c9598d78fd8156fdb2d40737fd03
SHA512: e140a14aa6f25e34b683c1e8b3b74d6e442766a8c445df7e923f46fdf18a5586447a828a9c330e5f007f28a84e4a8d96889219adb0769346ea65a821c5a5fead

Filesize: 445KB
MD5: f9bad2a336f0fdfbb02390e6329e5425
SHA1: 145558c3254d4ac773b43dcb77e657a5497935dc
SHA256: 86c5bf0c174c305036f7aeb4cbed7ca79ce3bb8032c71dcc4aaa79a76d6a6ae2
SHA512: cf16e147af3655f5731c76dcc1edafdce5e29bde49e1e8532f33e0f8d3790064a308519a3b2d4bc421ad3a2fbd493f7c9c18d82803270908e75a713c65ac9077

Filesize: 512B
MD5: 3598d114d7086fd1cc2bfb5853f9d900
SHA1: 170bd1f4831aca145318380536f73141d1549edd
SHA256: ccd56ffaeedeef855550b6f10efeacb133452f36475d0f108b5b0e3592b03815
SHA512: 2a49d76d3ee4994e5099fdbd1f2e08be3fba8f548c01f72637f4bd02924c1615110d9f6521a8501cb41259e9002c6114a4bd0002bf5ad26ed484f34e92182aef

Filesize: 223KB
MD5: 2a84363eb633d17990f7bf2169aa5c54
SHA1: d4e509b6c002e934a3520ce538d277610649b380
SHA256: ff92e3e5bb7d3d2205ca1aada8774146c2d8abd88b95288612d7eade2b93cda2
SHA512: fb5e79113cc9e635ae884f93e2337bfb362163ce2fb7dc22f6798f1660f992c7f106f9a3b7b0df8e8abbfadc33dcd5f9a2e4530b5931a282b0e1b8e53174c551

Filesize: 445KB
MD5: 9ac5c56008564d493791fd16f533ced3
SHA1: 15f136d84ad7d84d885724da029aee91181387e8
SHA256: f4436b9f15c3131a3a791d5fe45c127a3cd52dee67b470cbe08e53e8e2cb5fc5
SHA512: fd1177c8f136005baea1a6bc65076aec126deb1d4d48ffa0dccbbb67eee255f2839b661613da3f0549b51c3ba5523a37bee37946bb7186c0a9a17a56c430dbc8