c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246

Analysis

max time kernel
147s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 02:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246.exe
Size

61KB
MD5

5d5c865544d4451d7e82b15a8104e8f5
SHA1

77fc27c275d341d3a03f87fa3d420734b1e541c7
SHA256

c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246
SHA512

c20d3e0251c7e09fa50f3bee98faffdd49bf262baff6506cdc0405882a8bc40b817c060d9ae6b8dbb392ff611a74f9e5b0caafb709e54804f43d1cefbe221479
SSDEEP

768:veJIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uA:vQIvEPZo6Ead29NQgA2wQle5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1556	ewiuer2.exe
4376	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1556	2408	c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246.exe	90
PID 2408 wrote to memory of 1556	2408	c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246.exe	90
PID 2408 wrote to memory of 1556	2408	c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246.exe	90
PID 1556 wrote to memory of 4376	1556	ewiuer2.exe	100
PID 1556 wrote to memory of 4376	1556	ewiuer2.exe	100
PID 1556 wrote to memory of 4376	1556	ewiuer2.exe	100

C:\Users\Admin\AppData\Local\Temp\c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246.exe
"C:\Users\Admin\AppData\Local\Temp\c8c1317e92d7cecf33854434715e93ecbc52a7d41cca6308166b37fda520c246.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2276

Network

DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

mkkuei4kdsz.com

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

mkkuei4kdsz.com

IN A

Response

mkkuei4kdsz.com

IN A

64.225.91.73
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR
GET

http://mkkuei4kdsz.com/541/202.html

ewiuer2.exe

Remote address:

64.225.91.73:80

Request

GET /541/202.html HTTP/1.1
From: 133581411839512801
Via: goqjiuq^uiv@77:bcrhe@9^serdq=4403435bovA6541aoe|Acd=4ejcee09=0d714j6g4cii8;:64=3i
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.18.0 (Ubuntu)
date: Sun, 21 Apr 2024 02:46:53 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
DNS

73.91.225.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.91.225.64.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

ow5dirasuek.com

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

ow5dirasuek.com

IN A

Response

ow5dirasuek.com

IN A

34.41.229.245
GET

http://ow5dirasuek.com/664/509.html

ewiuer2.exe

Remote address:

34.41.229.245:80

Request

GET /664/509.html HTTP/1.1
From: 133581411839512801
Via: goqjiuq^uiv@77:bcrhe@9^serdq=4403435bovA6541aoe|Acd=4ejcee09=0d714j6g4cii8;:64=3i
Host: ow5dirasuek.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 21 Apr 2024 02:47:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=b248ed8f5fdd7ab20d7961c8dcfdb8d6|191.101.209.39|1713667634|1713667634|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

245.229.41.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.229.41.34.in-addr.arpa

IN PTR

Response

245.229.41.34.in-addr.arpa

IN PTR

2452294134bcgoogleusercontentcom
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A

Response
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A

Response
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR
GET

http://mkkuei4kdsz.com/664/488.html

ewiuer2.exe

Remote address:

64.225.91.73:80

Request

GET /664/488.html HTTP/1.1
From: 133581412394980745
Via: bjledplYpdq;225]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^_8/`e^``+48+_2,/e1b/^dd3651/8.d
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.18.0 (Ubuntu)
date: Sun, 21 Apr 2024 02:47:46 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
GET

http://mkkuei4kdsz.com/991/992.html

ewiuer2.exe

Remote address:

64.225.91.73:80

Request

GET /991/992.html HTTP/1.1
From: 133581412394980745
Via: bjledplYpdq;225]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<^_8/`e^``+48+_2,/e1b/^dd3651/8.d
Host: mkkuei4kdsz.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

server: nginx/1.18.0 (Ubuntu)
date: Sun, 21 Apr 2024 02:48:34 GMT
content-type: text/html
content-length: 593
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: "63f68860-251"
accept-ranges: bytes
GET

http://ow5dirasuek.com/675/179.html

ewiuer2.exe

Remote address:

34.41.229.245:80

Request

GET /675/179.html HTTP/1.1
From: 133581412394980745
Via: bjledplYpdq;225]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^_8/`e^``+48+_2,/e1b/^dd3651/8.d
Host: ow5dirasuek.com
Connection: Keep-Alive
Cookie: snkz=191.101.209.39; btst=b248ed8f5fdd7ab20d7961c8dcfdb8d6|191.101.209.39|1713667634|1713667634|0|1|0

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 21 Apr 2024 02:48:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=b248ed8f5fdd7ab20d7961c8dcfdb8d6|191.101.209.39|1713667680|1713667634|23|2|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN A

Response

chromewebstore.googleapis.com

IN A

142.250.179.234

chromewebstore.googleapis.com

IN A

142.250.180.10

chromewebstore.googleapis.com

IN A

142.250.187.202

chromewebstore.googleapis.com

IN A

142.250.187.234

chromewebstore.googleapis.com

IN A

142.250.178.10

chromewebstore.googleapis.com

IN A

172.217.16.234

chromewebstore.googleapis.com

IN A

142.250.200.10

chromewebstore.googleapis.com

IN A

142.250.200.42

chromewebstore.googleapis.com

IN A

216.58.201.106

chromewebstore.googleapis.com

IN A

216.58.204.74

chromewebstore.googleapis.com

IN A

216.58.213.10

chromewebstore.googleapis.com

IN A

172.217.169.10

chromewebstore.googleapis.com

IN A

172.217.169.74
DNS

chromewebstore.googleapis.com

Remote address:

8.8.8.8:53

Request

chromewebstore.googleapis.com

IN Unknown

Response
DNS

234.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.179.250.142.in-addr.arpa

IN PTR

Response

234.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f101e100net
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A

Response
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A

Response
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A
DNS

podayl.net

ewiuer2.exe

Remote address:

8.8.8.8:53

Request

podayl.net

IN A
DNS

104.116.69.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.116.69.13.in-addr.arpa

IN PTR

Response
GET

http://ow5dirasuek.com/73/217.html

ewiuer2.exe

Remote address:

34.41.229.245:80

Request

GET /73/217.html HTTP/1.1
From: 133581412394980745
Via: bjledplYpdq;225]^mc`;4Yn`m_l80/+./.0]jq<10/,\j`w<^_8/`e^``+48+_2,/e1b/^dd3651/8.d
Host: ow5dirasuek.com
Connection: Keep-Alive
Cookie: snkz=191.101.209.39; btst=b248ed8f5fdd7ab20d7961c8dcfdb8d6|191.101.209.39|1713667680|1713667634|23|2|0

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 21 Apr 2024 02:48:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=b248ed8f5fdd7ab20d7961c8dcfdb8d6|191.101.209.39|1713667726|1713667634|34|3|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;

13.107.253.64:443

46 B
40 B
1
1
64.225.91.73:80

http://mkkuei4kdsz.com/541/202.html

http

ewiuer2.exe

421 B
948 B
5
3

HTTP Request

GET http://mkkuei4kdsz.com/541/202.html

HTTP Response

200
34.41.229.245:80

http://ow5dirasuek.com/664/509.html

http

ewiuer2.exe

854 B
623 B
10
5

HTTP Request

GET http://ow5dirasuek.com/664/509.html

HTTP Response

200
64.225.91.73:80

http://mkkuei4kdsz.com/991/992.html

http

ewiuer2.exe

883 B
1.9kB
7
5

HTTP Request

GET http://mkkuei4kdsz.com/664/488.html

HTTP Response

200

HTTP Request

GET http://mkkuei4kdsz.com/991/992.html

HTTP Response

200
34.41.229.245:80

http://ow5dirasuek.com/675/179.html

http

ewiuer2.exe

1.0kB
544 B
9
5

HTTP Request

GET http://ow5dirasuek.com/675/179.html

HTTP Response

200
142.250.179.234:443

chromewebstore.googleapis.com

tls

2.0kB
7.9kB
16
17
34.41.229.245:80

http://ow5dirasuek.com/73/217.html

http

ewiuer2.exe

630 B
544 B
7
5

HTTP Request

GET http://ow5dirasuek.com/73/217.html

HTTP Response

200

8.8.8.8:53

podayl.net

dns

ewiuer2.exe

56 B
129 B
1
1

DNS Request

podayl.net
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

podayl.net

dns

ewiuer2.exe

56 B
129 B
1
1

DNS Request

podayl.net
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

mkkuei4kdsz.com

dns

ewiuer2.exe

61 B
77 B
1
1

DNS Request

mkkuei4kdsz.com

DNS Response

64.225.91.73
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

56.126.166.20.in-addr.arpa

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

157.123.68.40.in-addr.arpa

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

73.91.225.64.in-addr.arpa

dns

71 B
138 B
1
1

DNS Request

73.91.225.64.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

ow5dirasuek.com

dns

ewiuer2.exe

61 B
77 B
1
1

DNS Request

ow5dirasuek.com

DNS Response

34.41.229.245
8.8.8.8:53

245.229.41.34.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

245.229.41.34.in-addr.arpa
8.8.8.8:53

podayl.net

dns

ewiuer2.exe

56 B
129 B
1
1

DNS Request

podayl.net
8.8.8.8:53

podayl.net

dns

ewiuer2.exe

112 B
129 B
2
1

DNS Request

podayl.net

DNS Request

podayl.net
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

14.227.111.52.in-addr.arpa

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
283 B
1
1

DNS Request

chromewebstore.googleapis.com

DNS Response

142.250.179.234

142.250.180.10

142.250.187.202

142.250.187.234

142.250.178.10

172.217.16.234

142.250.200.10

142.250.200.42

216.58.201.106

216.58.204.74

216.58.213.10

172.217.169.10

172.217.169.74
8.8.8.8:53

chromewebstore.googleapis.com

dns

75 B
132 B
1
1

DNS Request

chromewebstore.googleapis.com
8.8.8.8:53

234.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

234.179.250.142.in-addr.arpa
8.8.8.8:53

podayl.net

dns

ewiuer2.exe

168 B
129 B
3
1

DNS Request

podayl.net

DNS Request

podayl.net

DNS Request

podayl.net
8.8.8.8:53

podayl.net

dns

ewiuer2.exe

168 B
129 B
3
1

DNS Request

podayl.net

DNS Request

podayl.net

DNS Request

podayl.net
8.8.8.8:53

104.116.69.13.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

104.116.69.13.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
a0605ee63628931195a14ccb1aab3948

SHA1
35881267085f98a0a046df4b34e8983c3e1ef883

SHA256
464b60c31f5e5202bb72e0c15aa2d8d75431298f1be0432617a6058378345d10

SHA512
cd0f32a41ff859b379961e4aa82cbd15742793c3006657bd0f8e3b3764cfbff8b820df3fa364f71031aad5cd8cc542d741af44ecfb071a3daad2aa226c407e76

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
b089f2736c554b5ee47ba0f6c40b1e89

SHA1
8485e4d06ef90e8df70535e079466cda466fc4c2

SHA256
d33b6c8cfe7c00db58a6b48a6165517449fee96038e2291fac0cc660bf4d7409

SHA512
ff3811fb6eb409156adb9a473a03a0fef24211e2fe3dcd1b7bfa59be376b1e49f5854c9538546ee9ad2dde80ea6c56e67f1c318580ce2d69c0c5fb93bdf2cb8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.