59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280

General

Target

59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe
Size

61KB
MD5

6eb4cb70bf41e34e6ebf72f2dc3f99cb
SHA1

ded9d4d14ac28cecdc0b9c1d8af0f6b409ee73dc
SHA256

59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280
SHA512

1118b323dc9ffe95fe693e77a6cb8d93cfcff9052ffd70e6f7b79e3d0d0322a0670fe31137aed622aa7975bae75c3ddaf44901008ff04351c36887f9fe53bba5
SSDEEP

768:IeJIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uA:IQIvEPZo6Ead29NQgA2wQle5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2036	ewiuer2.exe
2676	ewiuer2.exe
2560	ewiuer2.exe
2780	ewiuer2.exe
1536	ewiuer2.exe
1884	ewiuer2.exe

Loads dropped DLL 12 IoCs

pid	Process
2028	59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe
2028	59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe
2036	ewiuer2.exe
2036	ewiuer2.exe
2676	ewiuer2.exe
2676	ewiuer2.exe
2560	ewiuer2.exe
2560	ewiuer2.exe
2780	ewiuer2.exe
2780	ewiuer2.exe
1536	ewiuer2.exe
1536	ewiuer2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2036	2028	59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe	28
PID 2028 wrote to memory of 2036	2028	59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe	28
PID 2028 wrote to memory of 2036	2028	59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe	28
PID 2028 wrote to memory of 2036	2028	59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe	28
PID 2036 wrote to memory of 2676	2036	ewiuer2.exe	30
PID 2036 wrote to memory of 2676	2036	ewiuer2.exe	30
PID 2036 wrote to memory of 2676	2036	ewiuer2.exe	30
PID 2036 wrote to memory of 2676	2036	ewiuer2.exe	30
PID 2676 wrote to memory of 2560	2676	ewiuer2.exe	31
PID 2676 wrote to memory of 2560	2676	ewiuer2.exe	31
PID 2676 wrote to memory of 2560	2676	ewiuer2.exe	31
PID 2676 wrote to memory of 2560	2676	ewiuer2.exe	31
PID 2560 wrote to memory of 2780	2560	ewiuer2.exe	35
PID 2560 wrote to memory of 2780	2560	ewiuer2.exe	35
PID 2560 wrote to memory of 2780	2560	ewiuer2.exe	35
PID 2560 wrote to memory of 2780	2560	ewiuer2.exe	35
PID 2780 wrote to memory of 1536	2780	ewiuer2.exe	36
PID 2780 wrote to memory of 1536	2780	ewiuer2.exe	36
PID 2780 wrote to memory of 1536	2780	ewiuer2.exe	36
PID 2780 wrote to memory of 1536	2780	ewiuer2.exe	36
PID 1536 wrote to memory of 1884	1536	ewiuer2.exe	38
PID 1536 wrote to memory of 1884	1536	ewiuer2.exe	38
PID 1536 wrote to memory of 1884	1536	ewiuer2.exe	38
PID 1536 wrote to memory of 1884	1536	ewiuer2.exe	38

C:\Users\Admin\AppData\Local\Temp\59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe
"C:\Users\Admin\AppData\Local\Temp\59ded88218e048afa0362f71fbe633acfa179ac644569f5adf92a64053fd4280.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LQ5C8DOK.txt

Filesize
229B

MD5
1cdee1bdbf6f94ed967acabc40f65a54

SHA1
ba27dd50d323c2ad3a602c6cffd2fc50d6d8dc77

SHA256
dccb624d183c7a67c9f884a3ba665290126be4e986b459a6b74be490838ee3fa

SHA512
9e996753fa243be625a8a862869a040067669790ffe5b57ae4822a554dfb7b6f70de9c52e67460bc83315ae15225f805fdf19bf62bd4624b18bc4db7ee4eb36a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZUKNIKTE.txt

Filesize
230B

MD5
c9f2d7c63947872bb844a94780869827

SHA1
27308fd9f20d721b43d9afcc3fc732c52bb95764

SHA256
3e40dfc60c45b7814ba05e1758abb8bdce3dd061e5e8ab2fa09290a2f5a35b3e

SHA512
dc8afc00844004c806c327a27297b681b8e078eb17377608e81764339f9d2036a521527426c41cf704adaa1f64ec267eefbb2edfea5844f23f9f932303be2873

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
81c48a15b0242a7054b380b2b169f66d

SHA1
6975ef96084593815550180dfbe8cc7bcccc88c0

SHA256
0f619c9faf105390dd51f3bfdf0baadd087cddb86011dc8be8c2d7f52ddce9c0

SHA512
3616fdc8b8aec757f720ddffba6d2eb3cb3aa4aeb768bd119d244dffb8a7d340ddba5651f299aff11e59dfab6f4b45c0810a7cfd764dfb88ac237e9002f3bd62

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
dd7418573a457961344d82d381d632a2

SHA1
0caee16c73a3d82d6d55d203c0f5482cab111dc1

SHA256
477d716ea5548df9dc83e3f216ccf13a77503d1fb8be03e774fa93b47933bf7f

SHA512
4e03cc3a7029aea390fb5ea5e103c8383e3a088510b324415aa8f486c223f3314981aac590a446b7177cd3162a2642ee806dd3e891666d2abcf9b49186e8046e

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
15f2bbcec1cca8da4ec163e3aec77a56

SHA1
0d70af1a03f84d70589b734a7e1451dca7c6c10b

SHA256
b98fbb230296da4010578a97375787b4f3fe5f8bdd154a7f9dd2be58d9102007

SHA512
4e728828d5a5b71ac34bb9f5f1d7aed229b4c5cb039831bb3e69bc10ed7aa35c30daea3dd1b2d360956c49a06dd83192b250bfa4f65cc0e12d34811289165d4d

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
46e13ff718b8eb231240595a54692cb5

SHA1
348b668da9a43fe094ed4c19bb38de580ad276a3

SHA256
2b2ca381027b6d12695ced5d24d37be10624ad7de442a8a86fa4c6971ac632a9

SHA512
574f850b190346d8772a674d10d35545dc069668ed3ac8fbb19094c4d31f8ce9be1b25dd48ed9e08c0cccfbcb8934abf88e813414fb20d9e8367a9881b921090

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
2a3a844e1f35134079547da5eafcbf5e

SHA1
ea21b0f24ab96c3d0bc4083f470b646cffe525ba

SHA256
ab98131acdf3a55147f3b940e914f911c82cacf620b81db7191ecd2a5e90541d

SHA512
9766b4336e25a59d526cce9f7f2e1feaaf5993357295976f4d6ecf65eb1378e28054794765397e981502afd0fa656c38605ca272e6f21f2007d239977513e1f1

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
2d0083c23f44f7048e6b10388f0815db

SHA1
d268ce1210e05e76da7a7b6295f50c2f75a147ff

SHA256
b93280105e52515cf1428a11aa39197829489a8e9d614868c544ce4a6e949b36

SHA512
a6ab90baed074ad8a6bda676b229c20aafe178089fc62dc39b1af5bbc4a71401ef69705d9a6b2b5748c2299fa6fd2ab70eedaed78a7e99e4db1c18a0f4debedc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads