441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe
Size

65KB
MD5

5b4d31ee8b52f64a5649da53e2e8a52d
SHA1

676851b9703fe95b77aa273d25a0a84614892c84
SHA256

441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196
SHA512

09aba0e8526c2e81573ca47268f456778efdac4299b6ee95b192c59776632b43678aba39894a6aeeed9f1088bf03c1dcf966c8e48c0d46e57be2493b554298c8
SSDEEP

768:yeJIAFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uAi:yQIAEPZo6Ead29NQgA2wQle5q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2216	ewiuer2.exe
1732	ewiuer2.exe
2860	ewiuer2.exe
1604	ewiuer2.exe
2056	ewiuer2.exe
1532	ewiuer2.exe
1740	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2372	441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe
2372	441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe
2216	ewiuer2.exe
2216	ewiuer2.exe
1732	ewiuer2.exe
1732	ewiuer2.exe
2860	ewiuer2.exe
2860	ewiuer2.exe
1604	ewiuer2.exe
1604	ewiuer2.exe
2056	ewiuer2.exe
2056	ewiuer2.exe
1532	ewiuer2.exe
1532	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2216	2372	441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe	28
PID 2372 wrote to memory of 2216	2372	441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe	28
PID 2372 wrote to memory of 2216	2372	441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe	28
PID 2372 wrote to memory of 2216	2372	441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe	28
PID 2216 wrote to memory of 1732	2216	ewiuer2.exe	32
PID 2216 wrote to memory of 1732	2216	ewiuer2.exe	32
PID 2216 wrote to memory of 1732	2216	ewiuer2.exe	32
PID 2216 wrote to memory of 1732	2216	ewiuer2.exe	32
PID 1732 wrote to memory of 2860	1732	ewiuer2.exe	33
PID 1732 wrote to memory of 2860	1732	ewiuer2.exe	33
PID 1732 wrote to memory of 2860	1732	ewiuer2.exe	33
PID 1732 wrote to memory of 2860	1732	ewiuer2.exe	33
PID 2860 wrote to memory of 1604	2860	ewiuer2.exe	35
PID 2860 wrote to memory of 1604	2860	ewiuer2.exe	35
PID 2860 wrote to memory of 1604	2860	ewiuer2.exe	35
PID 2860 wrote to memory of 1604	2860	ewiuer2.exe	35
PID 1604 wrote to memory of 2056	1604	ewiuer2.exe	36
PID 1604 wrote to memory of 2056	1604	ewiuer2.exe	36
PID 1604 wrote to memory of 2056	1604	ewiuer2.exe	36
PID 1604 wrote to memory of 2056	1604	ewiuer2.exe	36
PID 2056 wrote to memory of 1532	2056	ewiuer2.exe	38
PID 2056 wrote to memory of 1532	2056	ewiuer2.exe	38
PID 2056 wrote to memory of 1532	2056	ewiuer2.exe	38
PID 2056 wrote to memory of 1532	2056	ewiuer2.exe	38
PID 1532 wrote to memory of 1740	1532	ewiuer2.exe	39
PID 1532 wrote to memory of 1740	1532	ewiuer2.exe	39
PID 1532 wrote to memory of 1740	1532	ewiuer2.exe	39
PID 1532 wrote to memory of 1740	1532	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe
"C:\Users\Admin\AppData\Local\Temp\441a1cfff58e7d9a7f7620e9b774cf8bb5592961ae49648e2bbc3a02c4d10196.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HD2ATS7G.txt

Filesize
229B

MD5
79da7da04c94e49940cfa636e5bf6093

SHA1
8bbc63c022360049a1143d56d457dc0a2fad4f96

SHA256
c77c55939bb960c60517360db8a2d7d027a2b8550ca292992c19c99b82a06e6c

SHA512
34046643fc4aa9d12334b96f26f01320d5d5b403956e6e2047d3a3885b4c9b3a9c61ff47b9c8636c5711c449e49174fdc2b82f5c55074d28aee7d8ac5be3d01e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X1OJ87P6.txt

Filesize
229B

MD5
af16a57d6696ff4c1c9f7ed25c890f29

SHA1
bf73644a182a10ad30c795708f1315e1d8232786

SHA256
07fbf290fcaa8da2e622b96bd8a8276f58aa9cafc05ca433819e70d770fa9fa0

SHA512
d6b3e597430fe5ca8016cf0bb5f54f61040c92cb0373dd44a1d49c3a08e744d52c8978a5a7d20b4d70eb3d70a49932aa946cb96bbbb881c46b1d3a983583346e

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
c3d52f99cbe2434bba9bbc177e164bcb

SHA1
5924c92b08f532d96d529b1dbe3cd5d785ae1edb

SHA256
4bfbff1d0ce8511b10b85405b5150dd86a51d3d76ded04cf3530b18aad48c441

SHA512
b30ccf771803b278023e5859130944ae6b33b321fabe5364d1c002cc62ee7cc2b7384f6f7e95b73a1bc8764bc5ac71e5c40cca5e1272363a9c35fa65bce5e72f

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
76e37baa003c7d42cbd98a32a601175b

SHA1
787a5ac38f0e962c3f039824ac750badc04437b2

SHA256
28022ab86338eb5ef6268d587a792acc27b179250da95dd45d88d6c2a36b854c

SHA512
90386a2e5ff3224549aa23c157dcaec8c0af39a15671bb22a9a29a605eb224ad49d97e987600a51f05256d189e55e205ec267e06f319b45f20196f4ef4be4840

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
014f5c548040d71961443ca8719196cf

SHA1
db37a38cfc3a443a1ed832dc3b8381f1e1ff159e

SHA256
2a47fcad213b4ab8d099b162b46d3dcb40076468f9b59bb3124695f407b038f1

SHA512
8134c37b96fb5428b1533de45633cab5b7ccb5d3eb286b5419a0e73516f7179bd32a8399a48594035c24cfd3986270f57a7af3d52ac7d63789b97254f78f9059

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
b8752230dbb05ebdbf380a470d28e478

SHA1
01329dc4d4a9ad37f618caedea7fa1283d1a3084

SHA256
9c2eda5cb586db8a96fcfdf6e38f0403341aac11737d59c2bb5f9fc88ee388d8

SHA512
050ab369abe2a9c7d7a2535cba84579f22b828c8db5bfeb3d00f4d32f48511f6bd6195d818ecbee8a24732abc60ffc223d829aae73995242353b59a4d60fa648

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
d3ff6fcb56581b3d4fe1d7d25fd88d60

SHA1
cdd6ede64cfd4a5b72dfd0bf5e6300c076f14e65

SHA256
f27271eb4030d50a7d7c92a9b7880fa869019a31910988dfb2d38fa140d1e898

SHA512
5eb870fd7987b18c276150d1181c3fe9f2876c68761ff50b584038b798ac8648922f179c2b4bc96ab09531cdb20082d8268a4df33c3b2e44ce9e61cc588c990c

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
39dadf5061c885957e88e9c783bff7b3

SHA1
29207b6dd169758cef24fcbbf5807bb7301caa7f

SHA256
b5bf53ffddb6edfe4d25dc28f0936729c99030f8745c4e75301cd23a46e71b8a

SHA512
1d983142f01216fb29d1171d81caf3d95cbcbece833654c63c1ee973d38aea6a23d9aaffe4512b72bec09f88e709d30079fd7f04e92957b2c88c135faa5590fe

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
d19f643e704402a440760ac21149d1ab

SHA1
1b0eb652d0c5c50b611018c58dc868f8a4f3dd57

SHA256
ad70131f56b30a12eaa4045fccee15c8efd54dc17b7ed57e897a7b2093bd0fdc

SHA512
3138788dc50b46e54d7c5aeb8fc13a649070b33533ec4835c3fe3a680d03e5576c17530a44ea42a7d93032189c151e6af6e8da9941fb0e6d39a8b4ef178d9709

Download Submit
memory/1532-83-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1532-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1604-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1604-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1604-54-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/1732-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1740-85-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2056-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2216-17-0x00000000027C0000-0x00000000027EA000-memory.dmp

Filesize
168KB

Download
memory/2216-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2216-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2216-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2860-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads