b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 01:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe
Size

65KB
MD5

970cbdf97e7bc859970ba37a81a6847d
SHA1

066f94272b59c68961ceeb15b38eb1b858d6cc74
SHA256

b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455
SHA512

7cbd58f4d8f11305acf6f34e86948d0419eaddc0fb096f75d1d9671e143472a87c502094026e922ffca73aed8341e697213cba1af83821e9de22b939586420d8
SSDEEP

1536:lttdse4OcUmWQIvgPZo6E5sEFd29NQgA2w6TNle51:tdse4OlcZo6EKEFdGM29le51

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2960	ewiuer2.exe
2396	ewiuer2.exe
2856	ewiuer2.exe
1420	ewiuer2.exe
1760	ewiuer2.exe
824	ewiuer2.exe
1328	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2196	b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe
2196	b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe
2960	ewiuer2.exe
2960	ewiuer2.exe
2396	ewiuer2.exe
2396	ewiuer2.exe
2856	ewiuer2.exe
2856	ewiuer2.exe
1420	ewiuer2.exe
1420	ewiuer2.exe
1760	ewiuer2.exe
1760	ewiuer2.exe
824	ewiuer2.exe
824	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2960	2196	b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe	28
PID 2196 wrote to memory of 2960	2196	b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe	28
PID 2196 wrote to memory of 2960	2196	b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe	28
PID 2196 wrote to memory of 2960	2196	b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe	28
PID 2960 wrote to memory of 2396	2960	ewiuer2.exe	32
PID 2960 wrote to memory of 2396	2960	ewiuer2.exe	32
PID 2960 wrote to memory of 2396	2960	ewiuer2.exe	32
PID 2960 wrote to memory of 2396	2960	ewiuer2.exe	32
PID 2396 wrote to memory of 2856	2396	ewiuer2.exe	33
PID 2396 wrote to memory of 2856	2396	ewiuer2.exe	33
PID 2396 wrote to memory of 2856	2396	ewiuer2.exe	33
PID 2396 wrote to memory of 2856	2396	ewiuer2.exe	33
PID 2856 wrote to memory of 1420	2856	ewiuer2.exe	35
PID 2856 wrote to memory of 1420	2856	ewiuer2.exe	35
PID 2856 wrote to memory of 1420	2856	ewiuer2.exe	35
PID 2856 wrote to memory of 1420	2856	ewiuer2.exe	35
PID 1420 wrote to memory of 1760	1420	ewiuer2.exe	36
PID 1420 wrote to memory of 1760	1420	ewiuer2.exe	36
PID 1420 wrote to memory of 1760	1420	ewiuer2.exe	36
PID 1420 wrote to memory of 1760	1420	ewiuer2.exe	36
PID 1760 wrote to memory of 824	1760	ewiuer2.exe	38
PID 1760 wrote to memory of 824	1760	ewiuer2.exe	38
PID 1760 wrote to memory of 824	1760	ewiuer2.exe	38
PID 1760 wrote to memory of 824	1760	ewiuer2.exe	38
PID 824 wrote to memory of 1328	824	ewiuer2.exe	39
PID 824 wrote to memory of 1328	824	ewiuer2.exe	39
PID 824 wrote to memory of 1328	824	ewiuer2.exe	39
PID 824 wrote to memory of 1328	824	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe
"C:\Users\Admin\AppData\Local\Temp\b7c9c5250c771be2836a7a89f9804c86a607e7ca1a27443779b35cfdc389b455.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1QER34GT.txt

Filesize
229B

MD5
d5627d95aea448ec4563a184f1a0beed

SHA1
b24851420a91aa7337d3d5b22f958c1fb76524c0

SHA256
0f0f7d1dd3bff30bffc69310141baf0fe41a05b358197c59425e836c66ec3310

SHA512
c4244638d08c3ba74f27fea6cda76b5dbf566b4e1bc29021ccfd5c056670c3e925446a8a090b5035d168c50ebfac6c1e35ceba1977e2e693bd5c550d01e0b76b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\83ELUGU3.txt

Filesize
229B

MD5
80a6ca5d09e6ac74fabf0d8c26475901

SHA1
d7d1e79107f724f8c369a31fa6e7883966cb5586

SHA256
b4243f2a0cb4a18b32a7431ee2e6be9fe2deb9787938ccda271aae9f1b14857c

SHA512
f8fbf636612531694bf5d83f2c9d18d79b01e87871929e5991ed2786083a3655d3494c94078e9f66cc9600b4ac1b186df610c753fa4453a47986745bfbefc6ae

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
1aaaf4679cfa344a263344a6f103b0c3

SHA1
99e473517b8fe5c129ae4d6afa2f00969e706fb6

SHA256
6cfd65ef1273936d177a5df14fccd73627d55aeeaa209135c9413fdacdc08a4d

SHA512
a289cc6a649bed874357b24fc32145ec3b5c8a63ef4705011d09bb24ed0f78efd71dc3d62c39007f828c9eabe5665c1e3f38ba70ea0aef7a7e2dc770b35dcc25

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
dd115a7c982c16bb8eb4df55eddcc0e9

SHA1
9b5ebfae39edc28979e0175f16b6ffbd1037e1ea

SHA256
15c182bee4daec2e684956282955b41c26cdcff8227d9dcc42a722ed24dd7eb8

SHA512
1aa3b3320bc070c442573cd210207a741b5d0d7f3f9e5706652a804ec1dc1f7f7d4c2d0a96e567bf33e66a4a6a9bc7fe36ec887084e5b8a4cc32a862b075cbc7

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
bff0754ce2ad9a2496fba0b9efdc19fe

SHA1
bc967cf58bc05dcb7fefdf030b03d1f66b1d0e8a

SHA256
d1563744cf73f9a5071a3e20a806ddc234d5fca3ea8529f41a53e565a88622bb

SHA512
4f69518d33ba929d85766bb7ebc31d39f5e9a9b9b6b9e3176282c51018574d6c2d5031b8621f21c14c519612fe48504c5fa00d6de43c607afa294f3bc6a0abd9

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
55173360747b942710f52190c7e64807

SHA1
4f7b507ad1b8fc2bd8d93c8952f155ca34e8082b

SHA256
6f0174a14d8849730d07afc7dfa8095e6b6a2c80977aead396b81693fee1ef41

SHA512
8faede7245ff96887deee498cfd9d4a1857dd82e1827cfc8c85d69411809241732483c45e4f0843ae4239058fa49bd78617ed6fd9d8e595bb2669778d78c72d3

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
0629007e9f3595faee8b2ec032a54211

SHA1
209ae5e81103f07e8833ca44243958b659a735f2

SHA256
777e7a316e7d0add0642886ecffaa8b50184d2fc2ea2ce7c4c4dc5afa842ce52

SHA512
c62b9e01c3469eff96bbf751dee5e1cb23382dd6189cf5099956bf19595db1524d1c5e5fd1f7eee0cf529e49fe4560857a622c0d0b760a8a58118423ff84aca8

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
33e6f014a4dd10baf23ede5f0a7bb611

SHA1
6298c9733450145d94a4d33015afa6ce813e05e2

SHA256
119e10ef2ad7ac24fb712440522681acdb8a72062fe427584b374afae8579019

SHA512
43327a1a4cb7ea37f3cb06dddab0e27cdb82d71a954918c66a1f7d7e9932c9307462d4bb541c8ebe7ee7ae52c41dddbd64aec1c9e1062a57f86eb3c4017f7f8a

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
ba7f325bcb2a5245f215df0cc15ca5e2

SHA1
bb1365791ad9f76bac442a58211bb3d2f0fd5bf7

SHA256
d9996aacd406418407e784df8447e43e59020ca835c8a9d9cb7800ec51bad2e9

SHA512
ceae3240a05b53f43597d6776a83122d62fcdb29bf6ee9e7fb90d21a56f4f0eb0a27d16a8c6ec758d0715431a04956e804b9aa34156026b714d2dbd4c711b4c7

Download Submit
memory/824-80-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/824-76-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1328-85-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1420-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1420-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1420-54-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1760-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1760-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2196-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2196-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2396-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2856-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2856-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2856-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2960-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2960-17-0x00000000026F0000-0x000000000271A000-memory.dmp

Filesize
168KB

Download
memory/2960-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2960-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads