7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe
Size

61KB
MD5

5ecde2a08c92c596b81625ef7e4df93f
SHA1

9d4588de70e519b24469026e40f94016d16f4fe6
SHA256

7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6
SHA512

c3b60612b9f6e82be0a0976af94550a489f2919c2453325e8b9ea562031a2a5e5e0e1bf3927768107a8cefa6ed3cbc4000e93ea434013313bc6e246b1a1f1bf2
SSDEEP

1536:Qttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wwle5:Qdse4OlQZo6EKEFdGM21le5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2132	ewiuer2.exe
2592	ewiuer2.exe
2248	ewiuer2.exe
528	ewiuer2.exe
1480	ewiuer2.exe
1348	ewiuer2.exe
1552	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
1216	7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe
1216	7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe
2132	ewiuer2.exe
2132	ewiuer2.exe
2592	ewiuer2.exe
2592	ewiuer2.exe
2248	ewiuer2.exe
2248	ewiuer2.exe
528	ewiuer2.exe
528	ewiuer2.exe
1480	ewiuer2.exe
1480	ewiuer2.exe
1348	ewiuer2.exe
1348	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2132	1216	7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe	28
PID 1216 wrote to memory of 2132	1216	7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe	28
PID 1216 wrote to memory of 2132	1216	7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe	28
PID 1216 wrote to memory of 2132	1216	7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe	28
PID 2132 wrote to memory of 2592	2132	ewiuer2.exe	32
PID 2132 wrote to memory of 2592	2132	ewiuer2.exe	32
PID 2132 wrote to memory of 2592	2132	ewiuer2.exe	32
PID 2132 wrote to memory of 2592	2132	ewiuer2.exe	32
PID 2592 wrote to memory of 2248	2592	ewiuer2.exe	33
PID 2592 wrote to memory of 2248	2592	ewiuer2.exe	33
PID 2592 wrote to memory of 2248	2592	ewiuer2.exe	33
PID 2592 wrote to memory of 2248	2592	ewiuer2.exe	33
PID 2248 wrote to memory of 528	2248	ewiuer2.exe	35
PID 2248 wrote to memory of 528	2248	ewiuer2.exe	35
PID 2248 wrote to memory of 528	2248	ewiuer2.exe	35
PID 2248 wrote to memory of 528	2248	ewiuer2.exe	35
PID 528 wrote to memory of 1480	528	ewiuer2.exe	36
PID 528 wrote to memory of 1480	528	ewiuer2.exe	36
PID 528 wrote to memory of 1480	528	ewiuer2.exe	36
PID 528 wrote to memory of 1480	528	ewiuer2.exe	36
PID 1480 wrote to memory of 1348	1480	ewiuer2.exe	38
PID 1480 wrote to memory of 1348	1480	ewiuer2.exe	38
PID 1480 wrote to memory of 1348	1480	ewiuer2.exe	38
PID 1480 wrote to memory of 1348	1480	ewiuer2.exe	38
PID 1348 wrote to memory of 1552	1348	ewiuer2.exe	39
PID 1348 wrote to memory of 1552	1348	ewiuer2.exe	39
PID 1348 wrote to memory of 1552	1348	ewiuer2.exe	39
PID 1348 wrote to memory of 1552	1348	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe
"C:\Users\Admin\AppData\Local\Temp\7825ad08c432e26c7894599b5e958eb08d3f6884523390d3f5aeff359e34acd6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\79S50TDH.txt

Filesize
230B

MD5
8ed659d6a7e2e7874da2a1153a9565b4

SHA1
8565359e2f55fdf066cc0152456567025602af1e

SHA256
a371abec14cfd7d2b41c50837db3ff2b93b9e935a85bd9fe1e6a34bab8d7ab0c

SHA512
dd6e98abb5104d94d6e4da772690e12ec4346c7971e990febead3039bdb042bf820073df25bc10026d0175cda82dbba8e73a1ab4ee37a00bb0d5b93fabc98e69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GK2CXLUY.txt

Filesize
229B

MD5
3197e80781c3284cfdec7c5605e5bfd2

SHA1
84f98b81c3ac18c4d2cfb2ec1f19bd41fa6032b8

SHA256
5fd8327a2d4488cfacdd220cf81ff355bb0602056dfd4d800f4bad22dca08226

SHA512
3f3cd66f72266eaeb0a39e8ae1f1ca4dacc6b6160bf8067d4744bb38e67cc0c755d858273998902d9703b03621fd19a964804a40ede120a81f53895524b2b197

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
afe5ecf9ef269b45049d0752cefbf0fc

SHA1
dd7b31cf540327944c37a2cb0843708cc6ac0e59

SHA256
170c9441a30b11eaa8f81530e2eccfc3458adadb16827eff3ec6472cbbad55da

SHA512
33650e9899fb1481a7cec9bd282eafa09ffe87006fcc22a7b70f9ae104145f394b1b38b419ed9e0f01152007a0a1b0a1f201436a54a58ae117e0d7d7c1fa56f8

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
251f572693b8322724a9cf4168d4ef50

SHA1
e2d6728a234f07e47fc65422d84598e9e876c887

SHA256
d9c94c3a54b25cf5545fa9ba6d927ed21adc7f51b70fcfb0388bcc6e214778d2

SHA512
a22b1303b101f5a7931850211771903d61f0d8e42109fcd70d78a6ad0e3e9ba06cf07051640b3d4287fc1edc4f930da8333f19fba6f78e16ef1bba47d8cba5e9

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
69b3e1ba124bc2d79fa96e14932dbab0

SHA1
1ce33dcc6b36ecc94ca1d5e080d6a64f21f785eb

SHA256
d1f52cef35a4df455612f374ae61dcb876e58d3d815c069915c05e3dad99ddd8

SHA512
b56f15060e9248bee514b1ba7bef3a999fa98e283f172adbf69bf81d8e2d21ab5cbb9099e9df47aea772b370572fbd8e4ee8be80e132260d89e1fa0427ac10df

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
dbf177477f3fbd51330649ff721251ac

SHA1
474b3e9b54526b8cd7c89685297b7a69a770e564

SHA256
9c028538dc1f850943ea7347a83a071e00b03ed430d485f62c9e8ba8f881979d

SHA512
53e5e2c5c331fa5cbd5dd83faeaa2d499ce17d0642964b88c05b50593ed811a7d4f81969224a043708a9434fbc55f95892af0c84c80b9aa64a6d1264caa3e999

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
623defcbeb9ceca7560858f571c1609c

SHA1
78252437056c53ed879153d68f89aa5e8485e4fb

SHA256
feb5ea5021c6ae8579393c383ce51a51a069104281f844f0a75126a20b449305

SHA512
d827a60e33a5ebd2ed80ccddc6d263b6bf6aca1728e64dec78d79a1acb5816677a18ad08cc935b58d53593f511b9995ff277a8090e31f76bdb5ec148b32c14be

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
dd2beac974f952a00e6f187dceb51edf

SHA1
8348a81858be3c6ee8eae67af296035058439a63

SHA256
b8203d280917b92307c0e76867128cf472d655e8317f3e4269a894274b7421d5

SHA512
9abc1e9532e87dfdb1351245f9dd22e529c0cfa99060569c262a21d86412368bcb7c2cac74a285969375e8f1aa589002f9454fe4b45c1d063cf531d1c6d83021

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
11082fc7159f232a7571b0fae35c298f

SHA1
9121d6ef5959c0cb5e1e42d231b5114f87499bdf

SHA256
0640d83fd6d258adaac7d9cda9aab529415ea651d10d267ed67b621481d0653c

SHA512
c752861b19e6e413e33740b78f0c4b084736f5f1961820dd244c11358ff5b14ef600b8c85b04b60682e87841e4fb69686f566169c4a8e3dc47a2478c4218587e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads