Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 04:02
Static task: static1
Behavioral task: behavioral1
Sample: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe
Resource: win7-20240508-en
General
Target: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe
Size: 289KB
MD5: bd5f8a05982a2f907a416dd5ce6707c7
SHA1: e0d4e8d2ddd5743d074e61ca9fee4ede506c9c9d
SHA256: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120
SHA512: a46d1302409d5c38dc92cd92442ad4abe99ab2f62ce57b0219ad3f63decdb13c48c6501fa713a9616f3342fbb8d36e385770f2bfeef6acc6f427e94ec4c7b053
SSDEEP: 6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKZN:9A3NtUISdPw+Elq2Jsm2u
Malware Config
Extracted
Family: urelas
- 218.54.31.226
- 218.54.31.165
Signatures
- YARA rule match
  resource: behavioral1/files/0x0004000000004ed7-38.dat
  yara_rule: aspack_v212_v242
- Deletes itself (1 IoCs)
  pid 1296: cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 1880: gibix.exe
  pid 1632: dulyy.exe
- Loads dropped DLL (3 IoCs)
  pid 836: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe (2 events)
  pid 1880: gibix.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  pid 1632: dulyy.exe (54 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 836 (d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe) wrote to memory of PID 1880, procid_target 28 (4 events)
  PID 836 (d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe) wrote to memory of PID 1296, procid_target 29 (4 events)
  PID 1880 (gibix.exe) wrote to memory of PID 1632, procid_target 33 (4 events)
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe (PID 836)
  command line: "C:\Users\Admin\AppData\Local\Temp\d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  level 2: C:\Users\Admin\AppData\Local\Temp\gibix.exe (PID 1880)
    command line: "C:\Users\Admin\AppData\Local\Temp\gibix.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    level 3: C:\Users\Admin\AppData\Local\Temp\dulyy.exe (PID 1632)
      command line: "C:\Users\Admin\AppData\Local\Temp\dulyy.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  level 2: C:\Windows\SysWOW64\cmd.exe (PID 1296)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads