Analysis
  max time kernel:  149s
  max time network: 118s
  platform:         windows7_x64
  resource:         win7-20240419-en
  resource tags:    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  submitted:        16-05-2024 05:27
Static task:      static1
Behavioral task:  behavioral1
  Sample:   f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
  Resource: win7-20240419-en
General
  Target: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
  Size:   289KB
  MD5:    6d25a28958e8ecc61a82a7866dabd79a
  SHA1:   a7ff2b34ad2455a4bb0fece62350c00368770d23
  SHA256: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688
  SHA512: 40facb3f95f712a7155b64ff67355d31a6a48357659be99891fc10ab22442eea73b35f04186ea017a0782018e48f21fb7f1bf6bddc13a182042f37469616583b
  SSDEEP: 6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKg:9A3NtUISdPw+Elq2Jsm2z
Malware Config
  Extracted: urelas
    218.54.31.226
    218.54.31.165
Signatures

  YARA rule match
    resource: behavioral1/files/0x0004000000004ed7-38.dat
    rule:     aspack_v212_v242

  Deletes itself (1 IoC)
    pid   process
    2432  cmd.exe

  Executes dropped EXE (2 IoCs)
    pid   process
    3004  fujum.exe
    2400  pojuv.exe

  Loads dropped DLL (3 IoCs)
    pid   process
    2188  f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
    2188  f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
    3004  fujum.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (54 IoCs)
    pid   process
    2400  pojuv.exe   (the same entry is reported for each of the 54 IoCs)

  Suspicious use of WriteProcessMemory (12 IoCs)
    description                       pid   process                                                                 procid_target
    PID 2188 wrote to memory of 3004  2188  f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe   28   (reported 4 times)
    PID 2188 wrote to memory of 2432  2188  f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe   29   (reported 4 times)
    PID 3004 wrote to memory of 2400  3004  fujum.exe                                                               33   (reported 4 times)
Processes

  C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"
    PID: 2188
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fujum.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fujum.exe"
      PID: 3004
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\pojuv.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\pojuv.exe"
        PID: 2400
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2432
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 340B
  MD5:      2dd4c59f8cf29c07a29920d74d85222a
  SHA1:     2ddf9f8dd6ec640960265884ca9876d34f7af925
  SHA256:   729cb2e8d2580599ab02345b6f6a9c78507356bb0ec1fbf5a15b81e0d533a7cc
  SHA512:   918e7d0cd049bd025ff662d9b061b7f8e416b790de09d783af9b6f9f3f0cfd94e57ea790ea0329d152b3ae97566b87d4b498c845398c4d48446c26d24e3e399e

  Filesize: 512B
  MD5:      88e9fa0c1f043a07b7d474bea2b70e8e
  SHA1:     022015e39fd85876024f6c80355bf9948455196c
  SHA256:   0a96653ceb619e7c50876af9c8917e3f87ee8597e1dcd63c9159db14cd89780b
  SHA512:   d3baf163ccfd1f53a3bd417118951f44f0948ae0a3c8061d11e24b0c25342ab7e430a16ca9a422a980ac0c14782ab4152eb4bb14fe428915d386abf32acd9bd0

  Filesize: 289KB
  MD5:      4771ff8555ccffe148aac82ae76d00ea
  SHA1:     e9e99f5965d8ff8faf6c938e6d8f19339b6aef7f
  SHA256:   feb48e4d4a087c48d57432a78dbe95a5069092ef455cb73581843e0944e74e07
  SHA512:   edcb6e68c06fa803e9300feb37e2942531becc0831396fe058bddaaaab5344ad88a4bcff107abcb5dcc3ac82d5e379cc9bacf2abe1ffb78641e9d210f4656f1e

  Filesize: 216KB
  MD5:      f8e100d8516a1f6c76d3de7a45fafc5a
  SHA1:     f6dbaf5e8600ec467f3011d85292c6c3378d8673
  SHA256:   75ea14fd95dd65b74b838ea0b0920acd8500f1d459d7ad37bc07d93d9980e3a5
  SHA512:   0df52df44fe07623fc76a08ffaec889305656d82c2e502f33867aa8d9ed4f886fcd9e1322d3ccec37eb11a2d1a07e506ba701f3b819de094df0f534deef84b03