d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254

General

Target

d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe
Size

65KB
MD5

c753311447be3a086acd908d810aeca6
SHA1

22dcc28333bebba84178e37dfc3681ce3c6fa01e
SHA256

d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254
SHA512

52f6485782626246e975699147536b9b3533da94c646bdf10c07e08720986a5acec36583ec4f8a62b9f6dc6578a138526448d0dd3e3b636ef5616f2c0f073cb8
SSDEEP

1536:Attdse4OcUmWQIkEPZo6E5sEFd29NQyA2w6TNle5K:gdse4OOQZo6EKEFdGC29le5K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2212	ewiuer2.exe
2072	ewiuer2.exe
1056	ewiuer2.exe
304	ewiuer2.exe

Loads dropped DLL 8 IoCs

pid	Process
2224	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe
2224	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe
2212	ewiuer2.exe
2212	ewiuer2.exe
2072	ewiuer2.exe
2072	ewiuer2.exe
1056	ewiuer2.exe
1056	ewiuer2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2212	2224	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	28
PID 2224 wrote to memory of 2212	2224	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	28
PID 2224 wrote to memory of 2212	2224	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	28
PID 2224 wrote to memory of 2212	2224	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	28
PID 2212 wrote to memory of 2072	2212	ewiuer2.exe	32
PID 2212 wrote to memory of 2072	2212	ewiuer2.exe	32
PID 2212 wrote to memory of 2072	2212	ewiuer2.exe	32
PID 2212 wrote to memory of 2072	2212	ewiuer2.exe	32
PID 2072 wrote to memory of 1056	2072	ewiuer2.exe	33
PID 2072 wrote to memory of 1056	2072	ewiuer2.exe	33
PID 2072 wrote to memory of 1056	2072	ewiuer2.exe	33
PID 2072 wrote to memory of 1056	2072	ewiuer2.exe	33
PID 1056 wrote to memory of 304	1056	ewiuer2.exe	35
PID 1056 wrote to memory of 304	1056	ewiuer2.exe	35
PID 1056 wrote to memory of 304	1056	ewiuer2.exe	35
PID 1056 wrote to memory of 304	1056	ewiuer2.exe	35

C:\Users\Admin\AppData\Local\Temp\d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe
"C:\Users\Admin\AppData\Local\Temp\d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6H1QG1U2.txt

Filesize
227B

MD5
394cde0f83ea3a6bd65f99207e1864a6

SHA1
2aa2b1d8b320778513c842aa6adff9f3766f4e3d

SHA256
53b569b65b32d9e91b6dd918bc454eb1f11a089f18980dc6b73b70c9de9579b9

SHA512
35c186e15fab0da7708d6e85d196d509a16300a3a934f7a3eb1b27f8e082b308d71f20be0b8bae8945803e68d29f9ff3a1e5e43881118618508660dbfab1e290

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IHL75X9R.txt

Filesize
228B

MD5
ab27a4c63f4dd2594cf31f139c53d5e9

SHA1
61b73e271d8ad2fbffc6eb79861e8ad23d89d525

SHA256
07113d864358bf33ce8bd12250d72904217cd297906fafad2f07e51e77345517

SHA512
d842c1634617a53e3663e443ea0175f76f5181e0d965e145b7cb60315d3b61a8c4a73629f5c5035219abe3aa89b4756a0d494906230274470b8cd2d92c6969ef

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
2baa210f46d27f3df50170e3cfdb6530

SHA1
04a44acd1854cfba50cc7b12152aff34febb4152

SHA256
18a6a84a8458b4e4472b99ae5b2bca3bd9e811d4188c86f1bcaadfc1b96d79fe

SHA512
09d82e960d932a0eaa3da5986fa42aee1db1048e653f117e3a612dbf6a18ad64d938ae906e6c0de1c5a7bae13298c478b54d2895f59cf608ed24a199062d6a83

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
46c3d8e73605f9e23cd1b6d22110563f

SHA1
daf11cc4f36c3a99b19a34ec3e08f7107a9f4d8c

SHA256
530db315274db188dd3b2bd0e91cf6843e57dc777c7e7c1c4e9be5c8e1f900ea

SHA512
c0617b910829acdc731dd6fa86f866384c6239a2cd00846abb7bf75e2037c93659ddb01320e83df411b34aef9ef7f169e60cc2c23bf55c6910ff1517bf2fb369

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
a6bd694d5fd200ab703047436d4ee738

SHA1
a33a2862bb9dd59242be55c6f5040cd27cdb4cbf

SHA256
ea95befa3219dc113dddc0423cf7882dafd0215393f2ec7627ddd1b252aecff2

SHA512
1e1cdd28541fafd54a63eb082fd1472c5fa26ba2299329f06f045d3d4bbd08640f8d89be40a978554b6740d2187acef2b1d36cf2441f59d2660b443d8249b7ce

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
1c0900a55d3165cfc3d86a651d2210ee

SHA1
3226fa8d8f822b6dd361eaf884a3f555f03fd27d

SHA256
43e7d493a8d245c0bef6eff007f2414acfa84bc85f6db0039c6da1fbe8cbbfb6

SHA512
f515bbd1f07109692c3fede2ce6750041092811d94a7f20a85ea3fb12514073cb8f09ee2fda7e7d61dd8e3ac68cb27858a6e57541f043de8e329293a9c4a06c5

Download Submit
memory/304-52-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/304-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2072-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2212-17-0x00000000020F0000-0x000000000211A000-memory.dmp

Filesize
168KB

Download
memory/2212-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2224-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2224-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads