d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254

General

Target

d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe
Size

65KB
MD5

c753311447be3a086acd908d810aeca6
SHA1

22dcc28333bebba84178e37dfc3681ce3c6fa01e
SHA256

d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254
SHA512

52f6485782626246e975699147536b9b3533da94c646bdf10c07e08720986a5acec36583ec4f8a62b9f6dc6578a138526448d0dd3e3b636ef5616f2c0f073cb8
SSDEEP

1536:Attdse4OcUmWQIkEPZo6E5sEFd29NQyA2w6TNle5K:gdse4OOQZo6EKEFdGC29le5K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3048	ewiuer2.exe
640	ewiuer2.exe
4340	ewiuer2.exe
2236	ewiuer2.exe
1504	ewiuer2.exe
3420	ewiuer2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3048	1280	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	82
PID 1280 wrote to memory of 3048	1280	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	82
PID 1280 wrote to memory of 3048	1280	d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe	82
PID 3048 wrote to memory of 640	3048	ewiuer2.exe	99
PID 3048 wrote to memory of 640	3048	ewiuer2.exe	99
PID 3048 wrote to memory of 640	3048	ewiuer2.exe	99
PID 640 wrote to memory of 4340	640	ewiuer2.exe	100
PID 640 wrote to memory of 4340	640	ewiuer2.exe	100
PID 640 wrote to memory of 4340	640	ewiuer2.exe	100
PID 4340 wrote to memory of 2236	4340	ewiuer2.exe	102
PID 4340 wrote to memory of 2236	4340	ewiuer2.exe	102
PID 4340 wrote to memory of 2236	4340	ewiuer2.exe	102
PID 2236 wrote to memory of 1504	2236	ewiuer2.exe	103
PID 2236 wrote to memory of 1504	2236	ewiuer2.exe	103
PID 2236 wrote to memory of 1504	2236	ewiuer2.exe	103
PID 1504 wrote to memory of 3420	1504	ewiuer2.exe	110
PID 1504 wrote to memory of 3420	1504	ewiuer2.exe	110
PID 1504 wrote to memory of 3420	1504	ewiuer2.exe	110

C:\Users\Admin\AppData\Local\Temp\d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe
"C:\Users\Admin\AppData\Local\Temp\d81b5df8cdcd423b2dc78303db3e2d05d9a31aa2b4832fa7036a0c1a5d58f254.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
bfd4c40c4d63783fc1d76744c2019e70

SHA1
e261fe12b28bc9890bdf2d54a25dab1ea5b55881

SHA256
a27b9e3f96c4c3d03c302cd7219ddbd0d86af435e7de79c223f56553fc17bf9b

SHA512
eedc9ab715bbe0903aab1c4e451ea5bbd19dc47f914b83b5656bbd2580659cdd0089c06b68213cb6878e8770f1af8737d487668e30d6c82aa51c27ba1161e884

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
46c3d8e73605f9e23cd1b6d22110563f

SHA1
daf11cc4f36c3a99b19a34ec3e08f7107a9f4d8c

SHA256
530db315274db188dd3b2bd0e91cf6843e57dc777c7e7c1c4e9be5c8e1f900ea

SHA512
c0617b910829acdc731dd6fa86f866384c6239a2cd00846abb7bf75e2037c93659ddb01320e83df411b34aef9ef7f169e60cc2c23bf55c6910ff1517bf2fb369

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
0f91e2473a46a3d6f8072844beb93a1f

SHA1
557ddef01d7dadf14fe8f4ff035078eab674e787

SHA256
228cac0a149607bb127b53dafc2e588863917448677652a17fbb466eca60ad39

SHA512
322dfebe048714fb95ed1cffe9b4c2c40f514e4ebe1696083b4dbf40d543373ecdf9ab099a54bc9f7e17423f79936b8955702852e3e9be3d1772b04bb0fe7cf1

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
3f747a2e48c3e3ec0c891a13c4279827

SHA1
40c63247ac5c9a1cc2c5f6e64b3f5e2fdcb26e5e

SHA256
72fd1e8b8f2e2dafec780171836bf85121e311beca0a6e8feb954e6066b1a248

SHA512
a901d9592377794e67b738b2164298a9814a541ced49dc95d96304471b4d7dbc82ca3fb585d4310d0e46ca8a2a4bf6afadb403fe50c7a39bb903af6d1e43a277

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
c0ea23bcad52b98a441bd6065656b57c

SHA1
032b104083954fae4e4e4def8d23a9dce27a2a81

SHA256
98ab57686be0c8de66bd3ddae926659e763033e84536a3e0da2962536015be9a

SHA512
078d8a5dd1f0541bc6330c8da7ddff396509f727957d2f5c0b1ac4b69932d6dfce66927ac5ed82b666b144c7958c916461cf172da1ccbee9347505f979c1e252

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
e8f1a9e5fec6bf29117bce11c5278dff

SHA1
aba7ea522f040730e56d475673f51056d4e0fd15

SHA256
d2ec05bd1fd4f31f3c8d2ff1ad7966d78c37791745a9e44aa2e8d6f35cc961e4

SHA512
ef6c897983b4ac660137b139e007ff58e6463aab77965bfe9cefff23de7d0f765e4fc8a32e510275cc14bf4ddaa20709f48934e8bfe04b5e4f74603303c54687

Download Submit
memory/640-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/640-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1280-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1504-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1504-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1504-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3420-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4340-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4340-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4340-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads