5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe
Size

61KB
MD5

1a9ff3f425e6c3ef4086f063080ed790
SHA1

e0d777342bc1eaa0c96f52196dbffb939fe0e9f2
SHA256

5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7
SHA512

57a000b07ed444813c84661e15513918600cf7100594ad211ce88a3ea4bdd81f1c1cd76e114fe4a54d32b72b6fd7f68e1b76e1606ad12fa019315866ed741520
SSDEEP

768:feJIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uA:fQIvEPZo6Ead29NQgA2wQle5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

ewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

pid process

2408 ewiuer2.exe
2580 ewiuer2.exe
2588 ewiuer2.exe
1720 ewiuer2.exe
1728 ewiuer2.exe
2428 ewiuer2.exe
2156 ewiuer2.exe

pid	process
2408	ewiuer2.exe
2580	ewiuer2.exe
2588	ewiuer2.exe
1720	ewiuer2.exe
1728	ewiuer2.exe
2428	ewiuer2.exe
2156	ewiuer2.exe

Loads dropped DLL 14 IoCs

Processes:

5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

pid	process
1848	5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe
1848	5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe
2408	ewiuer2.exe
2408	ewiuer2.exe
2580	ewiuer2.exe
2580	ewiuer2.exe
2588	ewiuer2.exe
2588	ewiuer2.exe
1720	ewiuer2.exe
1720	ewiuer2.exe
1728	ewiuer2.exe
1728	ewiuer2.exe
2428	ewiuer2.exe
2428	ewiuer2.exe

Drops file in System32 directory 3 IoCs

Processes:

ewiuer2.exeewiuer2.exeewiuer2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

description	pid	process	target process
PID 1848 wrote to memory of 2408	1848	5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe	ewiuer2.exe
PID 1848 wrote to memory of 2408	1848	5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe	ewiuer2.exe
PID 1848 wrote to memory of 2408	1848	5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe	ewiuer2.exe
PID 1848 wrote to memory of 2408	1848	5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe	ewiuer2.exe
PID 2408 wrote to memory of 2580	2408	ewiuer2.exe	ewiuer2.exe
PID 2408 wrote to memory of 2580	2408	ewiuer2.exe	ewiuer2.exe
PID 2408 wrote to memory of 2580	2408	ewiuer2.exe	ewiuer2.exe
PID 2408 wrote to memory of 2580	2408	ewiuer2.exe	ewiuer2.exe
PID 2580 wrote to memory of 2588	2580	ewiuer2.exe	ewiuer2.exe
PID 2580 wrote to memory of 2588	2580	ewiuer2.exe	ewiuer2.exe
PID 2580 wrote to memory of 2588	2580	ewiuer2.exe	ewiuer2.exe
PID 2580 wrote to memory of 2588	2580	ewiuer2.exe	ewiuer2.exe
PID 2588 wrote to memory of 1720	2588	ewiuer2.exe	ewiuer2.exe
PID 2588 wrote to memory of 1720	2588	ewiuer2.exe	ewiuer2.exe
PID 2588 wrote to memory of 1720	2588	ewiuer2.exe	ewiuer2.exe
PID 2588 wrote to memory of 1720	2588	ewiuer2.exe	ewiuer2.exe
PID 1720 wrote to memory of 1728	1720	ewiuer2.exe	ewiuer2.exe
PID 1720 wrote to memory of 1728	1720	ewiuer2.exe	ewiuer2.exe
PID 1720 wrote to memory of 1728	1720	ewiuer2.exe	ewiuer2.exe
PID 1720 wrote to memory of 1728	1720	ewiuer2.exe	ewiuer2.exe
PID 1728 wrote to memory of 2428	1728	ewiuer2.exe	ewiuer2.exe
PID 1728 wrote to memory of 2428	1728	ewiuer2.exe	ewiuer2.exe
PID 1728 wrote to memory of 2428	1728	ewiuer2.exe	ewiuer2.exe
PID 1728 wrote to memory of 2428	1728	ewiuer2.exe	ewiuer2.exe
PID 2428 wrote to memory of 2156	2428	ewiuer2.exe	ewiuer2.exe
PID 2428 wrote to memory of 2156	2428	ewiuer2.exe	ewiuer2.exe
PID 2428 wrote to memory of 2156	2428	ewiuer2.exe	ewiuer2.exe
PID 2428 wrote to memory of 2156	2428	ewiuer2.exe	ewiuer2.exe

C:\Users\Admin\AppData\Local\Temp\5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe
"C:\Users\Admin\AppData\Local\Temp\5d38d8d624a56f2ecefe5b8046dda194c25df728e22b43519a4b77faeb0941f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
8⤵
- Executes dropped EXE
PID:2156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2G0FNG9G.txt
Filesize
230B

MD5
50deb6cf96b67615ab116b5799ef16b4

SHA1
2dbdc964153ec8cb8dc180fca7d60c90d5fcc27f

SHA256
6d3f8746a340fe1c58a42f9fc4ce251c09ee9f20715eb65577f106e7438b9aeb

SHA512
02cce02e63e2069e85ea328bead6f539ab3d4376e5331f8ecd7176256449c347901e12964f8d9f62b2090d86ec1061c79f4ecd9d5f4ab8dbb96868c441c0f370

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LPUCM8W2.txt
Filesize
229B

MD5
ce01417cb648a434b7aa4377c020a2ff

SHA1
32c9a0e5a3a89903a954fce7e549605221337db8

SHA256
cc8772a74f0d9f81401d46989e4a77b47118f1dfe011d69db7b75079197e23b9

SHA512
d7816a1500e455b197649d91cf8eeefb5a14fedc4a9fbc9f66a143f7fed7c70e687b4a08bf489769da4cd2f4284b0a6e58ed55cdb2f9d0977e074ecf16bbf510

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
80b31ace3d1991826923ebc7d3f80ccd

SHA1
5154788a64cd4999010eae0dd1ad6b8dfedc0f9b

SHA256
a93e1829e3dbf72670a9c603e72b3f5e69ba218e4433860abd648f60848da8c8

SHA512
5093d277f93d8aad67cf4182a2da97a9b358d17bac01d25bb1c7dabc1a196797dd722c6bc06e528954438e9528794be67cbc8ed36782ddcf775b05efe63ac9c5

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
4a39df0a5dcde971b9c6ad5abd7dee87

SHA1
131734aaa5d9a4a900edd5ac830ddb4141273b20

SHA256
3cf077fe0af802525fb843901ebfa087dc1217a4be5be6e5b928276a0dd64b4e

SHA512
4e0d3683e3e2d29d69a6e90e5ba20e1d9dc287710840c928986e34cc1415dba516afd88f0413b4934683fe35ab221b864ab3d541ee18b63dca750808004084b7

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
095f622c5c5f75463587e3d4a378bd12

SHA1
0c6f47a8fa441e964748cec91557d854df39c117

SHA256
35f213cd03c2017b766c7039c4285ee5a4a6f8c895d82505d8b9c9d66c6e2cc4

SHA512
c9c8c2ecb72c3dcf9660cde50e9be72047de009c90f9a35b7d9ae43fd4ddb5005a3fc8a5acf2f8714026170eb3bd061788d46be72155cc090bbaaf5d2da7cf6e

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
0b224244d46c022813e3f191e3f31757

SHA1
8cc786a2d1b1f6c33ac55d430674dc561b656f26

SHA256
75a2c969a6530c1200a2d1631fc9cb0576faafcb3a7c12745093ea6eb11182e8

SHA512
f7bd79479bb6d659bb8d967fda46655424fdd8d841dff89e332bbf3abdb69102598dde226f99b986cec876a6876a321be9f8ee39ee2fce913c72ed79216cda04

Download Submit
\Windows\SysWOW64\ewiuer2.exe
Filesize
61KB

MD5
c963e0eed9ddd7fafb39ad423cbb9d39

SHA1
2ba4e6d64ef32af3094f2f151dc001437bc976cb

SHA256
02969dae02d8f816c3ed3ba60936e984348e2c286857e5a6e40688778d38f743

SHA512
c1c2aafaf86f6ba074e0754292256c4d1bf0fd90a639f3efaee0131122b14e5119d4bf42a08cf0e845178f01d302c55bf45f1fdcbe3af8cfc6f9c9a87d17a4f5

Download Submit
\Windows\SysWOW64\ewiuer2.exe
Filesize
61KB

MD5
633e580944fab21700b6f154ee5b8117

SHA1
5870680add18630e1c7ece46ff9b4f0f05d35b81

SHA256
38546b85ea7d2fea59908262058568bac249697179fc70c9029a396ddb94675d

SHA512
be7fbc73c0eee872340a33267507da32d62d320ec7a7c1378a0d159a34122cab048741e52926f8e479f86cd9d33d7fe21594b1f68c7e0895e2d4fbe8e9aa88ae

Download Submit
\Windows\SysWOW64\ewiuer2.exe
Filesize
61KB

MD5
618174e0bc5c88d3b9cdf9fd541a8199

SHA1
7bc05c1b4786f012c1ccc16255e24268a7f85a31

SHA256
9d6a415863c4ae4f34625ab29bd98a7ad9c0bce92daefb0da912d4f87086ab3d

SHA512
3b1494e2ff3cc9a5ddc7486a5762b5251b42c194a95681c149cc3430393f1f3108af6edc75a6965f1b8e700950dffea0ec4000e12f63d5597fbf49be427131b4

Download Submit