66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd

General

Target

66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exe
Size

61KB
MD5

4a2bff0219ea8b915e3fc6dfbca2aa6e
SHA1

a336a7e89d143d56ee85911aa72b888db0136bcf
SHA256

66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd
SHA512

8fee760451866e147dbc874254efd0969bbffeb2f7d3320520671d9fdb634cb0315f8d3757bb982afe23e637fec2da32e83b8f9d3af94ffd78d5bbf5f8681e86
SSDEEP

1536:ettdse4OcUmWQIvEPZo6E5sEFd29NQgA2wnle5:Gdse4OlQZo6EKEFdGM2+le5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

ewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

pid process

1536 ewiuer2.exe
1420 ewiuer2.exe
1136 ewiuer2.exe
2852 ewiuer2.exe
1384 ewiuer2.exe
432 ewiuer2.exe
1688 ewiuer2.exe

pid	process
1536	ewiuer2.exe
1420	ewiuer2.exe
1136	ewiuer2.exe
2852	ewiuer2.exe
1384	ewiuer2.exe
432	ewiuer2.exe
1688	ewiuer2.exe

Drops file in System32 directory 3 IoCs

Processes:

ewiuer2.exeewiuer2.exeewiuer2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

description	pid	process	target process
PID 1868 wrote to memory of 1536	1868	66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exe	ewiuer2.exe
PID 1868 wrote to memory of 1536	1868	66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exe	ewiuer2.exe
PID 1868 wrote to memory of 1536	1868	66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exe	ewiuer2.exe
PID 1536 wrote to memory of 1420	1536	ewiuer2.exe	ewiuer2.exe
PID 1536 wrote to memory of 1420	1536	ewiuer2.exe	ewiuer2.exe
PID 1536 wrote to memory of 1420	1536	ewiuer2.exe	ewiuer2.exe
PID 1420 wrote to memory of 1136	1420	ewiuer2.exe	ewiuer2.exe
PID 1420 wrote to memory of 1136	1420	ewiuer2.exe	ewiuer2.exe
PID 1420 wrote to memory of 1136	1420	ewiuer2.exe	ewiuer2.exe
PID 1136 wrote to memory of 2852	1136	ewiuer2.exe	ewiuer2.exe
PID 1136 wrote to memory of 2852	1136	ewiuer2.exe	ewiuer2.exe
PID 1136 wrote to memory of 2852	1136	ewiuer2.exe	ewiuer2.exe
PID 2852 wrote to memory of 1384	2852	ewiuer2.exe	ewiuer2.exe
PID 2852 wrote to memory of 1384	2852	ewiuer2.exe	ewiuer2.exe
PID 2852 wrote to memory of 1384	2852	ewiuer2.exe	ewiuer2.exe
PID 1384 wrote to memory of 432	1384	ewiuer2.exe	ewiuer2.exe
PID 1384 wrote to memory of 432	1384	ewiuer2.exe	ewiuer2.exe
PID 1384 wrote to memory of 432	1384	ewiuer2.exe	ewiuer2.exe
PID 432 wrote to memory of 1688	432	ewiuer2.exe	ewiuer2.exe
PID 432 wrote to memory of 1688	432	ewiuer2.exe	ewiuer2.exe
PID 432 wrote to memory of 1688	432	ewiuer2.exe	ewiuer2.exe

C:\Users\Admin\AppData\Local\Temp\66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exe
"C:\Users\Admin\AppData\Local\Temp\66adb2e8cc5a92652d12ce5d470ee1ecc4f7de7744ca8fcc44b152b5aefb39fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
d8149ad8aa5920a8224bc857d2366d5b

SHA1
79328a4f6ee6fb5f31ea31275e0c05535a91c7a5

SHA256
6f9526ccdf162df1aa3e01fc2eb6ccea085ed57d3ec8901d37ee0d870dd1b96f

SHA512
aff1e9bf29ce399204ba1083680374ba847d25b295c26562f8d6feeeb2553f0dd660b89934e34c18157f684a82fcb89644ccd3f34b6fc837b4e7a19c5732bcb2

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
3d6a18a8ac046ff9d5547e248a76e117

SHA1
74a21c4bd8d0d38ab5be7d5d03aa9de10c3c493c

SHA256
dba0625a69efecdc93da4fae5bec3ea2f924170e21679c90f1e45b10bd0fb60b

SHA512
128a3f3f2eeaa9ebd168c9bca43e8328da9e16315a4544055f7935db3e5b37b531173bcb3773bc822c59776b6a966e940d0a27603e7264b7dbb4c13bced68402

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
9f5ce1a2272d8f78201d83897f2a37bc

SHA1
96b643fa4458be9214034ca6c6de646048bac906

SHA256
def2be1a4843e70b8476eae0b5305ffa7c70258fed6122fa240ae98aa2c25334

SHA512
67a657b8571cf82a811f139da21fa03084a8d39a0a26cbeb2ed2aeb93e42d8ccade1ffce73ef3de1b5f9c8e99897f8ad74fcd17608b0cea871b03d1c0e0fd2fc

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
81016a12cdfa5d6bf01379f25c5bf0f2

SHA1
7ffe336c18078bca262acaa92b6fb40eb6a33510

SHA256
137b7e07c0e3ba2363febdc9b34a8091010504213afff172d03441f523a8ef5a

SHA512
99e235d8bf7f1a0273a1c78946dfb2b68819501d2e46bf5cb809db179846dc96ea4c219b6358f5d30dc7281ff8b37281a7a1fd40638f36c35758d0ce85ad9604

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
07cb5adfa62826a7b169223c8b5473e0

SHA1
30c8f622a1e2e2a1f24bece3693607b7da7d09c7

SHA256
c977d40f3bf4a4e9b26e4557141f81bef6a5ba77a52025850c236efe680f66a4

SHA512
41ef99a9e9b49162a4fa04e1191c827d5bb7c547995e84c330030fa77a1973d2694b0c75df003449c04c938511cfad3a3be2787cbba529d711ff81aa8825b793

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
458001d7ad5f993ff587f92306231020

SHA1
148b99896822cfa26bcc563c0f3c0fa86eb61478

SHA256
7d441d242fb186280823c976f1cb4ec7b71ea75a5dbe73a05b08657fa66c00bd

SHA512
a7b868f798e807494b085bcb7576c6c81070d4072cd4346cd6796d7b6ed5c098d4ef16a295439e708ecc09fdc939488a7f94843ecb451055132eac79792aba91

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
c5fe84c6277baa2498ca6c455a69a7cb

SHA1
ebb588f53723db5cea1869869e5350ae9607653b

SHA256
ed6b7acacdf983c53e2045f20917656a8368041fbc7d90a7da18db061d80c275

SHA512
4faef72bcbd6fd66753b949de38b9a2945b25ad351ec8ece83a39d9b8ea39d1b6d1cce85c5ebd559a4747700967dbd579840ad7f1ca65e4c8bbf10fcf084faa5

Download Submit

Analysis

Sharing