159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe
Size

61KB
MD5

1e08939e765b21ba128795f7a1d15c30
SHA1

db92940448e6466e2d6da5f43023815e4860acdd
SHA256

159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d
SHA512

9e0f50e4c0f5b8da1e28c389daa94ea9d9243cd51c4e4e0f2403ac34520756439c053dd5d3e66f5a3fe2146441cb15698d0569dee46ea7fde38a1139298dfa40
SSDEEP

1536:Nttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wwle5:Fdse4OlQZo6EKEFdGM21le5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

ewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

pid process

2172 ewiuer2.exe
2380 ewiuer2.exe
2824 ewiuer2.exe
2044 ewiuer2.exe
2700 ewiuer2.exe
620 ewiuer2.exe
452 ewiuer2.exe

pid	process
2172	ewiuer2.exe
2380	ewiuer2.exe
2824	ewiuer2.exe
2044	ewiuer2.exe
2700	ewiuer2.exe
620	ewiuer2.exe
452	ewiuer2.exe

Loads dropped DLL 14 IoCs

Processes:

159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

pid	process
2164	159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe
2164	159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe
2172	ewiuer2.exe
2172	ewiuer2.exe
2380	ewiuer2.exe
2380	ewiuer2.exe
2824	ewiuer2.exe
2824	ewiuer2.exe
2044	ewiuer2.exe
2044	ewiuer2.exe
2700	ewiuer2.exe
2700	ewiuer2.exe
620	ewiuer2.exe
620	ewiuer2.exe

Drops file in System32 directory 3 IoCs

Processes:

ewiuer2.exeewiuer2.exeewiuer2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exeewiuer2.exe

description	pid	process	target process
PID 2164 wrote to memory of 2172	2164	159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe	ewiuer2.exe
PID 2164 wrote to memory of 2172	2164	159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe	ewiuer2.exe
PID 2164 wrote to memory of 2172	2164	159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe	ewiuer2.exe
PID 2164 wrote to memory of 2172	2164	159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe	ewiuer2.exe
PID 2172 wrote to memory of 2380	2172	ewiuer2.exe	ewiuer2.exe
PID 2172 wrote to memory of 2380	2172	ewiuer2.exe	ewiuer2.exe
PID 2172 wrote to memory of 2380	2172	ewiuer2.exe	ewiuer2.exe
PID 2172 wrote to memory of 2380	2172	ewiuer2.exe	ewiuer2.exe
PID 2380 wrote to memory of 2824	2380	ewiuer2.exe	ewiuer2.exe
PID 2380 wrote to memory of 2824	2380	ewiuer2.exe	ewiuer2.exe
PID 2380 wrote to memory of 2824	2380	ewiuer2.exe	ewiuer2.exe
PID 2380 wrote to memory of 2824	2380	ewiuer2.exe	ewiuer2.exe
PID 2824 wrote to memory of 2044	2824	ewiuer2.exe	ewiuer2.exe
PID 2824 wrote to memory of 2044	2824	ewiuer2.exe	ewiuer2.exe
PID 2824 wrote to memory of 2044	2824	ewiuer2.exe	ewiuer2.exe
PID 2824 wrote to memory of 2044	2824	ewiuer2.exe	ewiuer2.exe
PID 2044 wrote to memory of 2700	2044	ewiuer2.exe	ewiuer2.exe
PID 2044 wrote to memory of 2700	2044	ewiuer2.exe	ewiuer2.exe
PID 2044 wrote to memory of 2700	2044	ewiuer2.exe	ewiuer2.exe
PID 2044 wrote to memory of 2700	2044	ewiuer2.exe	ewiuer2.exe
PID 2700 wrote to memory of 620	2700	ewiuer2.exe	ewiuer2.exe
PID 2700 wrote to memory of 620	2700	ewiuer2.exe	ewiuer2.exe
PID 2700 wrote to memory of 620	2700	ewiuer2.exe	ewiuer2.exe
PID 2700 wrote to memory of 620	2700	ewiuer2.exe	ewiuer2.exe
PID 620 wrote to memory of 452	620	ewiuer2.exe	ewiuer2.exe
PID 620 wrote to memory of 452	620	ewiuer2.exe	ewiuer2.exe
PID 620 wrote to memory of 452	620	ewiuer2.exe	ewiuer2.exe
PID 620 wrote to memory of 452	620	ewiuer2.exe	ewiuer2.exe

C:\Users\Admin\AppData\Local\Temp\159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe
"C:\Users\Admin\AppData\Local\Temp\159040dbcbd11e70b7cba12cff585331bb79a974698e44eac9da58f51d80b68d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
8⤵
- Executes dropped EXE
PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\924OEPA6.txt
Filesize
229B

MD5
550ec4e282bdb0225dced1f4d0e34d92

SHA1
1085cf60baa9a38e054b0f612917554955df1c74

SHA256
1cb675ce230d3c7faf1bcb560d3829491ca583c3b3a61d53db5c02aea9b9534d

SHA512
e3dbde55c80dea073f36d01b2ee935994ea3b3d5647733149e47e7d0a1c79d4e3d771212025c2ad842b5d8ca53b4eee682a1c26a71c5cc02138a24f9dc228a65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MNSFZ2F6.txt
Filesize
230B

MD5
54ef8cbd500da5c092d502b47ce6514a

SHA1
60027550eee436499b9f8902b7ae38410072df3e

SHA256
6715afa352ff9f402c0dff23221c98d3f1854e700296f46df0322a86d84b206a

SHA512
5775ef52d03e5ce26344428b2c948454a7ccff0684735e317718d2d4a7a8ce910311f2c2abb8b0a5a5f8121edb4ff91d459c737ccf4a4196d22c66ad7017a9a1

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
d8fc7581a296f7b6a42d3d56e7a355d4

SHA1
fc40f480a58f4a553aebf8bf18b0d94e92be379a

SHA256
f169b5546d5d542849368cc79f6c0034cb2541d90666ce09830cd4b1cd1a029e

SHA512
810d080cf2c26cf225b7f86d120f25f2418766f12399c17d8c7fc939d4202242d1df100b4b31690df24b627a8d65120d589c0aa2ea889738be71fcb5ef2206d3

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
0b42de534248b4f8a403542c8f578b5d

SHA1
ccb313f42c4c847daa077e9a57510261d7231ecc

SHA256
67ff7d9fa1d9a6822cc1d70ed8b5a55d3ef8144225a62444c2b00cc6872c2f50

SHA512
125ef62f0f5a87471b5611ef2d99e1febc7a35a55651d94e9ecd04059925c80db86a122c9ac41f79b00aede414559088aa8bb90ab1140662335ca6dd8d9698e4

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
974ee4ee5c3dc501217c295b7c9ee9af

SHA1
79615421db6292f68e9c649ecb65e5cf4f544b86

SHA256
5c2a914c6862b43db6653e22b6884b830e62dd136e81907af00ddd3d2d7f991d

SHA512
406053620fe2d8f7077d1a8801b561e3ef067ee01dec30317dc21cef673c747fd8db13d3f40224f8396d28e9a4188f7ea3f883b1af187a51897ff5e0e9360719

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe
Filesize
61KB

MD5
c4a6b6ff718ddf06b655cce9fe678fe6

SHA1
03298a8e8c6b926a7d118324ebc8171c4d8893b6

SHA256
ee3fd709b6f92ba519c4d0662ce6f6180d724ca3680f74cc981772e2233b15c2

SHA512
58e2a0179dc707d45fa02f1f51250b8cd104acfbec49f2894193583abe19ed45ecad386505da5ce716ce6247e815a067b435ab5b8878222faa9cf730a1bc46a1

Download Submit
\Windows\SysWOW64\ewiuer2.exe
Filesize
61KB

MD5
980c311514070d9cb6b89b7a9eec553b

SHA1
6446fb648f41c5b593b3d8f1a0e499703e56600d

SHA256
4154da6a835eeb8fdd8312aaf22e1c029792b0ff03ac3c08e4cda511fd13f03b

SHA512
43772b385ef192265d7f2644f6e30b11057af5851ea178975afcb05814f1b762c103503a302ce87e8d7837ba85e7882898404827691d3f3be1dc00a23b654035

Download Submit
\Windows\SysWOW64\ewiuer2.exe
Filesize
61KB

MD5
110deb4c1ccf370586b04bcd3fd58f96

SHA1
5ccf5e5a2435be2e0f48353e6c6c1c5a19a3e8d6

SHA256
acbd14618e7c8944fd30a7dafb7679220c4b20210a7d770b8dab0b22a367b7cb

SHA512
7cebae0ddf62f047ecc17759c0d175f12da11331df2e5fab049c58b57abbc81e91cc178a5d115ad176cd8b56382ecf07eb81bf8b89abbae9d1e7b39056c95cfd

Download Submit
\Windows\SysWOW64\ewiuer2.exe
Filesize
61KB

MD5
73da51d073b2fec89118e01a054fa190

SHA1
8d732f4374d24fda7d6c2152e393090e29faa1ea

SHA256
b3072377af78c7f5e700a8c453f40862f18a5a0706fa0cfae36917de4e773f07

SHA512
8d59c75feaa923a54da43ecb65fef8de968ad889e02462c170e4737007b3f0f0cf56a630e04f7e8fd3b1f28db334251b337a805af5f19cd5f214d13ad12c897d

Download Submit