Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 00:21
Behavioral task: behavioral1
Sample: 8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
Resource: win7-20240508-en
General
Target: 8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
Size: 418KB
MD5: ea14eeede03624f6b152c1dc67ff963d
SHA1: e564148b241d488134c78f189950f5a512ea0902
SHA256: 8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f
SHA512: dd759269f1510145716d37fe53f4827f6041ef402b0f61889724d7b81896b3c5554deb350685ca79b80d43ec5e85d9617f31ecf9ae8d5e8c5926bd0f7bdde13f
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqi:eU7M5ijWh0XOW4sEfeObi
Malware Config (extracted)
Family: urelas
Addresses: 218.54.31.226, 218.54.31.165
Signatures
YARA rule match
  resource: C:\Users\Admin\AppData\Local\Temp\hauto.exe
  yara_rule: aspack_v212_v242
Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2720)
Executes dropped EXE (2 IoCs)
  Processes: kadig.exe (PID 2544), hauto.exe (PID 1564)
Loads dropped DLL (3 IoCs)
  Processes: 8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe (PID 1632, 2 entries), kadig.exe (PID 2544, 1 entry)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes: hauto.exe (PID 1564), 54 entries
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1632 (8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe) wrote to memory of PID 2544 (kadig.exe), 4 entries
  PID 1632 (8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe) wrote to memory of PID 2720 (cmd.exe), 4 entries
  PID 2544 (kadig.exe) wrote to memory of PID 1564 (hauto.exe), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8fe40148871a932884596eafabcd958626e8cc0ec4181e3c362cfba37b3a9b2f.exe"
   PID: 1632
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\kadig.exe (child of PID 1632)
      command line: "C:\Users\Admin\AppData\Local\Temp\kadig.exe"
      PID: 2544
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\hauto.exe (child of PID 2544)
         command line: "C:\Users\Admin\AppData\Local\Temp\hauto.exe"
         PID: 1564
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 1632)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2720
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads