68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe
Size

61KB
MD5

8ad5d231e90dd5be2d02d1c896c50d77
SHA1

5258c40fdb43baeae1249c8721fcd38e564866e3
SHA256

68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e
SHA512

873781b245f98f7281ae9f6688c23f5727fdd5e390763b4ef9cc2b0bcba68bc730ad54f9a0e3e3b5dbe401ea1260508f3b6dc63ff740e2cc18e510d9d7da0c5e
SSDEEP

1536:6ttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wHle5:adse4OlQZo6EKEFdGM2Sle5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1952	ewiuer2.exe
2300	ewiuer2.exe
1604	ewiuer2.exe
1188	ewiuer2.exe
1684	ewiuer2.exe
2112	ewiuer2.exe
1204	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
1868	68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe
1868	68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe
1952	ewiuer2.exe
1952	ewiuer2.exe
2300	ewiuer2.exe
2300	ewiuer2.exe
1604	ewiuer2.exe
1604	ewiuer2.exe
1188	ewiuer2.exe
1188	ewiuer2.exe
1684	ewiuer2.exe
1684	ewiuer2.exe
2112	ewiuer2.exe
2112	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1952	1868	68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe	28
PID 1868 wrote to memory of 1952	1868	68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe	28
PID 1868 wrote to memory of 1952	1868	68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe	28
PID 1868 wrote to memory of 1952	1868	68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe	28
PID 1952 wrote to memory of 2300	1952	ewiuer2.exe	32
PID 1952 wrote to memory of 2300	1952	ewiuer2.exe	32
PID 1952 wrote to memory of 2300	1952	ewiuer2.exe	32
PID 1952 wrote to memory of 2300	1952	ewiuer2.exe	32
PID 2300 wrote to memory of 1604	2300	ewiuer2.exe	33
PID 2300 wrote to memory of 1604	2300	ewiuer2.exe	33
PID 2300 wrote to memory of 1604	2300	ewiuer2.exe	33
PID 2300 wrote to memory of 1604	2300	ewiuer2.exe	33
PID 1604 wrote to memory of 1188	1604	ewiuer2.exe	35
PID 1604 wrote to memory of 1188	1604	ewiuer2.exe	35
PID 1604 wrote to memory of 1188	1604	ewiuer2.exe	35
PID 1604 wrote to memory of 1188	1604	ewiuer2.exe	35
PID 1188 wrote to memory of 1684	1188	ewiuer2.exe	36
PID 1188 wrote to memory of 1684	1188	ewiuer2.exe	36
PID 1188 wrote to memory of 1684	1188	ewiuer2.exe	36
PID 1188 wrote to memory of 1684	1188	ewiuer2.exe	36
PID 1684 wrote to memory of 2112	1684	ewiuer2.exe	38
PID 1684 wrote to memory of 2112	1684	ewiuer2.exe	38
PID 1684 wrote to memory of 2112	1684	ewiuer2.exe	38
PID 1684 wrote to memory of 2112	1684	ewiuer2.exe	38
PID 2112 wrote to memory of 1204	2112	ewiuer2.exe	39
PID 2112 wrote to memory of 1204	2112	ewiuer2.exe	39
PID 2112 wrote to memory of 1204	2112	ewiuer2.exe	39
PID 2112 wrote to memory of 1204	2112	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe
"C:\Users\Admin\AppData\Local\Temp\68e04a9c198a95e988296549b7a11554ea0d6cf78db53faf805e793dd96e7c6e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P7CIASIZ.txt

Filesize
227B

MD5
5cf0b3a5752eee38f82c9337df09509c

SHA1
7a19c899b2f77c7b9fac6a27195501149abbe477

SHA256
ca4ffe201b3c79cba133468f0f2d835ed122901808d204ceeb30d96dddda2807

SHA512
482204735296384300c3e24b52195fe8227440e45e9ccc2c8fd7eef0441d559cae56533fb4b3dd8bee884982f62abd7daec8b42b621b2415dfaaa773fa405f3c

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
f48cb3679ecbd7df6c9d2c69096945d6

SHA1
57439684a73f92254befb33c100a9573a7fa5622

SHA256
d21d313020ad86a571578a431f89161d7d40a66114080c7b001c230ff1e9d651

SHA512
e409010b3b5bc42b59da6e0036ad59e901268c83ba621b3bb0aa08cedbbcf5eb46829e1866f41fc86574b65fbe8d6de11044d49a6aa10399b471892b9de05f76

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
ac00c00dbd93d1102b58bcea0d9fb1f6

SHA1
947ab28a01c932020d90babb963387a128cc59ae

SHA256
191e7c4ff364120d52445c508b57a0676c37177a6aaf6a8c4c2a7541437d33bb

SHA512
b0d99b802267751ff0dc12383b7b5d5a6927a64ec9a32a02691a9af5a5908767561af6c39cd1da897194452216f2a928240ca4f5a9f96f0fbd35a4277107ec24

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
5e2f274ab36b4a54379303e3e87dfec6

SHA1
ad432041a945b82a1351736f421a3135c77826f6

SHA256
725f53783e6eb9ced3b19674492e6b2d1daf73c5dfd323538348a225e2236aba

SHA512
5c5c5172171ed789b046b6496ef77ee12451d1f78db012b2e704cce1e02b227c49739193b6aba73da1ed8d8c75b375eb00fc5c0782a0d3127623d48a5de18fed

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
ed4b1a24ae8aa12af3393833486cf3a0

SHA1
ad672c8607402a2610e05cbc6e3a9bc4d46b876e

SHA256
55dd94b0bc2549b4ad43863949528332037aa4b260d1bfc4364132330101cdaa

SHA512
a2f6b0816ef880b64e3c2f52971b773203c2601632ca9540bd79adab0f62654f422dbac576757151e6fb7cc7e746928f22be764f5aa4588b446a04aee4f8e02e

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
298fbffb87dd2cc2b4db73e1733afb6f

SHA1
384c492869c40a6edd45690b9b80395bf9023697

SHA256
4fdd42153ca470aca083fcc266f9f0d5ec2a1f1a290ec5ce102afa1cbb015b75

SHA512
185cd9533eb2ed8a757321b393e1af64c45b5d6fd7ee24087e685b21233160d6bc79432c42218b3dd3bd8e20f8d16dad3367fbb16384c8af559e6b5687eee493

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
06ddce9253764c448c74e99150fe1bd0

SHA1
40407c2a590772b2ee2e7177e742009fe837fc1e

SHA256
973213d8cb6407c7f163576b6ca41f1e3dcc590bba9f4243d652765eb514adbb

SHA512
e35506f75b1c19e18a67a2bf9d02b9fa8731a91597d38a1deb4446dc9be4f2ddd548e7e112b0bf565f58a8906ff9a1d8083cbc12625532b9e311fc09abaa5331

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
87e35140bfe008f99ef92f2c165d7711

SHA1
eae61c66bb270cf86effb77ee422ba1f940e26fb

SHA256
161139ed2327f20f6ec138416a445e745d5ae267856b66181fdce7f2fdfcf65d

SHA512
daa317fd9f9549811a50de80846cc00bb4eba33f0517a178cc7a06e5d4e807d05dab00448c2c1036e80f552c85a4b7194992217c65df2dec448b43c2e64e9bb6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads