1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe
Size

61KB
MD5

9112f5517726bea964f0d1b411e63a00
SHA1

fe3eb58d7bf859e093c25684aff029238bb52913
SHA256

1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19
SHA512

886b39224e54a5f4f890bdad58e96203676a6c8c66574445a086e513277faa7c7ffd4b1136ae0a6533d72c3629cf927cfddc50b365fda2b16f862eb440a68fef
SSDEEP

768:feJIvFKPZo2smEasjcj29NWngAHxcwKppEaxglaX5uA:fQIvEPZo6Ead29NQgA2wzle5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2276	ewiuer2.exe
1600	ewiuer2.exe
2408	ewiuer2.exe
1668	ewiuer2.exe
1244	ewiuer2.exe
1516	ewiuer2.exe
2420	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2332	1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe
2332	1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe
2276	ewiuer2.exe
2276	ewiuer2.exe
1600	ewiuer2.exe
1600	ewiuer2.exe
2408	ewiuer2.exe
2408	ewiuer2.exe
1668	ewiuer2.exe
1668	ewiuer2.exe
1244	ewiuer2.exe
1244	ewiuer2.exe
1516	ewiuer2.exe
1516	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2276	2332	1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe	28
PID 2332 wrote to memory of 2276	2332	1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe	28
PID 2332 wrote to memory of 2276	2332	1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe	28
PID 2332 wrote to memory of 2276	2332	1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe	28
PID 2276 wrote to memory of 1600	2276	ewiuer2.exe	30
PID 2276 wrote to memory of 1600	2276	ewiuer2.exe	30
PID 2276 wrote to memory of 1600	2276	ewiuer2.exe	30
PID 2276 wrote to memory of 1600	2276	ewiuer2.exe	30
PID 1600 wrote to memory of 2408	1600	ewiuer2.exe	31
PID 1600 wrote to memory of 2408	1600	ewiuer2.exe	31
PID 1600 wrote to memory of 2408	1600	ewiuer2.exe	31
PID 1600 wrote to memory of 2408	1600	ewiuer2.exe	31
PID 2408 wrote to memory of 1668	2408	ewiuer2.exe	35
PID 2408 wrote to memory of 1668	2408	ewiuer2.exe	35
PID 2408 wrote to memory of 1668	2408	ewiuer2.exe	35
PID 2408 wrote to memory of 1668	2408	ewiuer2.exe	35
PID 1668 wrote to memory of 1244	1668	ewiuer2.exe	36
PID 1668 wrote to memory of 1244	1668	ewiuer2.exe	36
PID 1668 wrote to memory of 1244	1668	ewiuer2.exe	36
PID 1668 wrote to memory of 1244	1668	ewiuer2.exe	36
PID 1244 wrote to memory of 1516	1244	ewiuer2.exe	38
PID 1244 wrote to memory of 1516	1244	ewiuer2.exe	38
PID 1244 wrote to memory of 1516	1244	ewiuer2.exe	38
PID 1244 wrote to memory of 1516	1244	ewiuer2.exe	38
PID 1516 wrote to memory of 2420	1516	ewiuer2.exe	39
PID 1516 wrote to memory of 2420	1516	ewiuer2.exe	39
PID 1516 wrote to memory of 2420	1516	ewiuer2.exe	39
PID 1516 wrote to memory of 2420	1516	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe
"C:\Users\Admin\AppData\Local\Temp\1e4c942efee2461881b765f4ff90f283abdaf1a3dee4365fe70d7207e47c6a19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LOQSQDN2.txt

Filesize
227B

MD5
990ef560b630cf92c5c0eac73880ce8f

SHA1
4cf91296ab9f76571a8980e3f1bc3377b5bf7c43

SHA256
8b7db216e50c4157503c050b5bf4b2ce1279550086f5b38bef7146c93053fd17

SHA512
3f15e7d4930bcfe6ec48fd8d483bd0a5c09ca3a39b2671d48e2407ba5fdf6b4e9541af73bdaa125835d3d714ce8fdec4b15c1b3d287b18901100c81bcd710acf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NH5V1U9U.txt

Filesize
228B

MD5
08dc162c75d4eed804e1f2a8be313d9f

SHA1
7853c3a8d09136b506d9b0d13f262c0ed55acba9

SHA256
c2350454bcbbb304d2dd90b4d9d545ae6c5a2f998b8c9b2de1cdbb87f000f5c5

SHA512
645b5a6692071588fdbb25fb75ed275d17150c974d3446ba172f195381189e2022d2d4915410eacba7ea6662cf9942a2c2380598be36b4265b8603f62359378b

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
f4ca37a5e6371621e380b17358ac721d

SHA1
c49a8ad2302ec66221e2604601fe5ff9004ef7c1

SHA256
10d3be8d7bfafc262f194d7a88956f081a368efce200269a53f6c60cbbd9d5e9

SHA512
f1d52251e18f3310c0e3eb5b9a06eb2d199be9223b12687f7e3657c69710e4eca8acb3a78b3b23f813d50d98aa6df56901cc80bcbcbba9bae7f604bac052868b

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
c1bb04afcfa7139077b1fe0030849ba8

SHA1
6c2d1d7a4c38a819050e6eebff2003be2e5a68d0

SHA256
21c14b50e80260c70fa969b3ea6d66479a08088031d89a2d16ae80b27dd12679

SHA512
d2df0524bfe132d280322926752f70fa7c4e5d4c3a8621ca56eafb106c4e09b4bd8c2c73de1615de82ae8b64daa754fafe03649555c8257c10c30188af403cf6

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
7c808d75d04cb7219865505325456c33

SHA1
3391ca4cfe0faec843f1928e511dd9dfdd65a320

SHA256
e07530db3bd6b6f648334d4047709a939a44e79de3329041152b7c4aa6fe6951

SHA512
a9f746225bcc4da0eca87b630f10dc1dba6f2b9413c0a1c39a9fbbe99b563af9369e071ec3b44191d6b743ec89cc0a7fa705f943e745ff5d5bbe31d93d67ca03

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
fcc6e925dcced7073f476291b30afde6

SHA1
7515fba04f3c9415fd003a8a13bdb60ec0a3facb

SHA256
18d1ef5fde632d092a272ad2105d2bb342541d921a587c0c63697d7f13a08f23

SHA512
98fdbb01311405d46536bef323384b2909f56f18fcc8a4aa346b6ed6e4303a912dd8ce47e52f6f535e8ce99d817612c6b24eeeeaa19d3936c903d29c310fa809

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
3d18ed9a0b3ff5360f5fb4ed7ff0d951

SHA1
ee0657a2f21b029a563b2ea300b21ed8be1bb1d1

SHA256
d868e7779c599ddffd9b75f4127d044256c9ca80fff6be5f4f4ad37d29db1b21

SHA512
2af39b2eb1669440d27e5da5cbf83317f8fc732925b4366b4460431149fbf42317c84f1bae786c8f6d0cf6af39c8151044d87f951559260fadb5bcdbb9a21ea9

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
1ec4756be98f811b430622f995859f18

SHA1
8f9f05e3b522da5a9b8fe26fcdae11fc1538cb8a

SHA256
174479feb43bdea2516f894c2948266870ae229b0a72f65d8a4818efd277bae0

SHA512
d50f3793b61ecffe2d69eb96f9ba1ae9a4c83c6e480dd1c500386dbc1fbc20f30344a13d76f9c8250145aa9d612376605db7081aaa2b10ff8be27e428057fc6c

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
f6f1f755da148d751038edbd665f6665

SHA1
d0506db71adffa687fed970c7c0caaab1c159928

SHA256
9074bebb122db9ff0a7e76a985ac53414c76b97639cb56b07e752d142b8828a8

SHA512
f4df249de3236a5b9d1c7afa9c201ffcb2d2d2747f1da629c5c5f0302cc0c5969ba1d10a4046442c0f913d9670a259de473931b20630148d46dee8046fff2d47

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads