f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6

Analysis

max time kernel
140s
max time network
140s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe
Size

61KB
MD5

6993c1e0d5b5a87642090cfb6d4aa01c
SHA1

20c8a850739b80d873e9ad4e6c0614de9b4bffa6
SHA256

f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6
SHA512

a912b233a3b6aad0703fe935b88177b7dc3cf1109ec8f3b253b189ef5e262c9d7b49469dfd0cf3adc340629040c0a85c35451e37c2f74457257f8f8e834b97fa
SSDEEP

768:AeJIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uA:AQIvEPZo6Ead29NQgA2wQle5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1792	ewiuer2.exe
2524	ewiuer2.exe
2164	ewiuer2.exe
1412	ewiuer2.exe
2928	ewiuer2.exe
1688	ewiuer2.exe
832	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2008	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe
2008	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe
1792	ewiuer2.exe
1792	ewiuer2.exe
2524	ewiuer2.exe
2524	ewiuer2.exe
2164	ewiuer2.exe
2164	ewiuer2.exe
1412	ewiuer2.exe
1412	ewiuer2.exe
2928	ewiuer2.exe
2928	ewiuer2.exe
1688	ewiuer2.exe
1688	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1792	2008	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	28
PID 2008 wrote to memory of 1792	2008	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	28
PID 2008 wrote to memory of 1792	2008	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	28
PID 2008 wrote to memory of 1792	2008	f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe	28
PID 1792 wrote to memory of 2524	1792	ewiuer2.exe	30
PID 1792 wrote to memory of 2524	1792	ewiuer2.exe	30
PID 1792 wrote to memory of 2524	1792	ewiuer2.exe	30
PID 1792 wrote to memory of 2524	1792	ewiuer2.exe	30
PID 2524 wrote to memory of 2164	2524	ewiuer2.exe	31
PID 2524 wrote to memory of 2164	2524	ewiuer2.exe	31
PID 2524 wrote to memory of 2164	2524	ewiuer2.exe	31
PID 2524 wrote to memory of 2164	2524	ewiuer2.exe	31
PID 2164 wrote to memory of 1412	2164	ewiuer2.exe	35
PID 2164 wrote to memory of 1412	2164	ewiuer2.exe	35
PID 2164 wrote to memory of 1412	2164	ewiuer2.exe	35
PID 2164 wrote to memory of 1412	2164	ewiuer2.exe	35
PID 1412 wrote to memory of 2928	1412	ewiuer2.exe	36
PID 1412 wrote to memory of 2928	1412	ewiuer2.exe	36
PID 1412 wrote to memory of 2928	1412	ewiuer2.exe	36
PID 1412 wrote to memory of 2928	1412	ewiuer2.exe	36
PID 2928 wrote to memory of 1688	2928	ewiuer2.exe	38
PID 2928 wrote to memory of 1688	2928	ewiuer2.exe	38
PID 2928 wrote to memory of 1688	2928	ewiuer2.exe	38
PID 2928 wrote to memory of 1688	2928	ewiuer2.exe	38
PID 1688 wrote to memory of 832	1688	ewiuer2.exe	39
PID 1688 wrote to memory of 832	1688	ewiuer2.exe	39
PID 1688 wrote to memory of 832	1688	ewiuer2.exe	39
PID 1688 wrote to memory of 832	1688	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe
"C:\Users\Admin\AppData\Local\Temp\f8b7a274aa5894d4549737e18688f0dc49bbdfccc0ebe5e7ad9eb2c6823d61d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7E2YX5VG.txt

Filesize
230B

MD5
efde03092a8771106c5dea7c5b21ef6a

SHA1
7397af99ed3b7efaaef29df51a76e025a52aa274

SHA256
735b482c408b5ff4fc81efe21a4b447ef27e80ba8ee3acb3f3a21cefee7c6c96

SHA512
57e4adff0d737d414f5b195663c72d7d0fda0349f4a823605a68394c66e8a6a550bbd85504ef689a382a05d42d0bb1aa1a87e84c3ce7ae358599110b39ef8142

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DFG92DN7.txt

Filesize
229B

MD5
8d25c5b43fc842769865a220d89ed360

SHA1
7719c45f8decee6aa8e37141e5e3ce0af1aa0f03

SHA256
2fdc9a61d5e3365778903b789ad2b85375ff5e79619fa561577d3c5acfda95b0

SHA512
10e236fb60aaa7ee24c45f2944e5f4686df20c940425f1b7d8536187bcbc48010438e616aa3c439a60a26e15171e6d24875d88906a89d217ab4cd42635b1cd68

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
97b449fd3820dec2ff820aac155f2c42

SHA1
d64a27d7da497348307fed282ecfcaf19e731891

SHA256
ce225201a639581498f095ec440f2ac3155e5eba679bdc2fabbe9d89137ee145

SHA512
6e4c2cad3b64cd2d76a29278331c0fa8bbe4130988a2b75d8d1bff9c9b1367d29e8ef5ffbf85aae66a79e25d6d33a89e3b6f66ffcdd62656795a1eb0a90da383

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
8ce7450c7c52972abd5de5e48a8f973c

SHA1
0983c21563a09d0a2099144f977d2d38489ccb81

SHA256
92f14cb6dbfd130dc1ba0ac4def510d3d600a31ba0eeaf8eb12eea8d29412e24

SHA512
0d7a2046b774763c6e57d35775ed5b0c0c3210cb75108919dcfa175072938ec595a4c3b1c108626b8247cd4dc3c99c2aa1c495600b0f1f585741d7713d65845c

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
993f8568b42a89b5be640c5ca31f780a

SHA1
a047f7f9f74dd3a74d4f8155dfb7368e7e3bf759

SHA256
b69937bd4460fe0d2617a1d830d2235bd05c60a0cba98c3e94476bb325760837

SHA512
d74d522390086a385d6114c6b741cfc7c4711f99f91372e654965291518ce4422c9d9b78a058adb366b285b73648d143b861e19f5304f10353b0b5618b1607de

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
8b3326d8b8a577c439212c47dde81bbc

SHA1
4b86f40cd555e75ef0eb669d6ae69672c020399f

SHA256
49cb9663bf45aa45d59ffe7a7fe74018495acb23778478b21339687a358665f1

SHA512
62c491f1fef68f9b8402889c5f4d28787f47ac7e4668af58051e2df3518f38728e52304c10fecebf3c3a79b5d57c2ab79b6495cf85794d46451cadf573089a95

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
9764b9076fbdadf2144cb8cd21513de2

SHA1
db3ea18f04e67032c424689432d332d10b2350f2

SHA256
b3f77c2d9c6f84abba5f7bcb2a01eafab5a1f5ccea9ef82fdfb264060c88595d

SHA512
9e9e53eedb0510495aace6f18082c4bf718a1a1c3aef3782cc1cd6096d77a1774a3015e5129caac889ac894d75259a0e9dcfb138f1052d3a741b0a4a9adefbb7

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
df7c872b80785cd2c1e48cfc68ce22ee

SHA1
1744c44244cead3d246d5f5044c06b88032d7883

SHA256
32fa2f4df5ab5b38fd9267fa0291690342b338345ea830ff297a5d093774ad7c

SHA512
e199307c78bf69e3a052d2ecf21ae5bd88db98df2f29d3c48ea389074e2dc3615af84a55929b24b583322d0524f4ff854688ff335e978482e052e9ae96a82b0b

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
be42ec280dcdac4c18704cea991dee39

SHA1
4a785348ddf105a8044ba59a3b80252fc5733c18

SHA256
b6d67368eef441acb37f7818c18ef8a16f1bde159254ea9f73e3ffecf46f529e

SHA512
37a8995a9aebeb2b7e1da20f2ef025ddea5a80eb0baa8d21914fb3bc5b3b075a901ce8a43671c256693c78f617eedcb7eb4580386a5464425739ea9b940ef09e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads