ac054d99415087d70db0d7d559b8ad709187bcf8fde0bc4a1c4f57d0783c0622

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cwelium.exe
Size

16.8MB
MD5

6b8e3b2d5af2b80646eed6497c9ed88d
SHA1

1c746294a9ec08011e8ed93a6be2d35e77f86f1c
SHA256

ac054d99415087d70db0d7d559b8ad709187bcf8fde0bc4a1c4f57d0783c0622
SHA512

4339fafd4df16c9e183c37b4c0150bdd1f569f27e4b0c265221736dff43ee91c46cec95a5cd926dfa3485c21d6087de468422bd9901942229b53e968c0854b29
SSDEEP

393216:nCirct4Pke6h23GX96ETxjEwS6pEyegG:/5803GX9pT9PS6ppe9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2580	Cwelium.exe

Loads dropped DLL 2 IoCs

pid	Process
1284	Cwelium.exe
2580	Cwelium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2580	1284	Cwelium.exe	29
PID 1284 wrote to memory of 2580	1284	Cwelium.exe	29
PID 1284 wrote to memory of 2580	1284	Cwelium.exe	29

C:\Users\Admin\AppData\Local\Temp\Cwelium.exe
"C:\Users\Admin\AppData\Local\Temp\Cwelium.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\onefile_1284_133615781120158000\Cwelium.exe
  "C:\Users\Admin\AppData\Local\Temp\Cwelium.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1284_133615781120158000\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1284_133615781120158000\Cwelium.exe

Filesize
14.8MB

MD5
3dbe7a1eba14f2251a855b5be4021924

SHA1
db5d0b0552b4b5c0ab1b19dd25ec3c2d11cb8f78

SHA256
4a577967392cb8946d5abae4eaac421f02f8de06694ee33c3dab6ee2c6d32f8a

SHA512
965aec51ad2ea682b0533ab3ff7ecfb8866a2dde2c66180a86de976b05fef385ad504a68a3d57454310e90708e85acb8e2806bbdac2619a2b3b9402466629628

Download Submit
memory/1284-55-0x000000013F570000-0x0000000140659000-memory.dmp

Filesize
16.9MB

Download
memory/2580-30-0x000000013FE60000-0x0000000140D5A000-memory.dmp

Filesize
15.0MB

Download