9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe
Size

65KB
MD5

62c801784034486b748fb5cdc67a9cac
SHA1

711893025f67f5a153d235e3b4e155b3347ecefe
SHA256

9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f
SHA512

b7ec0133ddf63de242329905ba3c8d3d018f7117a500ad7c4470af678cad6872ac03efdb6977db4725be80e1852ac9fedd7ac238aa2385c5321a219ee274c2f0
SSDEEP

1536:Tttdse4OcUmWQIkEPZo6E5sEFd29NQyA2w6TNle5K:zdse4OOQZo6EKEFdGC29le5K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2184	ewiuer2.exe
1632	ewiuer2.exe
2756	ewiuer2.exe
1436	ewiuer2.exe
2232	ewiuer2.exe
2068	ewiuer2.exe
1460	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2132	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe
2132	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe
2184	ewiuer2.exe
2184	ewiuer2.exe
1632	ewiuer2.exe
1632	ewiuer2.exe
2756	ewiuer2.exe
2756	ewiuer2.exe
1436	ewiuer2.exe
1436	ewiuer2.exe
2232	ewiuer2.exe
2232	ewiuer2.exe
2068	ewiuer2.exe
2068	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2184	2132	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	28
PID 2132 wrote to memory of 2184	2132	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	28
PID 2132 wrote to memory of 2184	2132	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	28
PID 2132 wrote to memory of 2184	2132	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	28
PID 2184 wrote to memory of 1632	2184	ewiuer2.exe	32
PID 2184 wrote to memory of 1632	2184	ewiuer2.exe	32
PID 2184 wrote to memory of 1632	2184	ewiuer2.exe	32
PID 2184 wrote to memory of 1632	2184	ewiuer2.exe	32
PID 1632 wrote to memory of 2756	1632	ewiuer2.exe	33
PID 1632 wrote to memory of 2756	1632	ewiuer2.exe	33
PID 1632 wrote to memory of 2756	1632	ewiuer2.exe	33
PID 1632 wrote to memory of 2756	1632	ewiuer2.exe	33
PID 2756 wrote to memory of 1436	2756	ewiuer2.exe	35
PID 2756 wrote to memory of 1436	2756	ewiuer2.exe	35
PID 2756 wrote to memory of 1436	2756	ewiuer2.exe	35
PID 2756 wrote to memory of 1436	2756	ewiuer2.exe	35
PID 1436 wrote to memory of 2232	1436	ewiuer2.exe	36
PID 1436 wrote to memory of 2232	1436	ewiuer2.exe	36
PID 1436 wrote to memory of 2232	1436	ewiuer2.exe	36
PID 1436 wrote to memory of 2232	1436	ewiuer2.exe	36
PID 2232 wrote to memory of 2068	2232	ewiuer2.exe	38
PID 2232 wrote to memory of 2068	2232	ewiuer2.exe	38
PID 2232 wrote to memory of 2068	2232	ewiuer2.exe	38
PID 2232 wrote to memory of 2068	2232	ewiuer2.exe	38
PID 2068 wrote to memory of 1460	2068	ewiuer2.exe	39
PID 2068 wrote to memory of 1460	2068	ewiuer2.exe	39
PID 2068 wrote to memory of 1460	2068	ewiuer2.exe	39
PID 2068 wrote to memory of 1460	2068	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe
"C:\Users\Admin\AppData\Local\Temp\9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0LYDHL6T.txt

Filesize
227B

MD5
dec9cac01e91d314a02b7878473e10e4

SHA1
571476751b5dc09cefe1fd6c8d21c85ff0f1444c

SHA256
4f3a185634fc6432d705ecc58e23995252335e11bb0e860a48d5569cf7b2fe66

SHA512
daa29e88584f809f3ebe99092fc68eec5a0af87dc40040b0ada56e585bd5a861a6ac41ca7d84c425397649eb9c8dda8c706a84d7c0e7075db25fbb8073025677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\28PG9NAF.txt

Filesize
228B

MD5
9be57e710e4ed58f46dac88af2689a89

SHA1
fa86cbe076f40808bfebb56a2e66715d1a9b1f11

SHA256
09fef545acdf0a228f21a6c7c34809e4147102779f6e8dbdf1c242b5c250f0b1

SHA512
6e48c0aa2bcd09c8ec3724b88ea7bb64ea7cac63a9df3f1eaa21316a116c5a8ca849ae4d8ad827f5fbace5661290c50293966b14825e11a58db3c5fe3b017aa3

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
89012b892bd1eea74899222874eb25c7

SHA1
ebfd1576a7573d84fded655878d70c0c07b1f2df

SHA256
6b02f96005ab3c86368fa5e5ec001c8c15789582bd382f850286ad81450422ee

SHA512
d652de04887a4e1d1330abb8da19cc8fbbf1ad1088768cec19e63cd9984ed7ef73004455ef63a04c473c2b85e618da6c450a58a5496f9696faa3199d5ae6e1e5

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
4d4e46558541974cc2a899342ac46c0a

SHA1
e130f0f6d289cf0078812a14ade8dcf04e684fe9

SHA256
c38f2d0cb433f41c3644d2f084ded04c188af748bea4c43ab0b166c65c098235

SHA512
33ea67dbaf03796881f48085754320e8a36a082472498049611e2ad84d3527c914411d9d71297fda0d83dde6c2b1e56a13c80822f0f4ea554f1c3c0ff8ced6b3

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
c8837c73bc6cf62f4da740017b4273cb

SHA1
21365e2679d8ae32da1464ca327eaadb0f3fe13d

SHA256
2402d0d623dbe557ebcdad8089fa98a90fea58e609c418ddab20af439a81d5e3

SHA512
1a0ce007581427141bdba3e9369b2a7843c72f7059a84936a0b7c8f102c4bdd250f8d65027232af01bb5b08630a181251a58f0c78de602e9fc32d72d585faa3b

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
a1e88143ad9223432d4c83d21ac26cbf

SHA1
d17345bcbdba50f37e9267ea50f0f621374394de

SHA256
c08d0dd52dd66505d63680c8d735371920f15c1f62693e1f16d3cc5d67d7ea4c

SHA512
cc81eed78fa741b19f521111b11f8e1c2eb6a6bcb70b5762640cb5d6c4031bd4045d788f26e7adc4799e076e8344a7c404cfee2fbce715344585dfe98fcb7c47

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
fc1da812650ad9f2cbb2edaf416089b7

SHA1
b4f51fef44cc7bf214648343a568593d3a74fd32

SHA256
dfe391adf269fa1148afa20fab098cb39458cf3099050d74d39f6ebec46c5f46

SHA512
5d0e2c0fd95a0f0402834f83f1214329f2149d36aa69200a0858dc7c77e439b9f49a550a0c249d4478ce685794b361819a46c97f980b488afdff6d667d59445b

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
9d3b14fb02fdbbb1c10d7cf4c9528219

SHA1
2c93a230541b51a86b11672f11a524e103c861f0

SHA256
8aa645e56f9005ff4056278a2fdf44c14041892d0c237ae7c19541a71bc08288

SHA512
eb751f9d48a965974e2b9601d24af3b67bdb42631dc3f469fcfbbe374f7cf6f481faa43493ebd1dacbddd582fcf3e7b20277e092355e68760a2fd07120729b89

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
7e77f261f7fa12f906824f335b7608df

SHA1
b452c5bc51e3fd476c31e95a0172bd531f3a30fe

SHA256
2c7d5b198c402cc7938ddacb0efad302df0a3b647d49bae673ad6ed87a932c75

SHA512
5e9a9ff1d7c4c289ecab266045e9b9827eb880be37b745ff15bb4238ef4cd41206a0d903e1a466b45b5c7a692fe63de126f80c53ff2e90443fe7881a0572f271

Download Submit
memory/1436-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1436-54-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1436-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1460-86-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1632-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2068-79-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2068-85-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2068-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2132-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2132-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-17-0x0000000002130000-0x000000000215A000-memory.dmp

Filesize
168KB

Download
memory/2184-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads