9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f

General

Target

9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe
Size

65KB
MD5

62c801784034486b748fb5cdc67a9cac
SHA1

711893025f67f5a153d235e3b4e155b3347ecefe
SHA256

9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f
SHA512

b7ec0133ddf63de242329905ba3c8d3d018f7117a500ad7c4470af678cad6872ac03efdb6977db4725be80e1852ac9fedd7ac238aa2385c5321a219ee274c2f0
SSDEEP

1536:Tttdse4OcUmWQIkEPZo6E5sEFd29NQyA2w6TNle5K:zdse4OOQZo6EKEFdGC29le5K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
544	ewiuer2.exe
3680	ewiuer2.exe
2128	ewiuer2.exe
2476	ewiuer2.exe
4924	ewiuer2.exe
1232	ewiuer2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 544	920	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	84
PID 920 wrote to memory of 544	920	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	84
PID 920 wrote to memory of 544	920	9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe	84
PID 544 wrote to memory of 3680	544	ewiuer2.exe	97
PID 544 wrote to memory of 3680	544	ewiuer2.exe	97
PID 544 wrote to memory of 3680	544	ewiuer2.exe	97
PID 3680 wrote to memory of 2128	3680	ewiuer2.exe	98
PID 3680 wrote to memory of 2128	3680	ewiuer2.exe	98
PID 3680 wrote to memory of 2128	3680	ewiuer2.exe	98
PID 2128 wrote to memory of 2476	2128	ewiuer2.exe	99
PID 2128 wrote to memory of 2476	2128	ewiuer2.exe	99
PID 2128 wrote to memory of 2476	2128	ewiuer2.exe	99
PID 2476 wrote to memory of 4924	2476	ewiuer2.exe	100
PID 2476 wrote to memory of 4924	2476	ewiuer2.exe	100
PID 2476 wrote to memory of 4924	2476	ewiuer2.exe	100
PID 4924 wrote to memory of 1232	4924	ewiuer2.exe	101
PID 4924 wrote to memory of 1232	4924	ewiuer2.exe	101
PID 4924 wrote to memory of 1232	4924	ewiuer2.exe	101

C:\Users\Admin\AppData\Local\Temp\9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe
"C:\Users\Admin\AppData\Local\Temp\9f7dd2cd1562cbc0ff7637149f8fbc2cdde1a7d61c9e87c21ebe5c969b66cd0f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
43451056308a504afbca79c8795b39f6

SHA1
458f0055a3f7c5295091b1b6955c9673336681a3

SHA256
63198759fddf6ed2174b74c73c5ded2ad5afa6459c89dd53bf5733a00e7fe660

SHA512
b3b3b8a5bcf76788a77d5bdb0f102320e82dc0826e35512620025b0ce8997894191e7cdd30020df51f0afc481a22ed5a6bc8a24f45af81744a3946cf7271b419

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
970dd6be495a9d93e9849badc2e2e837

SHA1
011f49b56b9b9327e798c2940fe2a91831f28939

SHA256
9b5f0e69a087b35ee2847d9e14d38cdabe3e6763c086724be2e2f8c329a014c8

SHA512
52c2239511fdb8fcd776188495a03e394d2d905337f2cef8b61b86e717093206aec877ba5ba77ab614aa920de79cbcc8b050d74a38f06bf2bf9d97452a92a426

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
c8837c73bc6cf62f4da740017b4273cb

SHA1
21365e2679d8ae32da1464ca327eaadb0f3fe13d

SHA256
2402d0d623dbe557ebcdad8089fa98a90fea58e609c418ddab20af439a81d5e3

SHA512
1a0ce007581427141bdba3e9369b2a7843c72f7059a84936a0b7c8f102c4bdd250f8d65027232af01bb5b08630a181251a58f0c78de602e9fc32d72d585faa3b

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
c94380a719e1bf5915ddbfe3a12450dc

SHA1
5ae16d86e567088d34eedc37821162fa42dc920d

SHA256
b3e9ca6e23df618734a1bfebb706521b3c823f96dbb9b4099e54d04b0f3fb40a

SHA512
397725d3f63de2d6f01fa7f60bd5fb0baf87bf06715d104def095bb187d72ca41f7c91c0c7810703fe0c81e0993269bc4e549cefd9804491f15b711d209f2ca0

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
b185a4b511fd56ed978a7862375326da

SHA1
eb4ff165a36e9d2193333a8df6b88e4019a19086

SHA256
034bc09928b9c7117e30a7f975f948dc5c12a8ea43e18133eac3cc8f1673bdc9

SHA512
e812db44d1028205dedef7c660e73231e8b49841dae6a9cab87416f2eed2fb1c027e7c7c1dd93ce195c00f9d8655e39824aa78c8de1f0b227e171eeb1f3df016

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
e3802e8e92bc7da553324cacef63ee43

SHA1
53ef6c154c0fefb7caf1e5875ca474c179acd6e8

SHA256
4a79bad2eadd002deece770745c4b1b23b75825f897944584b1bac403bfb7523

SHA512
74d7548b28a26a75008d0cdf3c6c3cede76bb0392ce1c57efcc4eccca6c6bab028439f9c0ed203520424f58d4ea38596475504585f9d7df12b9967d5582dfa94

Download Submit
memory/544-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/544-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/544-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/920-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/920-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1232-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3680-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3680-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4924-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4924-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4924-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads