f2fea660a69ac61119f1a30bbe9dfe157aef6c40e73c3874a500143a7b26c6f7

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cwelium.exe
Size

12.8MB
MD5

3c7cc2f565f73dbc7fdee28123ff395e
SHA1

10f2272b6ed44b3d2e1dd8df348b6bb41dea631b
SHA256

f2fea660a69ac61119f1a30bbe9dfe157aef6c40e73c3874a500143a7b26c6f7
SHA512

5be5f258b2ec9ca36327be7c365a73e8f5a8dfeb17b2cfc0c3fa2d2ac78165a04aeda996aac37359301cb94f5354ade325ed22221c3725f33ec544e047108247
SSDEEP

393216:u2oxNgBt5DbyvSlshkEQNOuHJjJHl9uqrUP9s/GU:fof65HoA8QNDjBl9Wa

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2192	Cwelium.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	Cwelium.exe
2192	Cwelium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2192	2492	Cwelium.exe	31
PID 2492 wrote to memory of 2192	2492	Cwelium.exe	31
PID 2492 wrote to memory of 2192	2492	Cwelium.exe	31

C:\Users\Admin\AppData\Local\Temp\Cwelium.exe
"C:\Users\Admin\AppData\Local\Temp\Cwelium.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\onefile_2492_133702481554632000\Cwelium.exe
  C:\Users\Admin\AppData\Local\Temp\Cwelium.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2492_133702481554632000\Cwelium.exe

Filesize
14.9MB

MD5
85452c040e2544776e82360b7f60f9ce

SHA1
e7cb0729a4e947888640d2a3ec3b9880fd916c03

SHA256
38aded4243c21eccd4e06810fb00c3df9e59c249b19ecb08f1d55aa57576e2c2

SHA512
2f0d5fb0414a784a2370463ddb911a30cee56d694ffad2ee619cd409da4ee3214fb95ed9823877a3f114e7c97e7b2da50c367a85bbdbf4e87747fa4936fcbcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2492_133702481554632000\python311.dll

Filesize
5.5MB

MD5
5a5dd7cad8028097842b0afef45bfbcf

SHA1
e247a2e460687c607253949c52ae2801ff35dc4a

SHA256
a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce

SHA512
e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

Download Submit
memory/2192-29-0x000000013FAD0000-0x00000001409F5000-memory.dmp

Filesize
15.1MB

Download
memory/2492-53-0x000000013F480000-0x0000000140172000-memory.dmp

Filesize
12.9MB

Download