Analysis Overview
SHA256
0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73
Threat Level: Shows suspicious behavior
The file 0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:05
Platform
win7-20240903-en
Max time kernel
116s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe
"C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
Files
memory/2236-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | d3e6d918a6428d6be9e3087685c2553d |
| SHA1 | d943abab1d3581806fbba2c6031f29567b630e61 |
| SHA256 | 2bec897a3be47dbba3a48329cf1e7253ab2a1125b8d05e3e7a06df565fa2295e |
| SHA512 | dc378469620de638a953820226afa92e01926f10f75702d04e621746b1103934492db76b1ca15aead5127faca7c457011c1d85e62ebd95d9a49dcd79728f6c72 |
memory/2236-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2184-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2184-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 945129048d9b11f39ae396538616727e |
| SHA1 | 0bbafd45f1e4142e8a5456643f12d71fc560d748 |
| SHA256 | 71f3b676e3ac97750aef6c069d889e7441f453686c6e6555e6f3a664e57b686f |
| SHA512 | b378b3fbd8033554eb71c8b94bea70ce6916a52cf6e7f4bada69480657c5425390f0ceefdd8bda58622a305c54011790b7ac40aab7d6806d937816b6583b9bf2 |
memory/2184-17-0x00000000023F0000-0x000000000241A000-memory.dmp
memory/2184-23-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2508-29-0x0000000000220000-0x000000000024A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | c7da8664a33d4202df40e98465fe7d84 |
| SHA1 | 69ad964b1bf430950fc21912c28ecff3479ebe24 |
| SHA256 | 633d43e67993cd07da574db01fbf005c66b72cf2f90adc93596130e76b8dbfa6 |
| SHA512 | 854341381c5c557ff77db88682e1d3a601a1e7a68c3dd08171a7af103df18fdc0c59258502814090e71c6ce08952acc06be2245e9afefa64877a67b74c14e910 |
memory/2508-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2600-37-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TONYS52K.txt
| MD5 | f2ea166a16be9d6b554e024f3e2bae76 |
| SHA1 | 557b6ee2e440200e2d934531fb88d7cbb5322806 |
| SHA256 | 446812867671e857644f3a27e54cc0e002c67f97f25db8e6258a29885248ce10 |
| SHA512 | 35acd0476a01914911be964c1aeb0f18cd028e293e810293cb8bac06382b0728048d078370a5e05358b4d4d923f09138871d7739fb46c3b9905a61225a087a78 |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 5cf90ad0df7ff3dce0eeab7547099201 |
| SHA1 | 486f9bcedd3f6d6aceb1a3fa169cefbd48126e57 |
| SHA256 | e15f163f900d9d59148164e23541056d3bf0dfa8757e7039f1ead0490ceb8761 |
| SHA512 | 8fe66ed9d385ddbd9fa42ee8e0e51696af2cc07503a87bc74c4bdb8c40182ef432ffa19c08ae3bdfd885daf397e2eba5405fee99aca618b78e26224d1be089e6 |
memory/2600-49-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2600-43-0x0000000002150000-0x000000000217A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 69e1dd94378f02e9ce5428211f76f8b5 |
| SHA1 | 4a145170ef31fbe53190d656345c6d763d27899b |
| SHA256 | dc5ef6cdd5fb28f0efe6b102861676a6413b550396e8b7be65c232c5b503b84e |
| SHA512 | b079a9cb55adf977c9b9a0fadf813b8c0e3ec3408b21cf2448f9258698b101b9516be0ce706a1af91bcb1bb376b0dad20a31f8f78d8303ef928e557e2c79b82d |
memory/2264-54-0x0000000000250000-0x000000000027A000-memory.dmp
memory/2264-59-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1908-61-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1908-63-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:03
Reported
2024-11-09 22:05
Platform
win10v2004-20241007-en
Max time kernel
113s
Max time network
116s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viesazm.mpk | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4040 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| PID 4040 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| PID 4040 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| PID 2620 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe |
| PID 2620 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe |
| PID 2620 wrote to memory of 3420 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe
"C:\Users\Admin\AppData\Local\Temp\0709403fa3ae2de4de90f3edbf33ed2ddc727205e73cd4e616fe23beaa68dc73N.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 15.197.204.56:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 56.204.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 15.197.204.56:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
Files
memory/4040-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | d3e6d918a6428d6be9e3087685c2553d |
| SHA1 | d943abab1d3581806fbba2c6031f29567b630e61 |
| SHA256 | 2bec897a3be47dbba3a48329cf1e7253ab2a1125b8d05e3e7a06df565fa2295e |
| SHA512 | dc378469620de638a953820226afa92e01926f10f75702d04e621746b1103934492db76b1ca15aead5127faca7c457011c1d85e62ebd95d9a49dcd79728f6c72 |
memory/2620-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4040-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2620-7-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3420-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | a2e7d78d3c8392f191fbfc7d40407713 |
| SHA1 | 3bd24e84a94b6c81a929845de1c6e529581ca951 |
| SHA256 | 1bbad225e67e54211932313da722964fa7c3e21609eaadad5efab17ee5207959 |
| SHA512 | 23af2030c4cc8d3e60d5f4f82aba6505d8d3ef9750b85a61414e94b75bf2ee2f3c10c829f2b6dc318d058bc31155af09954e2a35a6c2532a9533b1f40f90c802 |
memory/2620-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3420-14-0x0000000000400000-0x000000000042A000-memory.dmp