Analysis
  max time kernel: 152s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-06-2024 23:36
Behavioral task
  behavioral1
  Sample: 7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe
  Resource: win7-20240221-en
General
  Target: 7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe
  Size: 623KB
  MD5: b3c93663d9ff1c807ccfd89d296d009b
  SHA1: 054917c3e37da49916f252213a98b79c9017bb77
  SHA256: 7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15
  SHA512: dbe0e141b6cc36138761761940feebaabffbfd45638630ff08242c0f55a3a3ccf32b7f07cac9ce537f28fc952cdf351a672f799a200f272c345f04e89c0bd69b
  SSDEEP: 6144:imbmLppYOuakYGWV5Q4XMxvQ4x1OpGcm9VQl0lM/oJ4/gupXWy7:ima6idv8zzkGHVqoq/gKWK
Malware Config
  Extracted
    Family: urelas
    C2: 218.54.31.226
        218.54.31.165
Signatures

  Detects executables built or packed with MPress PE compressor (6 IoCs)
    resource                                                                      yara_rule
    C:\Users\Admin\AppData\Local\Temp\ygdup.exe                                   INDICATOR_EXE_Packed_MPress
    behavioral2/memory/3432-24-0x0000000000400000-0x000000000049F000-memory.dmp  INDICATOR_EXE_Packed_MPress
    behavioral2/memory/3432-28-0x0000000000400000-0x000000000049F000-memory.dmp  INDICATOR_EXE_Packed_MPress
    behavioral2/memory/3432-29-0x0000000000400000-0x000000000049F000-memory.dmp  INDICATOR_EXE_Packed_MPress
    behavioral2/memory/3432-30-0x0000000000400000-0x000000000049F000-memory.dmp  INDICATOR_EXE_Packed_MPress
    behavioral2/memory/3432-31-0x0000000000400000-0x000000000049F000-memory.dmp  INDICATOR_EXE_Packed_MPress

  Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up country code configured in the registry, likely geofence.
    description        ioc                                                                                              process
    Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  luuwl.exe

  Executes dropped EXE (2 IoCs)
    pid   process
    3428  luuwl.exe
    3432  ygdup.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   process
    3432  ygdup.exe  (the same pid/process pair is recorded 64 times)

  Suspicious use of WriteProcessMemory (9 IoCs)
    description      pid   process                                                                target pid  target process
    wrote to memory  5064  7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe  3428        luuwl.exe  (recorded 3 times)
    wrote to memory  5064  7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe  4924        cmd.exe    (recorded 3 times)
    wrote to memory  3428  luuwl.exe                                                              3432        ygdup.exe  (recorded 3 times)
Processes

  C:\Users\Admin\AppData\Local\Temp\7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7ebbaa2c0a43e7490253fdef9453897837e9bae07f1010dddec7198a95c27f15.exe"
    PID: 5064
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\luuwl.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\luuwl.exe"
      PID: 3428
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ygdup.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ygdup.exe"
        PID: 3432
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 4924

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    PID: 404
Network
MITRE ATT&CK Enterprise v15
Downloads

  C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize: 340B
    MD5: 6dfc2b3349970e9e93fb240ce34f9b42
    SHA1: fd0f3790de2195de5d6d04e04dff812bf7aa6da6
    SHA256: 5eea7030fc50e1ffc7fb4f116ad36e9a34318c5ce5abfd6d5c9431a089ed49ad
    SHA512: 7dc62edd9bf1f4a82ecf6063497da1ed7474b7a556f2d5ca801b9dddea529786144d18799a7378491fe368cdef5a251a915f1856bc6f045a83ac602a9ebc3885

  C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: a0b317548a02ef4a9302bf61a081517a
    SHA1: d45c4a72dce538ae4ee0138a4d431a490d50bb75
    SHA256: c64c412b12e57cf541df1f9bf0ccbd732579fe40b849c20cf5c3ce3466138884
    SHA512: 94b4cf229809797cafc54f58331cd1dfeaab07ae95f9829cc1dfa2b9533826e395291f6ac42207391a9ec09a76c079262f20d2b998b1de1fe0fd4780b3c275d9

  C:\Users\Admin\AppData\Local\Temp\luuwl.exe
    Filesize: 623KB
    MD5: 2c44b32204c229332a703b6f171b232a
    SHA1: ca138990be0be8cfb81e30a82d4a913679ba43e3
    SHA256: 21e09148dff379aa86f309284345d119324897ddaaa1024a03b9642296bae4a0
    SHA512: 7a553ecad1a001dfb8c8428ccd8a0c27b1a4d4af38bb935978c7a74bafa986a96b4aa0b72625833c26f836757fa1342976a5319c2ab9eeee22b597fe34440b9e

  C:\Users\Admin\AppData\Local\Temp\ygdup.exe
    Filesize: 203KB
    MD5: 0a88f75da011d818dca07c7e49bd12ca
    SHA1: 53cadbfcbf447c42ef93918b16f9d0eb30ad799d
    SHA256: 957ad7bb33cca0aed87fdb1a37b209ccd00ca90fae8eb47767ea0d3ccc53e9a3
    SHA512: 38f7f725e94c48b035716ea85468bdd7246d243c5b7daa77b6cef43269df5eaa4a8dbb25230242e004b3a6dee01eef2a138c6b8e11c60fe42b5c17e196775cc9

  memory/3428-25-0x0000000000400000-0x000000000049B000-memory.dmp
    Filesize: 620KB

  memory/3432-28-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize: 636KB

  memory/3432-24-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize: 636KB

  memory/3432-26-0x0000000000492000-0x0000000000493000-memory.dmp
    Filesize: 4KB

  memory/3432-29-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize: 636KB

  memory/3432-30-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize: 636KB

  memory/3432-31-0x0000000000400000-0x000000000049F000-memory.dmp
    Filesize: 636KB

  memory/5064-14-0x0000000000400000-0x000000000049B000-memory.dmp
    Filesize: 620KB

  memory/5064-0-0x0000000000400000-0x000000000049B000-memory.dmp
    Filesize: 620KB