Analysis

max time kernel:   116s
max time network:  82s
platform:          windows7_x64
resource:          win7-20240704-en
resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted:         27-07-2024 22:18

Static task:      static1
Behavioral task:  behavioral1
Sample:           0be85afca6aaa8cdaae0f26a4a2fc380N.exe
Resource:         win7-20240704-en
General

Target:  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
Size:    6.5MB
MD5:     0be85afca6aaa8cdaae0f26a4a2fc380
SHA1:    0f579d9cffef787f017be324ea1d08c6180ed6e3
SHA256:  8718c0f1b157df2752a6062e070b0a51fabb42d6e1c2e6bc1fea01904d6970c7
SHA512:  e0880a43bf7874668d190f822d68c257a9aee1b6cd40a430d90c54040e22b4fdca91e3a52809d2a5cf83c7a58b9926c3f75bfe47e100029197fbcd9073fc7352
SSDEEP:  98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSA:i0LrA2kHKQHNk3og9unipQyOaOA
Malware Config

Extracted: urelas
  218.54.31.165
  218.54.31.226
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  2776  cmd.exe

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2160  mosuv.exe
  2608  qienpi.exe
  1316  civog.exe

Loads dropped DLL (5 IoCs)
Processes:
  pid   process
  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  2160  mosuv.exe
  2160  mosuv.exe
  2608  qienpi.exe
Processes:
  resource                                                                     yara_rule
  \Users\Admin\AppData\Local\Temp\civog.exe                                    upx
  behavioral1/memory/1316-168-0x0000000000400000-0x0000000000599000-memory.dmp  upx
  behavioral1/memory/1316-174-0x0000000000400000-0x0000000000599000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                        process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mosuv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qienpi.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  civog.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid   process
  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  2160  mosuv.exe
  2608  qienpi.exe
  1316  civog.exe
  1316  civog.exe
  1316  civog.exe
  1316  civog.exe
  1316  civog.exe
  1316  civog.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description                       pid   process                                target process
  PID 1772 wrote to memory of 2160  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  mosuv.exe
  PID 1772 wrote to memory of 2160  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  mosuv.exe
  PID 1772 wrote to memory of 2160  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  mosuv.exe
  PID 1772 wrote to memory of 2160  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  mosuv.exe
  PID 1772 wrote to memory of 2776  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  cmd.exe
  PID 1772 wrote to memory of 2776  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  cmd.exe
  PID 1772 wrote to memory of 2776  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  cmd.exe
  PID 1772 wrote to memory of 2776  1772  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  cmd.exe
  PID 2160 wrote to memory of 2608  2160  mosuv.exe                              qienpi.exe
  PID 2160 wrote to memory of 2608  2160  mosuv.exe                              qienpi.exe
  PID 2160 wrote to memory of 2608  2160  mosuv.exe                              qienpi.exe
  PID 2160 wrote to memory of 2608  2160  mosuv.exe                              qienpi.exe
  PID 2608 wrote to memory of 1316  2608  qienpi.exe                             civog.exe
  PID 2608 wrote to memory of 1316  2608  qienpi.exe                             civog.exe
  PID 2608 wrote to memory of 1316  2608  qienpi.exe                             civog.exe
  PID 2608 wrote to memory of 1316  2608  qienpi.exe                             civog.exe
  PID 2608 wrote to memory of 1604  2608  qienpi.exe                             cmd.exe
  PID 2608 wrote to memory of 1604  2608  qienpi.exe                             cmd.exe
  PID 2608 wrote to memory of 1604  2608  qienpi.exe                             cmd.exe
  PID 2608 wrote to memory of 1604  2608  qienpi.exe                             cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"
  PID: 1772 (depth 1)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\mosuv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mosuv.exe"
    PID: 2160 (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qienpi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qienpi.exe" OK
      PID: 2608 (depth 3)
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\civog.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\civog.exe"
        PID: 1316 (depth 4)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1604 (depth 4)
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2776 (depth 2)
    - Deletes itself
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  224B
MD5:       c746a45a01e7ec649f583035a7e479a0
SHA1:      9bd498d4f5f25fcbf7ead3240e85715aa309dfcd
SHA256:    000c087007c31a7ead7d2b1b163d6312a19cfbd1a999d86a3f0f55898aea586b
SHA512:    ecf6f0700fdd2229f983bb9829073f8ff18abd88442df4b5f5e07f82c028a80b2812b930d4dc830ec01153db7a34bcc661e9e05453a2514b9c100fcb82f6add6

Filesize:  278B
MD5:       89d1175ccc22de444733c8b8c183b51f
SHA1:      60de7c4bb5f8029c7b92d0c27a3003b500210993
SHA256:    143add2de2b3d039a8f69bcc322d7e77035526aa2dd129dec469889f8d31ddc5
SHA512:    556fb939865bfa503dff724c591d9d545f8301ce4a7802058554fa1eec33547c961490decec6e67eba71f545e85887109a63eb763586e8343ed3ef92a6f341f3

Filesize:  104B
MD5:       dbef593bccc2049f860f718cd6fec321
SHA1:      e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256:    30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512:    3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize:  512B
MD5:       9ee54eba1649954268d1f3f37c274921
SHA1:      cbb481c73a79a81b116e67d7aa275dfdf829a875
SHA256:    48982c78e545c80f0e989d647a878d63ecc856e5dfbafd08ed7414cd86023bc2
SHA512:    a17565f9f074095b623c6c1155ad34b7bbf9f48a3982d6a11755b1a7fb1993256039eaaa3da8982c6edbc1f2528854de929359632afdffd6bc3297f4436cd8b1

Filesize:  459KB
MD5:       2f6bdd8a9cc01c26e21b8710f5214acf
SHA1:      a2ae41268ee73e972929ced6f210e50ee281288e
SHA256:    127233514d41cbdd22b1c0edf3e822edebadc7b02a0321661530f13064faf9c2
SHA512:    ed9f258e4dbfa3d91b466338c4acf1ca3e4236cb45109d5747a6819c72493644c015390d95e5a4fa860c3bb5b68f9cc74060b64085d2e5d32dd1ab8133174892

Filesize:  6.5MB
MD5:       b9048a18f5934eb7ad9fcf4bc3846ad3
SHA1:      9a7f7a4d10ef957dbdc638a3a7b60e95df5ba6f6
SHA256:    25592762f6078878786ddedb40ae2d21f141bf38cc66e2322102e060be410937
SHA512:    e72a225386b91358490ab1d065166733d0d64cf56736c3a8cac7c39dfa6e802379fd4c655d6dcfb8bfb7887484b79e94234c9b7cca0de035af7574fe1f76cef6