Analysis
  max time kernel: 119s
  max time network: 98s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-07-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: 0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  Resource: win7-20240704-en
General
  Target: 0be85afca6aaa8cdaae0f26a4a2fc380N.exe
  Size: 6.5MB
  MD5: 0be85afca6aaa8cdaae0f26a4a2fc380
  SHA1: 0f579d9cffef787f017be324ea1d08c6180ed6e3
  SHA256: 8718c0f1b157df2752a6062e070b0a51fabb42d6e1c2e6bc1fea01904d6970c7
  SHA512: e0880a43bf7874668d190f822d68c257a9aee1b6cd40a430d90c54040e22b4fdca91e3a52809d2a5cf83c7a58b9926c3f75bfe47e100029197fbcd9073fc7352
  SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSA:i0LrA2kHKQHNk3og9unipQyOaOA
Malware Config
  Extracted: urelas
    218.54.31.165
    218.54.31.226
Signatures

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation  evysz.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation  irgezy.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
Executes dropped EXE 3 IoCs
Processes (pid / process):
  1292  evysz.exe
  1164  irgezy.exe
  2528  utpuj.exe
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\utpuj.exe  upx
  behavioral2/memory/2528-71-0x0000000000400000-0x0000000000599000-memory.dmp  upx
  behavioral2/memory/2528-75-0x0000000000400000-0x0000000000599000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  evysz.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  irgezy.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  utpuj.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0be85afca6aaa8cdaae0f26a4a2fc380N.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid / process):
  1112  0be85afca6aaa8cdaae0f26a4a2fc380N.exe  (2 entries)
  1292  evysz.exe   (2 entries)
  1164  irgezy.exe  (2 entries)
  2528  utpuj.exe   (12 entries)
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description / source pid and process / target process):
  PID 1112 wrote to memory of 1292  1112 0be85afca6aaa8cdaae0f26a4a2fc380N.exe  evysz.exe   (3 entries)
  PID 1112 wrote to memory of 2660  1112 0be85afca6aaa8cdaae0f26a4a2fc380N.exe  cmd.exe     (3 entries)
  PID 1292 wrote to memory of 1164  1292 evysz.exe   irgezy.exe  (3 entries)
  PID 1164 wrote to memory of 2528  1164 irgezy.exe  utpuj.exe   (3 entries)
  PID 1164 wrote to memory of 4768  1164 irgezy.exe  cmd.exe     (3 entries)
Processes (process tree; the number is the nesting depth)
  1. C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"
     PID: 1112
     - Checks computer location settings
     - System Location Discovery: System Language Discovery
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\evysz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\evysz.exe"
        PID: 1292
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        3. C:\Users\Admin\AppData\Local\Temp\irgezy.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\irgezy.exe" OK
           PID: 1164
           - Checks computer location settings
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
           4. C:\Users\Admin\AppData\Local\Temp\utpuj.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\utpuj.exe"
              PID: 2528
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
           4. C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
              PID: 4768
              - System Location Discovery: System Language Discovery
     2. C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2660
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads