Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 01:36
Static task: static1
Behavioral task: behavioral1
Sample: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
Resource: win7-20240705-en
General
Target: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
Size: 323KB
MD5: b116169395da074d7699bc77222d95dd
SHA1: a84ba2ef6efc30bfe2b8247ceda0957c1ef0bc29
SHA256: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1
SHA512: 84da88b7606a793e7e74fbb0165225c0351e995b88e6921f6b86633616362d9808f1867fcfd80fd6df93a6a76745bfe51e367e0bef7de803931b9c88498088a7
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYF:vHW138/iXWlK885rKlGSekcj66ci4
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Deletes itself (1 IoC)
Processes:
  cmd.exe (PID 2248)

Executes dropped EXE (2 IoCs)
Processes:
  cywyq.exe (PID 3040)
  zylea.exe (PID 2348)

Loads dropped DLL (2 IoCs)
Processes:
  a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe (PID 2168)
  cywyq.exe (PID 3040)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / IoC / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zylea.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cywyq.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes:
  zylea.exe (PID 2348), 54 occurrences
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / PID / process / target process):
  PID 2168 wrote to memory of 3040  a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe -> cywyq.exe  (4 occurrences)
  PID 2168 wrote to memory of 2248  a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe -> cmd.exe  (4 occurrences)
  PID 3040 wrote to memory of 2348  cywyq.exe -> zylea.exe  (4 occurrences)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe"
    PID: 2168
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\cywyq.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cywyq.exe"
        PID: 3040
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\zylea.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\zylea.exe"
            PID: 2348
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 2248
        - Deletes itself
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 8ebe2ce36bf8db13f65993dc0c550fbe
SHA1: 5af0c513a485e4fc02bd82d4e0776b4585dca293
SHA256: b4a92629d5605aac1390196386f832432c060e4bdbb12611d899f5d209c29b01
SHA512: d7c7df9f090d7af178bec8b25a6d3c9291503b2b233d84c4f3b05afcf515ea4bed2c0f85647037953fd68996259df729c6a946f044a99f481cbc2ee02dca1488

Filesize: 512B
MD5: 4f84896559711ae2bdb68b5f61f50dcc
SHA1: 793a753783d8b605515aa4cc37f4e71765f67678
SHA256: 7fe17dfd633c8885e99696f6e18958fb3d600d8980665dce1ed26112e98ec1c5
SHA512: 7e3b6b2587d4a102771343fabd52a0d5d4f6ae3830861f51c6845cb559876b429e4e639455bbc8d78c5adfdfd28f88d7c2630ddb49804ac83df996f4a9f31032

Filesize: 172KB
MD5: 0512ed62e34a512e155b8895e67304f0
SHA1: 7c9b8cce465e721f0dee5c07ec50261fb1e7ab5c
SHA256: 171a8c9844cb36bc823030281f80327ed8b3a76980aa01a221dc58b6590e8613
SHA512: 0d8d2f893c3cde45f477c04c6eb6e65ff5717a9c56c7b70c84dd340cf379c8a3c0a951899bc2c36e51751465e2761db1a09d6306abc5b096f5baf791e5d76e2d

Filesize: 323KB
MD5: 1c1ee8aa40b1e3c5d0ead6270e0c54a4
SHA1: aab6a78cd80727fd39bad1526fb2242dcf5a88f9
SHA256: 79aab4a98cd49dc748ea75174ec1a736dd800d48de38f82351e01c10e71f075a
SHA512: 3a05637d24c54c5b7cea8d1b595d8e3ce8e19285f39c78795c203c13b8505919535ebafb372e0f097e63b9b7f13b02cfd15e65c8faa41d4ef67d7a4a774ed8f9