Analysis
max time kernel: 150s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-07-2024 01:36
Static task: static1
Behavioral task: behavioral1
Sample: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
Resource: win7-20240705-en
General
Target: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe
Size: 323KB
MD5: b116169395da074d7699bc77222d95dd
SHA1: a84ba2ef6efc30bfe2b8247ceda0957c1ef0bc29
SHA256: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1
SHA512: 84da88b7606a793e7e74fbb0165225c0351e995b88e6921f6b86633616362d9808f1867fcfd80fd6df93a6a76745bfe51e367e0bef7de803931b9c88498088a7
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYF:vHW138/iXWlK885rKlGSekcj66ci4
Malware Config
Extracted: urelas
  218.54.31.226
  218.54.31.165
  218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe, mygus.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation (mygus.exe)

Executes dropped EXE (2 IoCs)
Processes: mygus.exe, ivqia.exe
- PID 4824: mygus.exe
- PID 4864: ivqia.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe, mygus.exe, cmd.exe, ivqia.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mygus.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ivqia.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: ivqia.exe
- PID 4864: ivqia.exe (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe, mygus.exe
- PID 4672 wrote to memory of 4824: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe -> mygus.exe (3 entries)
- PID 4672 wrote to memory of 1872: a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe -> cmd.exe (3 entries)
- PID 4824 wrote to memory of 4864: mygus.exe -> ivqia.exe (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe (PID 4672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a1510e0b0b8b333d63a26bed13436b58d175b34e44be3e09fde76efeb130f8d1.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\mygus.exe (PID 4824)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mygus.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\ivqia.exe (PID 4864)
            Command line: "C:\Users\Admin\AppData\Local\Temp\ivqia.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1872)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads