Analysis
- max time kernel: 119s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2024 03:50

Static task: static1
Behavioral task: behavioral1
- Sample: 8c998e707315ec9b559a8cb61a188090N.exe
- Resource: win7-20240704-en
General
- Target: 8c998e707315ec9b559a8cb61a188090N.exe
- Size: 6.5MB
- MD5: 8c998e707315ec9b559a8cb61a188090
- SHA1: 87b37e77a8703952fb16daff64e2f712485f8e9d
- SHA256: 751a1bfb73fc05bb9915827c69ea6febf9a9b9a9e73046098c5be031b6587912
- SHA512: 94fcd779cabeae0d276a147bb072a778f73caf6f96a56136f16102048c888e43a3ebccf85c556fc793fcb4c34eb6398af6caa4482ed2be6a917a4309254f67d4
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSu:i0LrA2kHKQHNk3og9unipQyOaOu
Malware Config
Extracted
- Family: urelas
- 218.54.31.165
- 218.54.31.226
Signatures

- Deletes itself (1 IoC)
  Processes (pid, process):
  - 2304 cmd.exe

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2584 gujyf.exe
  - 452 xisiif.exe
  - 556 bynii.exe

- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 2732 8c998e707315ec9b559a8cb61a188090N.exe
  - 2732 8c998e707315ec9b559a8cb61a188090N.exe
  - 2584 gujyf.exe
  - 2584 gujyf.exe
  - 452 xisiif.exe

- yara_rule: upx
  Resources matched:
  - \Users\Admin\AppData\Local\Temp\bynii.exe (upx)
  - behavioral1/memory/452-161-0x00000000041B0000-0x0000000004349000-memory.dmp (upx)
  - behavioral1/memory/556-163-0x0000000000400000-0x0000000000599000-memory.dmp (upx)
  - behavioral1/memory/556-176-0x0000000000400000-0x0000000000599000-memory.dmp (upx)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 8c998e707315ec9b559a8cb61a188090N.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by gujyf.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xisiif.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by bynii.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  - 2732 8c998e707315ec9b559a8cb61a188090N.exe
  - 2584 gujyf.exe
  - 452 xisiif.exe
  - 556 bynii.exe (5 occurrences)

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (pid, process, target process), each recorded 4 times:
  - PID 2732 8c998e707315ec9b559a8cb61a188090N.exe wrote to memory of 2584 gujyf.exe
  - PID 2732 8c998e707315ec9b559a8cb61a188090N.exe wrote to memory of 2304 cmd.exe
  - PID 2584 gujyf.exe wrote to memory of 452 xisiif.exe
  - PID 452 xisiif.exe wrote to memory of 556 bynii.exe
  - PID 452 xisiif.exe wrote to memory of 1132 cmd.exe
Processes (process tree; depth shown by indentation)

- [1] C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"
  PID: 2732
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\gujyf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gujyf.exe"
    PID: 2584
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\xisiif.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xisiif.exe" OK
      PID: 452
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Local\Temp\bynii.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\bynii.exe"
        PID: 556
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1132
        - System Location Discovery: System Language Discovery

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2304
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads