Analysis
- max time kernel: 119s
- max time network: 114s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-07-2024 03:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8c998e707315ec9b559a8cb61a188090N.exe
- Resource: win7-20240704-en
General
- Target: 8c998e707315ec9b559a8cb61a188090N.exe
- Size: 6.5MB
- MD5: 8c998e707315ec9b559a8cb61a188090
- SHA1: 87b37e77a8703952fb16daff64e2f712485f8e9d
- SHA256: 751a1bfb73fc05bb9915827c69ea6febf9a9b9a9e73046098c5be031b6587912
- SHA512: 94fcd779cabeae0d276a147bb072a778f73caf6f96a56136f16102048c888e43a3ebccf85c556fc793fcb4c34eb6398af6caa4482ed2be6a917a4309254f67d4
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSu:i0LrA2kHKQHNk3og9unipQyOaOu
Malware Config
- Extracted family: urelas
- Extracted addresses: 218.54.31.165, 218.54.31.226
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 8c998e707315ec9b559a8cb61a188090N.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | joepy.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | rukery.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    5016 | joepy.exe
    3044 | rukery.exe
    1244 | zymav.exe
- YARA rule matches
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\zymav.exe | upx
    behavioral2/memory/1244-70-0x0000000000400000-0x0000000000599000-memory.dmp | upx
    behavioral2/memory/1244-74-0x0000000000400000-0x0000000000599000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8c998e707315ec9b559a8cb61a188090N.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | joepy.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rukery.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zymav.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid | process | times reported):
    3556 | 8c998e707315ec9b559a8cb61a188090N.exe | 2
    5016 | joepy.exe | 2
    3044 | rukery.exe | 2
    1244 | zymav.exe | 12
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process | times reported):
    PID 3556 wrote to memory of 5016 | 3556 | 8c998e707315ec9b559a8cb61a188090N.exe | joepy.exe | 3
    PID 3556 wrote to memory of 1808 | 3556 | 8c998e707315ec9b559a8cb61a188090N.exe | cmd.exe | 3
    PID 5016 wrote to memory of 3044 | 5016 | joepy.exe | rukery.exe | 3
    PID 3044 wrote to memory of 1244 | 3044 | rukery.exe | zymav.exe | 3
    PID 3044 wrote to memory of 1504 | 3044 | rukery.exe | cmd.exe | 3
Processes (process tree, indented by parent)
- C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe (PID 3556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\joepy.exe (PID 5016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\joepy.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rukery.exe (PID 3044)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rukery.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\zymav.exe (PID 1244)
        Command line: "C:\Users\Admin\AppData\Local\Temp\zymav.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 1504)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1808)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads