Analysis
max time kernel: 120s
max time network: 93s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 10:47
Static task: static1
Behavioral task: behavioral1
Sample: b8f788750bcdec10cdca7daa18c166f0N.exe
Resource: win7-20240704-en
General
Target: b8f788750bcdec10cdca7daa18c166f0N.exe
Size: 324KB
MD5: b8f788750bcdec10cdca7daa18c166f0
SHA1: 5ae561b0a5a5cdfa1aadb20f2355e718670c471c
SHA256: 2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43
SHA512: 7df0a5b99a15d111ef047eb455243d715cb3d987e1bf043ca7f4124cf2d4db558a2be7b5eecc27ee367b3b41d6942261bde9b80419de04d5b97d60a7a79f7d67
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYuA:vHW138/iXWlK885rKlGSekcj66ciU
Malware Config
Extracted family: urelas
Extracted addresses:
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe (PID 2620)

Executes dropped EXE (2 IoCs)
Processes: wiilg.exe (PID 2452), nureo.exe (PID 2032)

Loads dropped DLL (2 IoCs)
Processes: b8f788750bcdec10cdca7daa18c166f0N.exe (PID 2436), wiilg.exe (PID 2452)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language opened by b8f788750bcdec10cdca7daa18c166f0N.exe, wiilg.exe, cmd.exe and nureo.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: nureo.exe (PID 2032), 24 occurrences

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
PID 2436 (b8f788750bcdec10cdca7daa18c166f0N.exe) wrote to memory of PID 2452 (wiilg.exe), 4 occurrences
PID 2436 (b8f788750bcdec10cdca7daa18c166f0N.exe) wrote to memory of PID 2620 (cmd.exe), 4 occurrences
PID 2452 (wiilg.exe) wrote to memory of PID 2032 (nureo.exe), 4 occurrences
Every target is the process that the writer itself spawned (see the Processes section), so these IoCs are consistent with writes made while creating child processes rather than with injection into an unrelated process.
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
  PID: 2436
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\wiilg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wiilg.exe"
    PID: 2452
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\nureo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nureo.exe"
      PID: 2032
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2620
    - Deletes itself
    - System Location Discovery: System Language Discovery
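The process tree above is the same information as the twelve WriteProcessMemory IoCs in the Signatures section, just deduplicated and nested. The following Python is an added example, not part of the sandbox report: it parses those IoC lines (transcribed from the report into WPM_IOCS), collapses the repeated entries into parent/child edges with counts, renders the tree, and checks each write against the parent relationships shown in the Processes section (PROCESS_TREE_PARENTS) so that any write to a process the writer did not create stands out as an injection candidate.

```python
"""Rebuild the process tree from the report's WriteProcessMemory IoC records.

Added example, not part of the sandbox report. WPM_IOCS holds the 12 IoC lines
transcribed from the report; PROCESS_TREE_PARENTS is the parent of each child
process as shown in the report's Processes section.
"""
import re
from collections import Counter, defaultdict

WPM_IOCS = """
PID 2436 wrote to memory of 2452 2436 b8f788750bcdec10cdca7daa18c166f0N.exe wiilg.exe
PID 2436 wrote to memory of 2452 2436 b8f788750bcdec10cdca7daa18c166f0N.exe wiilg.exe
PID 2436 wrote to memory of 2452 2436 b8f788750bcdec10cdca7daa18c166f0N.exe wiilg.exe
PID 2436 wrote to memory of 2452 2436 b8f788750bcdec10cdca7daa18c166f0N.exe wiilg.exe
PID 2436 wrote to memory of 2620 2436 b8f788750bcdec10cdca7daa18c166f0N.exe cmd.exe
PID 2436 wrote to memory of 2620 2436 b8f788750bcdec10cdca7daa18c166f0N.exe cmd.exe
PID 2436 wrote to memory of 2620 2436 b8f788750bcdec10cdca7daa18c166f0N.exe cmd.exe
PID 2436 wrote to memory of 2620 2436 b8f788750bcdec10cdca7daa18c166f0N.exe cmd.exe
PID 2452 wrote to memory of 2032 2452 wiilg.exe nureo.exe
PID 2452 wrote to memory of 2032 2452 wiilg.exe nureo.exe
PID 2452 wrote to memory of 2032 2452 wiilg.exe nureo.exe
PID 2452 wrote to memory of 2032 2452 wiilg.exe nureo.exe
"""

# child PID -> parent PID, as drawn in the report's Processes section
PROCESS_TREE_PARENTS = {2452: 2436, 2620: 2436, 2032: 2452}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
IOC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_wpm(text):
    """Return ({(src_pid, dst_pid): count}, {pid: image}) from the IoC lines."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return edges, images


def build_tree(edges):
    """Roots are writers that are never themselves written to."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    return roots, children


def render(edges, images):
    """Indented tree, one line per process, with the write count from its parent."""
    roots, children = build_tree(edges)
    out = []

    def walk(pid, depth, n=None):
        label = f"{images[pid]} (PID {pid})"
        if n is not None:
            label += f", {n} WriteProcessMemory events from parent"
        out.append("  " * depth + label)
        for child in sorted(children[pid]):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0)
    return out


def cross_process_writes(edges, parents):
    """Edges whose target is not the writer's own child: injection candidates."""
    return sorted((s, d) for s, d in edges if parents.get(d) != s)


if __name__ == "__main__":
    edges, images = parse_wpm(WPM_IOCS)
    print("\n".join(render(edges, images)))
    print("cross-process writes:", cross_process_writes(edges, PROCESS_TREE_PARENTS))
```

For this report cross_process_writes returns an empty list: all three targets are the writer's own children, which is why the four-per-edge repetition is unremarkable here. The same check is what separates a process-creation artefact from a genuine injection signature when the target PID has a different parent in the tree.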
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 278B
MD5: 4bdf2c8288ae06e45710056749f1d337
SHA1: 3b88947abd5b1fca78c668f647393a26f0307073
SHA256: 11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a
SHA512: 83f8aa91fabc6d745ae8d5efc621da8e951cf3cb5f7b1727ecdc72bcdd5b6d78d2f7c81495befaaaa6a3ecc416b4df6a0c0bcc98cbe5fee86155c51a6a082999

File 2
Filesize: 512B
MD5: 0f197c97bd93a24239da3c685b55332f
SHA1: 6f7d0c721b147f3c5c2584234a770dbbd7df526b
SHA256: 59486b9d1d2d800e8e4515d85da0586fdc544f154c24458d2067ea8bcacc351a
SHA512: fe3895909df0a9ae216c24a6c9348b473af893ced4884e78327b57aef995fdff9ecce56ecaaf050e9ff248e08e190462da17d0225cefbf076713d4e952d26fb3

File 3
Filesize: 172KB
MD5: 73c2a8bccb03eb4bee86971fd7b8748a
SHA1: 8bf11a5b5e750f25a05dfe366e6638163238a238
SHA256: f498fe5f3056b87a2bbdf1db74f483d5f20c34b8987bd9cf553faec2f456d9cb
SHA512: 6c1482e641b2480bcba3fe49417df57db872345a93d11781e9ec51f93825998e92bf38137fac399442b42c433d7126c36fadf73af52c4c24dd7c255fcbe12701

File 4
Filesize: 324KB
MD5: 5482a6c1902767752742709b8fbf1d86
SHA1: 0a99db74890ee7da60458d0e85846ae20ef6a994
SHA256: 4539ce13c37dce1f70179abefe7a34f23fa8c42448ee8066c4ad531e3ae5a0af
SHA512: 6f60fe03a17013bd0a7ecafd0fdfa7ea4373e067f709b70914105abd0342445ceccf36a62aee7db58be8107a4eab3283979f32619637f1d6da0135195ad7f562
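The report yields four kinds of indicator a responder can act on: the sample and dropped-file hashes above, the three addresses from the urelas config, the dropped file names in %TEMP%, and two behaviours (a Temp-resident executable running a .bat from Temp via cmd /c to delete itself, and the NLS\Language registry read). The Python below is an added example, not part of the sandbox report, that turns those into a matcher and runs it over constructed Sysmon-like event dictionaries; the event schema, the SAMPLE_EVENTS list and the benign entries in it are assumptions for illustration, and the network event is invented because the report's Network section records no connection.

```python
"""Match constructed endpoint events against the indicators listed in this report.

Added example, not part of the sandbox report. The hashes, addresses, file names
and registry key are transcribed from the report; the Sysmon-like event
dictionaries and the SAMPLE_EVENTS list are constructed input, not data the
sandbox recorded.
"""
import re

SAMPLE_SHA256 = "2b26868cdea1e236721c55cf842cce7d4a0aec370543c6a819dda8ccb8570d43"
DROPPED_SHA256 = {  # the four files under Downloads; the report does not name them
    "11e92f37d446d4b84dc610d076e96f67471fa566245d5c0299084a8086b68e2a",  # 278B
    "59486b9d1d2d800e8e4515d85da0586fdc544f154c24458d2067ea8bcacc351a",  # 512B
    "f498fe5f3056b87a2bbdf1db74f483d5f20c34b8987bd9cf553faec2f456d9cb",  # 172KB
    "4539ce13c37dce1f70179abefe7a34f23fa8c42448ee8066c4ad531e3ae5a0af",  # 324KB
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
URELAS_IPS = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}
DROPPED_NAMES = {"wiilg.exe", "nureo.exe", "_uinsey.bat"}
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# A user's %TEMP% directory, where every stage of this sample ran from.
TEMP_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# cmd /c running a .bat that lives in Temp, the shape of the self-delete step.
TEMP_BAT_CMD = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*[^"]*\\Temp\\[^"]+\.bat"', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return the list of report indicators a single event matches (empty if none)."""
    hits = []
    kind = ev.get("event")
    if kind == "ProcessCreate":
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append("hash matches the sample or a dropped file")
        if basename(ev.get("image", "")) in DROPPED_NAMES:
            hits.append("image name matches a dropped file")
        if TEMP_BAT_CMD.search(ev.get("cmdline", "")) and TEMP_DIR.match(ev.get("parent_image", "")):
            hits.append("Temp-resident parent runs a batch file from Temp (self-delete pattern)")
    elif kind == "NetworkConnect":
        if ev.get("dest_ip") in URELAS_IPS:
            hits.append("destination is an address from the urelas config")
    elif kind == "RegistryOpen":
        # Reading NLS\Language is routine for benign software, so it only counts
        # when the reader itself runs from Temp, as all four processes here did.
        if ev.get("key") == LANG_KEY and TEMP_DIR.match(ev.get("image", "")):
            hits.append("Temp-resident process reads NLS\\Language (language discovery)")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one indicator."""
    matched = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            matched.append((i, hits))
    return matched


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b8f788750bcdec10cdca7daa18c166f0N.exe"
SAMPLE_EVENTS = [  # constructed sample input
    {"event": "ProcessCreate", "image": SAMPLE, "sha256": SAMPLE_SHA256,
     "cmdline": f'"{SAMPLE}"', "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "',
     "parent_image": SAMPLE},
    # Invented: the report's Network section records no connection.
    {"event": "NetworkConnect", "image": r"C:\Users\Admin\AppData\Local\Temp\nureo.exe",
     "dest_ip": "218.54.31.226", "dest_port": 80},
    {"event": "RegistryOpen", "image": r"C:\Users\Admin\AppData\Local\Temp\wiilg.exe", "key": LANG_KEY},
    {"event": "RegistryOpen", "image": r"C:\Windows\System32\notepad.exe", "key": LANG_KEY},  # benign reader
    {"event": "NetworkConnect", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443},  # benign, constructed
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["event"], hits)
```

The hash and address checks are exact matches and will not survive a rebuilt sample, so the behavioural rules carry the longer-term value: a parent under %TEMP% invoking cmd /c on a .bat in the same directory is the self-delete pattern this sample used, and the NLS\Language read is deliberately gated on the reader's location because on its own it fires on a great deal of legitimate software.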