Analysis

max time kernel: 150s
max time network: 129s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 28-07-2024 00:19
Behavioral task: behavioral1
Sample: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
Resource: win7-20240705-en
General

Target: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
Size: 386KB
MD5: 7dbb58e723e451b2fd9e72eb5a515a32
SHA1: 5c3234c56aff1c36746031758b76f126392cd0b7
SHA256: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6
SHA512: 6aa06d5adeba44d180f4621cd46a48bd55bf4a24f7b0332359114da2599c8bfe44bc15b5dc3deb7a51bbd324c5e54bcd8407457caa0ad892bc32c2f0f7cdca9e
SSDEEP: 6144:tfKUuk3Zz7INHrUP0Q9G9G8rMd1CX4/D1qPDmftZvVhlvDGjaELfDMzPS94k:NBJzsNfIG0IMHCX4b1qLmvvXlrKVfjT
Malware Config

Extracted (family: urelas), addresses:
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe (PID 2708)

Executes dropped EXE (2 IoCs)
Processes: ezifh.exe (PID 2700), ilmun.exe (PID 2192)

Loads dropped DLL (2 IoCs)
Processes: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe (PID 2676), ezifh.exe (PID 2700)
YARA rule match: upx
Resources:
behavioral1/memory/2676-0-0x0000000000400000-0x0000000000490000-memory.dmp
\Users\Admin\AppData\Local\Temp\ezifh.exe
behavioral1/memory/2676-18-0x0000000000400000-0x0000000000490000-memory.dmp
behavioral1/memory/2700-21-0x0000000000400000-0x0000000000490000-memory.dmp
behavioral1/memory/2700-38-0x0000000000400000-0x0000000000490000-memory.dmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes (key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
ezifh.exe
cmd.exe
ilmun.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes: ilmun.exe (PID 2192), 54 occurrences
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each parent/child pair is recorded four times):
PID 2676 (7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe) wrote to memory of PID 2700 (ezifh.exe)
PID 2676 (7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe) wrote to memory of PID 2708 (cmd.exe)
PID 2700 (ezifh.exe) wrote to memory of PID 2192 (ilmun.exe)
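The upx YARA hits in the Signatures section are on the dropped ezifh.exe and on memory dumps of PIDs 2676 and 2700; each dump covers 0x400000-0x490000, a 0x90000-byte (576 KiB) image for a file that is 386KB on disk, which is what a packer that decompresses into a section reserved but empty on disk produces. The following is an added example, not part of this report and not the sandbox's rule: it shows the structural checks such a rule reduces to, run against a PE image built by hand in the script (the sample itself is not used). The section names, the 0x10000 reserve threshold and the 7.0 bits/byte entropy floor are the author's assumptions.

```python
# Added example (not part of this report or of the sandbox's YARA rules):
# the structural checks a "upx" rule typically keys on, applied to a
# hand-built PE image. The PE bytes are constructed here for the demo and
# are NOT the sample above; the thresholds (0x10000, 7.0) are the author's
# own choices.
import hashlib
import math
import struct

FILE_ALIGN = 0x200          # file alignment used when laying out the demo image
OPT_HDR_SIZE = 0xE0         # PE32 optional header size; left zeroed, never read


def pseudo_random(n, seed=b"demo"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_demo_pe(sections):
    """Assemble a minimal PE: DOS header, PE signature, COFF header, zeroed
    optional header, section table, then raw section data at 512-byte alignment.
    sections: list of (name, virtual_size, raw_bytes)."""
    n = len(sections)
    headers_len = 64 + 4 + 20 + OPT_HDR_SIZE + 40 * n
    raw_base = -(-headers_len // FILE_ALIGN) * FILE_ALIGN      # round up
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in sections:
        ptr = raw_base + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw + b"\0" * (-len(raw) % FILE_ALIGN)
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    image = dos + b"PE\0\0" + coff + b"\0" * OPT_HDR_SIZE + bytes(table)
    return bytes(image + b"\0" * (raw_base - len(image)) + body)


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for compressed/encrypted data, 0 for padding."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data, min_reserve=0x10000, entropy_floor=7.0):
    """Three independent signals. The name check alone is defeated by renaming
    sections, so the layout and entropy checks carry the weight."""
    secs = parse_sections(data)
    upx_named = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    # UPX0-style: no bytes on disk, large virtual size = the in-memory unpack target.
    unpack_target = [s["name"] for s in secs
                     if s["raw_size"] == 0 and s["virtual_size"] >= min_reserve]
    # UPX1-style: the compressed blob, which reads as near-random bytes.
    high_entropy = [s["name"] for s in secs if s["raw_size"] and
                    shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]) > entropy_floor]
    return {"upx_named": upx_named, "unpack_target": unpack_target,
            "high_entropy": high_entropy,
            "likely_upx": bool(upx_named) or bool(unpack_target and high_entropy)}


# Constructed inputs: a UPX-style layout and a plain, uncompressed layout.
UPX_LIKE = build_demo_pe([(b"UPX0", 0x80000, b""),
                          (b"UPX1", 0x1000, pseudo_random(4096)),
                          (b".rsrc", 0x1000, b"\0" * 512)])
PLAIN = build_demo_pe([(b".text", 0x1000, b"\x90" * 4096),
                       (b".data", 0x200, b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, upx_indicators(img))
```

To apply it to a real file, pass `open(path, "rb").read()` to `upx_indicators`. Note that the sandbox matched the rule on memory dumps as well as on the dropped file: a dump taken after unpacking still carries the UPX section table, but the bytes inside the former packed section are now decompressed, so the entropy signal alone would not fire there.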
Processes

C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe (PID 2676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ezifh.exe (PID 2700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ezifh.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ilmun.exe (PID 2192)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ilmun.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 2708)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
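The process tree above can be rebuilt from two pieces of the report: the WriteProcessMemory entries (parent PID, child PID, both image names; each pair appears four times) and the command lines in the Processes section. The script below is an added example, not the sandbox's own signature logic: it deduplicates the edges, prints the tree, and flags the pattern the report tags as "Deletes itself", namely the sample launching cmd.exe /c on a .bat that sits in the same directory as the sample's own executable. The input lines are copied from this report; the "same directory as the parent" rule and the function names are the author's assumptions.

```python
# Added example, not part of this report or the sandbox tooling: rebuild the
# process tree from the WriteProcessMemory entries and flag the self-delete
# batch launch. Input text is copied from the report above; the heuristic and
# the helper names are the author's own.
import ntpath
import re
from collections import defaultdict

SAMPLE = "7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe"

# Copied from the report's "Suspicious use of WriteProcessMemory" entries.
WPM_LINES = f"""
PID 2676 wrote to memory of 2700 2676 {SAMPLE} ezifh.exe
PID 2676 wrote to memory of 2700 2676 {SAMPLE} ezifh.exe
PID 2676 wrote to memory of 2700 2676 {SAMPLE} ezifh.exe
PID 2676 wrote to memory of 2700 2676 {SAMPLE} ezifh.exe
PID 2676 wrote to memory of 2708 2676 {SAMPLE} cmd.exe
PID 2676 wrote to memory of 2708 2676 {SAMPLE} cmd.exe
PID 2676 wrote to memory of 2708 2676 {SAMPLE} cmd.exe
PID 2676 wrote to memory of 2708 2676 {SAMPLE} cmd.exe
PID 2700 wrote to memory of 2192 2700 ezifh.exe ilmun.exe
PID 2700 wrote to memory of 2192 2700 ezifh.exe ilmun.exe
PID 2700 wrote to memory of 2192 2700 ezifh.exe ilmun.exe
PID 2700 wrote to memory of 2192 2700 ezifh.exe ilmun.exe
"""

# Command lines copied from the report's "Processes" section.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMDLINES = {
    2676: f'"{TEMP}\\{SAMPLE}"',
    2700: f'"{TEMP}\\ezifh.exe"',
    2192: f'"{TEMP}\\ilmun.exe"',
    2708: f'cmd /c ""{TEMP}\\_uinsey.bat" "',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm(text):
    """Distinct (parent_pid, child_pid, parent_image, child_image) tuples."""
    edges = set()
    for m in WPM_RE.finditer(text):
        ppid, cpid, pimg, cimg = m.groups()
        edges.add((int(ppid), int(cpid), pimg, cimg))
    return edges


def build_tree(edges):
    """Children lists (sorted by PID) plus a pid -> image-name map."""
    children = defaultdict(list)
    images = {}
    for ppid, cpid, pimg, cimg in sorted(edges):
        children[ppid].append(cpid)
        images[ppid] = pimg
        images[cpid] = cimg
    return dict(children), images


def roots(children):
    """PIDs that appear as a parent but never as a child."""
    all_children = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in all_children)


def render_tree(children, images, cmdlines, pid, depth=0):
    """Indented text tree, two spaces per level."""
    lines = [f"{'  ' * depth}{images[pid]} (PID {pid}): {cmdlines.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(children, images, cmdlines, child, depth + 1))
    return lines


def image_path(cmdline):
    """First token of a command line, with surrounding quotes stripped."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return m.group(1) or m.group(2)


def find_self_delete(children, images, cmdlines):
    """Heuristic (author's assumption): a process spawns cmd.exe /c on a .bat
    located in the same directory as the parent's own executable. This is the
    shape the report tags as "Deletes itself" for PID 2708."""
    hits = []
    for ppid, cpids in children.items():
        parent_dir = ntpath.dirname(image_path(cmdlines[ppid])).lower()
        for cpid in cpids:
            if images[cpid].lower() != "cmd.exe":
                continue
            cmd = cmdlines.get(cpid, "")
            m = re.search(r'"([^"]+\.bat)"', cmd, re.I)
            if m and "/c" in cmd.lower() and ntpath.dirname(m.group(1)).lower() == parent_dir:
                hits.append((ppid, cpid, m.group(1)))
    return hits


if __name__ == "__main__":
    children, images = build_tree(parse_wpm(WPM_LINES))
    for root in roots(children):
        print("\n".join(render_tree(children, images, CMDLINES, root)))
    for ppid, cpid, bat in find_self_delete(children, images, CMDLINES):
        print(f"self-delete: PID {ppid} launched cmd.exe (PID {cpid}) on {bat}")
```

The heuristic deliberately keys on the batch file's location rather than its name, since the name (_uinsey.bat here) is generated per run; a .bat in the dropper's own directory launched through cmd /c is the stable part of the pattern.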
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: d99a5f0afa5abf38f0f6ba217b2fef4e
SHA1: e2b5bd266d10f7916fe4cf23589a0bd047256c50
SHA256: 6602f7ea5cf6eafecaad20bc0d8a855780844123f02e69a97d51bed8ee90d97d
SHA512: e572e92d778b3f20d3467bb649ad692246f52ca4f4afe22e308c8aab46e437435a1eab043521d2bdb2e3dd987a1b837df1698860b145834a456a79b4dc9f29f7

Filesize: 512B
MD5: 0c6319259e0613acb36047aa9dee83d5
SHA1: f99688b42665f3602ac7c75c2602c3549d840422
SHA256: a3b314db36771596611b731a476c78c0e22d7f01d0671102051d56d1b0c00b3a
SHA512: 42662d9e527e932c6c48bf31de64f93174f26f11c038dd9178da1258b50e23d98e47d50c9c6d113ae49d1936271ae870fe800af392f28ad8d801fe460c7ba432

Filesize: 386KB
MD5: 6986e75ebab12aae4ea67ab626d1e6bd
SHA1: a6cc6971457220aa17d1f225f2c8daa7286776d0
SHA256: 130e02bf5684015d71e7d2dcc0148041a0984bb19d839bfb414db0b12f25b979
SHA512: d8323fab690686312c74d0ef13f4f5198682925a5fbec7847d470dc7214d0bc28c1041a70c9e23814bab080283eb37c11de438e45ee642fb7279099990a945f0

Filesize: 241KB
MD5: c7c183c509dbda43c749c8ac747ddc68
SHA1: 2690d36417f8e5fc5490792827f33e710648d1fd
SHA256: aea54e7e14bf1c6cac7ffb279cc73f329f2d6dbd3e0f34cadf9343e2c0b9d2ef
SHA512: ff464f4080d9b99e1f359abdb4f62f35795c31e0eb9fdb6a44d1edf81141c2041ef1a4484a871e0b1ce0eed9e816b11f927ae1c975fb43c8cc72791dcb8155c8