Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 00:19

Behavioral task: behavioral1
Sample: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
Resource: win7-20240705-en
General
Target: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
Size: 386KB
MD5: 7dbb58e723e451b2fd9e72eb5a515a32
SHA1: 5c3234c56aff1c36746031758b76f126392cd0b7
SHA256: 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6
SHA512: 6aa06d5adeba44d180f4621cd46a48bd55bf4a24f7b0332359114da2599c8bfe44bc15b5dc3deb7a51bbd324c5e54bcd8407457caa0ad892bc32c2f0f7cdca9e
SSDEEP: 6144:tfKUuk3Zz7INHrUP0Q9G9G8rMd1CX4/D1qPDmftZvVhlvDGjaELfDMzPS94k:NBJzsNfIG0IMHCX4b1qLmvvXlrKVfjT
Malware Config
Extracted: urelas
Extracted addresses:
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | dufui.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
3624 | dufui.exe
4956 | detyq.exe
Yara rule matches (rule: upx)
Processes:
resource | yara_rule
behavioral2/memory/532-0-0x0000000000400000-0x0000000000490000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\dufui.exe | upx
behavioral2/memory/3624-12-0x0000000000400000-0x0000000000490000-memory.dmp | upx
behavioral2/memory/532-14-0x0000000000400000-0x0000000000490000-memory.dmp | upx
behavioral2/memory/3624-17-0x0000000000400000-0x0000000000490000-memory.dmp | upx
behavioral2/memory/3624-35-0x0000000000400000-0x0000000000490000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dufui.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | detyq.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
4956 | detyq.exe (64 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 532 wrote to memory of 3624 | 532 | 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe | dufui.exe (3 entries)
PID 532 wrote to memory of 4312 | 532 | 7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe | cmd.exe (3 entries)
PID 3624 wrote to memory of 4956 | 3624 | dufui.exe | detyq.exe (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b10fcb173a0c622cccbc69640b3227dbabd4bf4d94f9e3a580c5c7012e5c2e6.exe"
   PID: 532
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\dufui.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dufui.exe"
      PID: 3624
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\detyq.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\detyq.exe"
         PID: 4956
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 4312
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: d99a5f0afa5abf38f0f6ba217b2fef4e
SHA1: e2b5bd266d10f7916fe4cf23589a0bd047256c50
SHA256: 6602f7ea5cf6eafecaad20bc0d8a855780844123f02e69a97d51bed8ee90d97d
SHA512: e572e92d778b3f20d3467bb649ad692246f52ca4f4afe22e308c8aab46e437435a1eab043521d2bdb2e3dd987a1b837df1698860b145834a456a79b4dc9f29f7

Filesize: 241KB
MD5: 563a51f1a4e5a6374fb32f916aa658b4
SHA1: 8103c7403e8e1168f519a8f59eed23037ba04338
SHA256: 4fcbf8bad0fa761daa97890ec3cdd04b6b800875a0a4f9200753c04ba69d5a41
SHA512: 029d489df4045b766852d95b221459c5060bac2d2546aa3716ea082e192e825857c2ce6fc682cec7e23697e1b0ff49c2c49ffc6cced19e16abe916f02cb1f3cf

Filesize: 386KB
MD5: 8e9bd4e4f9cc91d9765256e158a7022b
SHA1: 8e0934f0d363af548aae5ff1cbdef3c6d0601c82
SHA256: daa24eafd4c551aeaf50aa897338884979985651caf3786926c26f7115df09f4
SHA512: 3b35fc7b6e8a2757836343b84a568936495ef3ede412c04864b6e9958f669cd974cb078395d9476f65eea786b45bdd3e35edb865241de50ab09ea68e5b4ad607

Filesize: 512B
MD5: c905a760f1cb2d31e5ccbff0084ef579
SHA1: b36eb9ebaaab504131c18666ee3069e2e9531634
SHA256: 56ef4a3dc7737fc04b121cd2d6669285ee6a3097283adf98ac9d5050e82cbcfa
SHA512: a8e1c26de0df20c9265d5775791dc2d1afc64a2f8df36d5518de1c467a369c40ecf21b3f5e7176cbd013fb423373763b7a1c59e4fb30d1ec1718059e854b39be