Analysis
-
max time kernel: 148s
max time network: 128s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 28-07-2024 19:15
Static task: static1
Behavioral task: behavioral1
Sample: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe
Resource: win7-20240708-en
General
-
Target: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe
Size: 6.5MB
MD5: 905f253fda7bc0e45dc3441bc786635e
SHA1: 2271db4c633feb62df4d38c98949723cbfdd862f
SHA256: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be
SHA512: 59667bbc5acca0e25b201f014f93348d916306c13d8f6d060ec72d8aad0722913a46261358e953e1703a83c9fbad04c4e4e79b02adcf9ab2a16f3bc20acbc317
SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSe:i0LrA2kHKQHNk3og9unipQyOaOe
Malware Config
Extracted: urelas
218.54.31.165
218.54.31.226
Signatures
-
Deletes itself (1 IoC)
Processes: cmd.exe (PID 2572)
-
Executes dropped EXE (3 IoCs)
Processes: mytio.exe (PID 2788), pixeuj.exe (PID 1148), haelg.exe (PID 900)
-
Loads dropped DLL (5 IoCs)
Processes: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe (PID 536, 2 hits), mytio.exe (PID 2788, 2 hits), pixeuj.exe (PID 1148, 1 hit)
-
Resources matching yara rule upx (3 IoCs):
- \Users\Admin\AppData\Local\Temp\haelg.exe
- behavioral1/memory/900-168-0x0000000000400000-0x0000000000599000-memory.dmp
- behavioral1/memory/900-174-0x0000000000400000-0x0000000000599000-memory.dmp
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: each of cmd.exe, 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe, mytio.exe, cmd.exe, pixeuj.exe and haelg.exe opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
-
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe (PID 536), mytio.exe (PID 2788), pixeuj.exe (PID 1148), haelg.exe (PID 900, 10 hits)
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID and process -> target PID and process, 4 writes each):
  536 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe -> 2788 mytio.exe
  536 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe -> 2572 cmd.exe
  2788 mytio.exe -> 1148 pixeuj.exe
  1148 pixeuj.exe -> 900 haelg.exe
  1148 pixeuj.exe -> 1592 cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe (PID 536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\mytio.exe (PID 2788)
  |     Command line: "C:\Users\Admin\AppData\Local\Temp\mytio.exe"
  |     - Executes dropped EXE
  |     - Loads dropped DLL
  |     - System Location Discovery: System Language Discovery
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\pixeuj.exe (PID 1148)
  |           Command line: "C:\Users\Admin\AppData\Local\Temp\pixeuj.exe" OK
  |           - Executes dropped EXE
  |           - Loads dropped DLL
  |           - System Location Discovery: System Language Discovery
  |           - Suspicious behavior: EnumeratesProcesses
  |           - Suspicious use of WriteProcessMemory
  |           |
  |           +-- C:\Users\Admin\AppData\Local\Temp\haelg.exe (PID 900)
  |           |     Command line: "C:\Users\Admin\AppData\Local\Temp\haelg.exe"
  |           |     - Executes dropped EXE
  |           |     - System Location Discovery: System Language Discovery
  |           |     - Suspicious behavior: EnumeratesProcesses
  |           |
  |           +-- C:\Windows\SysWOW64\cmd.exe (PID 1592)
  |                 Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  |                 - System Location Discovery: System Language Discovery
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2572)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - Deletes itself
        - System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads