Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-07-2024 19:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe
- Resource: win7-20240708-en
General
- Target: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe
- Size: 6.5MB
- MD5: 905f253fda7bc0e45dc3441bc786635e
- SHA1: 2271db4c633feb62df4d38c98949723cbfdd862f
- SHA256: 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be
- SHA512: 59667bbc5acca0e25b201f014f93348d916306c13d8f6d060ec72d8aad0722913a46261358e953e1703a83c9fbad04c4e4e79b02adcf9ab2a16f3bc20acbc317
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSe:i0LrA2kHKQHNk3og9unipQyOaOe
Malware Config
Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (hovux.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (hopyso.exe)

Executes dropped EXE (3 IoCs)
Processes (pid / process):
- 4656 hovux.exe
- 2384 hopyso.exe
- 3296 mejyc.exe

Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\mejyc.exe: upx
- behavioral2/memory/3296-71-0x0000000000400000-0x0000000000599000-memory.dmp: upx
- behavioral2/memory/3296-75-0x0000000000400000-0x0000000000599000-memory.dmp: upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hovux.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hopyso.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mejyc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid / process), with the number of times each pair is recorded:
- 5060 1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe (2 entries)
- 4656 hovux.exe (2 entries)
- 2384 hopyso.exe (2 entries)
- 3296 mejyc.exe (20 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description / pid / process / target process), each pair recorded 3 times:
- PID 5060 (1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe) wrote to memory of 4656 (hovux.exe)
- PID 5060 (1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe) wrote to memory of 4988 (cmd.exe)
- PID 4656 (hovux.exe) wrote to memory of 2384 (hopyso.exe)
- PID 2384 (hopyso.exe) wrote to memory of 3296 (mejyc.exe)
- PID 2384 (hopyso.exe) wrote to memory of 4656 (cmd.exe)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1661221d219912683c3a62eae6603dda3714f8f602e895c1b2604bc1159d37be.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5060

  [depth 2] C:\Users\Admin\AppData\Local\Temp\hovux.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hovux.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4656

    [depth 3] C:\Users\Admin\AppData\Local\Temp\hopyso.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hopyso.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2384

      [depth 4] C:\Users\Admin\AppData\Local\Temp\mejyc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\mejyc.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3296

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
        PID: 4656

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery
    PID: 4988
Network
MITRE ATT&CK Enterprise v15
Downloads