Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2024 22:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0f03916e5764030aecb65ae5137e6780N.exe
- Resource: win7-20240705-en
General
- Target: 0f03916e5764030aecb65ae5137e6780N.exe
- Size: 6.5MB
- MD5: 0f03916e5764030aecb65ae5137e6780
- SHA1: 3e8c85be4101ab8a0c01cbe82cbf880b12da2cc9
- SHA256: 32d5120fdeeee7bd1dc0a6b14579d2668747966add76c2eb1e8b4a7d1314c2bd
- SHA512: 8a1d45fe4c5bb44ad13ae15b0f34cbaea00136f9a9a36aceee77704cceaadcf91399c5467e780cc0482cc51a6884131ba994ea02e45ac9a10d9c584b0a93732f
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo
Malware Config
Extracted
- Family: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Deletes itself (1 IoC)
  Processes:
  - PID 2504 cmd.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2900 afmut.exe
  - PID 1664 morunu.exe
  - PID 1920 xufiy.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  - PID 2576 0f03916e5764030aecb65ae5137e6780N.exe
  - PID 2576 0f03916e5764030aecb65ae5137e6780N.exe
  - PID 2900 afmut.exe
  - PID 2900 afmut.exe
  - PID 1664 morunu.exe
- Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\xufiy.exe: upx
  - behavioral1/memory/1664-161-0x0000000004A80000-0x0000000004C19000-memory.dmp: upx
  - behavioral1/memory/1920-163-0x0000000000400000-0x0000000000599000-memory.dmp: upx
  - behavioral1/memory/1920-176-0x0000000000400000-0x0000000000599000-memory.dmp: upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0f03916e5764030aecb65ae5137e6780N.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by afmut.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by morunu.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xufiy.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  - PID 2576 0f03916e5764030aecb65ae5137e6780N.exe
  - PID 2900 afmut.exe
  - PID 1664 morunu.exe
  - PID 1920 xufiy.exe
  - PID 1920 xufiy.exe
  - PID 1920 xufiy.exe
  - PID 1920 xufiy.exe
  - PID 1920 xufiy.exe
  - PID 1920 xufiy.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process):
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2900 (afmut.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2900 (afmut.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2900 (afmut.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2900 (afmut.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2504 (cmd.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2504 (cmd.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2504 (cmd.exe)
  - PID 2576 (0f03916e5764030aecb65ae5137e6780N.exe) wrote to memory of PID 2504 (cmd.exe)
  - PID 2900 (afmut.exe) wrote to memory of PID 1664 (morunu.exe)
  - PID 2900 (afmut.exe) wrote to memory of PID 1664 (morunu.exe)
  - PID 2900 (afmut.exe) wrote to memory of PID 1664 (morunu.exe)
  - PID 2900 (afmut.exe) wrote to memory of PID 1664 (morunu.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 1920 (xufiy.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 1920 (xufiy.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 1920 (xufiy.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 1920 (xufiy.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 2516 (cmd.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 2516 (cmd.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 2516 (cmd.exe)
  - PID 1664 (morunu.exe) wrote to memory of PID 2516 (cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\0f03916e5764030aecb65ae5137e6780N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f03916e5764030aecb65ae5137e6780N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2576
  - C:\Users\Admin\AppData\Local\Temp\afmut.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\afmut.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2900
    - C:\Users\Admin\AppData\Local\Temp\morunu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\morunu.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:1664
      - C:\Users\Admin\AppData\Local\Temp\xufiy.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xufiy.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
        PID:2516
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2504
Network
MITRE ATT&CK Enterprise v15
Downloads