Analysis

- max time kernel: 115s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2024 22:33

Static task: static1
Behavioral task: behavioral1
Sample: 0f03916e5764030aecb65ae5137e6780N.exe
Resource: win7-20240705-en

Note: the behavioral task lists the win7-20240705-en resource while the run header reports a windows10-2004_x64 platform with the win10v2004-20240730-en image, and the memory-dump paths under Signatures are labelled behavioral2 rather than behavioral1. Read the environment fields with that inconsistency in mind.
General

- Target: 0f03916e5764030aecb65ae5137e6780N.exe
- Size: 6.5MB
- MD5: 0f03916e5764030aecb65ae5137e6780
- SHA1: 3e8c85be4101ab8a0c01cbe82cbf880b12da2cc9
- SHA256: 32d5120fdeeee7bd1dc0a6b14579d2668747966add76c2eb1e8b4a7d1314c2bd
- SHA512: 8a1d45fe4c5bb44ad13ae15b0f34cbaea00136f9a9a36aceee77704cceaadcf91399c5467e780cc0482cc51a6884131ba994ea02e45ac9a10d9c584b0a93732f
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo
Malware Config

Extracted family: urelas
Extracted addresses:
- 218.54.31.165
- 218.54.31.226
Signatures

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\Control Panel\International\Geo\Nation
  Queried by: 0f03916e5764030aecb65ae5137e6780N.exe, apfyv.exe, secuiw.exe (the fourth stage, ahkeh.exe, does not query it)

- Executes dropped EXE (3 IoCs)
  PID 4816 apfyv.exe
  PID 2216 secuiw.exe
  PID 4796 ahkeh.exe

- Matches YARA rule: upx
  C:\Users\Admin\AppData\Local\Temp\ahkeh.exe
  behavioral2/memory/4796-71-0x0000000000400000-0x0000000000599000-memory.dmp
  behavioral2/memory/4796-75-0x0000000000400000-0x0000000000599000-memory.dmp
  behavioral2/memory/4796-76-0x0000000000400000-0x0000000000599000-memory.dmp
  Both the dropped ahkeh.exe on disk and three dumps of its mapped image (0x400000-0x599000 in PID 4796) match the upx rule.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by: secuiw.exe, ahkeh.exe, 0f03916e5764030aecb65ae5137e6780N.exe, apfyv.exe, and both cmd.exe instances (6 events in total)

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID 5100 0f03916e5764030aecb65ae5137e6780N.exe (2 events)
  PID 4816 apfyv.exe (2 events)
  PID 2216 secuiw.exe (2 events)
  PID 4796 ahkeh.exe (12 events)

- Suspicious use of WriteProcessMemory (15 IoCs)
  Each parent-to-child edge is logged three times; the distinct edges are:
  PID 5100 0f03916e5764030aecb65ae5137e6780N.exe wrote to memory of PID 4816 apfyv.exe (3 events)
  PID 5100 0f03916e5764030aecb65ae5137e6780N.exe wrote to memory of PID 5112 cmd.exe (3 events)
  PID 4816 apfyv.exe wrote to memory of PID 2216 secuiw.exe (3 events)
  PID 2216 secuiw.exe wrote to memory of PID 4796 ahkeh.exe (3 events)
  PID 2216 secuiw.exe wrote to memory of PID 3876 cmd.exe (3 events)
  Together these edges give the drop chain 0f03916e5764030aecb65ae5137e6780N.exe (5100) -> apfyv.exe (4816) -> secuiw.exe (2216) -> ahkeh.exe (4796), with the first and third stages each also spawning a cmd.exe that runs _vslite.bat.
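A hunting helper that turns the signatures above into detection logic, added here as an example; it is not part of the sandbox report and is not code belonging to the sample or the sandbox. It replays hand-constructed events modelled on the IoCs listed in this report (the Geo\Nation query, the NLS\Language open, the WriteProcessMemory edges including their triplicated rows, and the cmd.exe launches of _vslite.bat), rebuilds the process tree from the memory-write edges, and scores each process. The event layout, flag names and weights are assumptions of this example, not fields of the sandbox's own format.

```python
"""Replay of the behaviour signatures in this report as a scoring rule.

Added example for this page, not part of the sandbox report or the sample.
EVENTS are hand-constructed records modelled on the report's IoCs (same PIDs,
image paths, registry keys and command lines); the (pid, image, action,
detail) layout, the flag names and the WEIGHTS are this example's own choices.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "0f03916e5764030aecb65ae5137e6780N.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"
CMD_BAT = 'C:\\Windows\\system32\\cmd.exe /c ""' + TEMP + '_vslite.bat" "'
HKU = "\\REGISTRY\\USER\\S-1-5-21-3881032017-2947584075-2120384563-1000"
GEO_NATION_KEY = "\\Control Panel\\International\\Geo\\Nation"
NLS_LANGUAGE_KEY = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"

# Constructed events: (pid, image, action, detail).
# write_memory detail = (child pid, child image, child command line).
# One duplicated write_memory row is kept on purpose: the report logs each edge 3x.
EVENTS: List[Tuple] = [
    (5100, SAMPLE, "reg_query", HKU + GEO_NATION_KEY),
    (5100, SAMPLE, "reg_open", NLS_LANGUAGE_KEY),
    (5100, SAMPLE, "write_memory", (4816, TEMP + "apfyv.exe", '"' + TEMP + 'apfyv.exe"')),
    (5100, SAMPLE, "write_memory", (4816, TEMP + "apfyv.exe", '"' + TEMP + 'apfyv.exe"')),
    (5100, SAMPLE, "write_memory", (5112, CMD, CMD_BAT)),
    (4816, TEMP + "apfyv.exe", "reg_query", HKU + GEO_NATION_KEY),
    (4816, TEMP + "apfyv.exe", "reg_open", NLS_LANGUAGE_KEY),
    (4816, TEMP + "apfyv.exe", "write_memory", (2216, TEMP + "secuiw.exe", '"' + TEMP + 'secuiw.exe" OK')),
    (2216, TEMP + "secuiw.exe", "reg_query", HKU + GEO_NATION_KEY),
    (2216, TEMP + "secuiw.exe", "reg_open", NLS_LANGUAGE_KEY),
    (2216, TEMP + "secuiw.exe", "write_memory", (4796, TEMP + "ahkeh.exe", '"' + TEMP + 'ahkeh.exe"')),
    (2216, TEMP + "secuiw.exe", "write_memory", (3876, CMD, CMD_BAT)),
    (4796, TEMP + "ahkeh.exe", "reg_open", NLS_LANGUAGE_KEY),
    (5112, CMD, "reg_open", NLS_LANGUAGE_KEY),
    (3876, CMD, "reg_open", NLS_LANGUAGE_KEY),
]

# Example weights: a dropped EXE that geofences and writes into a child scores highest.
WEIGHTS = {"geofence_check": 2, "language_check": 1, "dropped_exe_from_temp": 3,
           "writes_child_memory": 2, "runs_temp_batch": 2}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str = ""
    parent: Optional[int] = None
    flags: Set[str] = field(default_factory=set)


def build(events: List[Tuple]) -> Dict[int, Proc]:
    """Fold raw events into per-process records with parent links and flags."""
    procs: Dict[int, Proc] = {}
    for pid, image, action, detail in events:
        p = procs.setdefault(pid, Proc(pid, image))
        if action == "write_memory":
            cpid, cimage, ccmd = detail
            child = procs.setdefault(cpid, Proc(cpid, cimage, ccmd))
            if child.parent is None:          # first writer is taken as the parent
                child.parent = pid
            p.flags.add("writes_child_memory")  # set semantics dedupe the 3x rows
        elif action == "reg_query" and detail.endswith(GEO_NATION_KEY):
            p.flags.add("geofence_check")
        elif action == "reg_open" and detail == NLS_LANGUAGE_KEY:
            p.flags.add("language_check")
    for p in procs.values():
        img, cmd = p.image.lower(), p.cmdline.lower()
        if img.startswith(TEMP.lower()) and img != SAMPLE.lower():
            p.flags.add("dropped_exe_from_temp")
        if img.endswith("\\cmd.exe") and ".bat" in cmd and TEMP.lower() in cmd:
            p.flags.add("runs_temp_batch")
    return procs


def score(p: Proc) -> int:
    return sum(WEIGHTS[f] for f in p.flags)


def chain(procs: Dict[int, Proc], pid: int) -> List[int]:
    """Root-to-leaf PID chain for one process, following parent links."""
    out: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur not in out:   # guard against cycles
        out.append(cur)
        cur = procs[cur].parent
    return out[::-1]


def report(procs: Dict[int, Proc]) -> List[Tuple[int, int, str, List[int]]]:
    """Rows of (score, pid, image name, chain), highest score first."""
    rows = [(score(p), p.pid, p.image.rsplit("\\", 1)[-1], chain(procs, p.pid))
            for p in procs.values()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


PROCS = build(EVENTS)

if __name__ == "__main__":
    for s, pid, name, ch in report(PROCS):
        print(f"{s:2d}  {pid:5d}  {name:40s}  {' -> '.join(map(str, ch))}")
```

Run it directly to print one row per process; a real pipeline would feed parsed sandbox or EDR telemetry into build() instead of the constructed list. Deduplicating the three WriteProcessMemory rows per edge matters: counted raw they inflate the injector's score without adding evidence, and the parent link should be taken from the first writer only.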
Processes

C:\Users\Admin\AppData\Local\Temp\0f03916e5764030aecb65ae5137e6780N.exe  (PID 5100)
  command line: "C:\Users\Admin\AppData\Local\Temp\0f03916e5764030aecb65ae5137e6780N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\apfyv.exe  (PID 4816, child of 5100)
    command line: "C:\Users\Admin\AppData\Local\Temp\apfyv.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\secuiw.exe  (PID 2216, child of 4816)
      command line: "C:\Users\Admin\AppData\Local\Temp\secuiw.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ahkeh.exe  (PID 4796, child of 2216)
        command line: "C:\Users\Admin\AppData\Local\Temp\ahkeh.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe  (PID 3876, child of 2216)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (PID 5112, child of 5100)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery

Two details worth noting: both cmd.exe instances resolve to C:\Windows\SysWOW64\cmd.exe even though the command line names system32, which is the file-system redirection a 32-bit process sees under WOW64 and is consistent with the arch:x86 resource tag; and secuiw.exe is the only dropped stage started with an argument (OK), while apfyv.exe and ahkeh.exe are launched bare. Both cmd.exe launches run the same _vslite.bat from %TEMP%.
Network
MITRE ATT&CK Enterprise v15
Downloads

Six files were captured; the report lists sizes and hashes only, without file names or paths.

1. Filesize: 224B
   MD5: 95db8a2443a10694b474c273e2c9596e
   SHA1: ce51ced277fc8478549c230e8525b44af0a45447
   SHA256: 9c4dd9ad4f9e3e9bf799d74b2fd14df458ff3ec558ed5f0c6400d3211312c92f
   SHA512: 199bbe735620d4c2912c2616fb37470be4c440c672b48b9357a7908b5807f4d18a401e6dba2d6b2341bd2b17eedc69f073dcbb4a606124b6bb4de5823913f399

2. Filesize: 278B
   MD5: 056b47c36a5be7c84a84776d04778058
   SHA1: 9a43ea0351f2edb7b5905e441a06266af51eb87e
   SHA256: f40399ae65f46bd068865dab1d5725b49ec14f6b45304e5c0494300bf2d6ce20
   SHA512: 125abd5fab8f2ceba9786eab0c36684e1e24f972af7345a28a3356d8a2678db5832bddce79a784fb40ad546d1942df5c4b0b631f8c6f2da2580bdcb7026e6f8a

3. Filesize: 459KB
   MD5: 06e5de9f8da905a2e6ed8e50f3951789
   SHA1: 3d1b0e009731a53f82d0d61504de60f8cdcae448
   SHA256: 21087158cb515e8eb2dd7e8d801e6b8cb1dd59939eff54daf98325d60758f414
   SHA512: 4a0748f32f8cf3de3ddaaef392cccde1022510d32380a1b69a582c17ac335e6768f1b88e4c7403a366a2dee7917e7401c2dc657c234c623780df61265c562b7c

4. Filesize: 6.5MB
   MD5: e8b8a792a5d4e72956929c75c0c338bf
   SHA1: a54839ef7c9c71d67c80ffa20bc18abd0c586334
   SHA256: bef70188c6035c298fc0c2af1e4a2d33ee1d9104aa99093df577f8920b5486ae
   SHA512: f8f57dd82fa1e9ea44d374e69943c7e87fec01bb6b944e24f1c7785035b216627138440db45da808feea3da943fff2d832e7e832f7d68293a73dfc5a9229591b
   (same size as the submitted sample but a different hash)

5. Filesize: 104B
   MD5: dbef593bccc2049f860f718cd6fec321
   SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
   SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
   SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

6. Filesize: 512B
   MD5: 3ea5b49debd50bbd2352e19155f6c363
   SHA1: 9aa1c3a05743a549df5dbf819aa326f3c014e3c4
   SHA256: 95ed20ce45d55234275ce08cfa31a64a0208d56fba6c6a8f0a8f1aafad122901
   SHA512: ded9abab38f978285e13dbfb82bebf6cb85966f25e7802dad04abb93de17f081f102b0271b78f927468b1217799b3091ece4e4beca8dfa1df68797a9024c1f0d