Analysis
- max time kernel: 145s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2024 01:16
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
  Resource: win7-20240704-en
General
- Target: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
- Size: 6.4MB
- MD5: 8ed0d73e075de1ced86005ec0de71716
- SHA1: 9a1dd2d7b84d68d212855da11a9f71d4410e76f3
- SHA256: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a
- SHA512: 47c22160935dc479c3e41469fb8200a13537f9da7f4bf1a4fcb14510440a74610ea5d1442a75222e2588692c47b68deb990b94a96dd814e0a496253802f3617d
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSj:i0LrA2kHKQHNk3og9unipQyOaOj
Malware Config
Extracted
- Family: urelas
- C2 addresses (from the extracted configuration): 218.54.31.165, 218.54.31.226
Signatures
Deletes itself (1 IoC)
Processes:
- PID 2820 cmd.exe
Executes dropped EXE (3 IoCs)
Processes:
- PID 2840 qiupn.exe
- PID 644 yhkezy.exe
- PID 2580 wexuk.exe
Loads dropped DLL (5 IoCs)
Processes:
- PID 1748 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe (2 entries)
- PID 2840 qiupn.exe (2 entries)
- PID 644 yhkezy.exe
UPX packer yara rule match (rule: upx)
Resources:
- \Users\Admin\AppData\Local\Temp\wexuk.exe
- behavioral1/memory/2580-170-0x0000000000400000-0x0000000000599000-memory.dmp
- behavioral1/memory/2580-176-0x0000000000400000-0x0000000000599000-memory.dmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reads of this key are also common in benign software, so on its own it is a weak indicator; it is notable here because every process in the chain, including each dropped stage, performs it.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by qiupn.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by yhkezy.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by wexuk.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
- PID 1748 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
- PID 2840 qiupn.exe
- PID 644 yhkezy.exe
- PID 2580 wexuk.exe (12 entries)
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (parent PID and image, then target PID and image; each pair is recorded 4 times):
- 1748 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe wrote to memory of 2840 qiupn.exe
- 1748 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe wrote to memory of 2820 cmd.exe
- 2840 qiupn.exe wrote to memory of 644 yhkezy.exe
- 644 yhkezy.exe wrote to memory of 2580 wexuk.exe
- 644 yhkezy.exe wrote to memory of 1292 cmd.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"
  PID: 1748
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\qiupn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qiupn.exe"
    PID: 2840
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\yhkezy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\yhkezy.exe" OK
      PID: 644
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\wexuk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\wexuk.exe"
        PID: 2580
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1292
        - System Location Discovery: System Language Discovery
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2820
    - Deletes itself
    - System Location Discovery: System Language Discovery
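The chain above is the pattern worth encoding in triage tooling: each stage runs from the user's Temp directory, starts the next dropped executable, and then launches cmd /c on a batch file in the same directory (here _vslite.bat) so that the stage can be removed once the next one is running. The following Python script is an added example, not part of the sandbox report or of any tool the report describes. It parses "wrote to memory" entries of the shape shown in this report, deduplicates the repeated calls, rebuilds the parent/child tree, extracts the longest chain of dropped executables, and flags every Temp-resident process whose child is cmd.exe running a Temp-resident .bat. The input lines and command lines are constructed from this report's own entries; the regular expressions, function names and the "self-delete candidate" label are the example's own assumptions, not sandbox output.

```python
"""Rebuild a process tree from sandbox 'wrote to memory' lines and flag the
drop-next-stage-then-run-batch pattern seen in this report (added example)."""
import re
from collections import defaultdict

# Constructed sample input: a subset of this report's WriteProcessMemory entries,
# one per line. The sandbox records each parent/child pair four times; two of the
# four are kept for the first pair so the dedup step has something to do.
SAMPLE_EXE = "8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WPM_LINES = f"""
PID 1748 wrote to memory of 2840 1748 {SAMPLE_EXE} qiupn.exe
PID 1748 wrote to memory of 2840 1748 {SAMPLE_EXE} qiupn.exe
PID 1748 wrote to memory of 2820 1748 {SAMPLE_EXE} cmd.exe
PID 2840 wrote to memory of 644 2840 qiupn.exe yhkezy.exe
PID 644 wrote to memory of 2580 644 yhkezy.exe wexuk.exe
PID 644 wrote to memory of 1292 644 yhkezy.exe cmd.exe
"""
# Command lines taken from the report's process tree, keyed by PID (constructed).
CMDLINES = {
    1748: f'"{TEMP}\\{SAMPLE_EXE}"',
    2840: f'"{TEMP}\\qiupn.exe"',
    644: f'"{TEMP}\\yhkezy.exe" OK',
    2580: f'"{TEMP}\\wexuk.exe"',
    1292: f'cmd /c ""{TEMP}\\_vslite.bat" "',
    2820: f'cmd /c ""{TEMP}\\_vslite.bat" "',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
# Tolerates the doubled quotes the sandbox shows around the batch path.
BAT_RE = re.compile(r'cmd\s+/c\s+"*([^"]+\.bat)', re.IGNORECASE)


def parse_relations(text):
    """Return ({(parent_pid, child_pid): call_count}, {pid: image_name})."""
    counts = defaultdict(int)
    images = {}
    for m in WPM_RE.finditer(text):
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        counts[(ppid, cpid)] += 1  # dedup: one edge per pair, count kept
        images[ppid] = pimg
        images[cpid] = cimg
    return dict(counts), images


def build_tree(counts):
    """Return ({parent_pid: [child_pids]}, [root_pids]) from the edge counts."""
    children = defaultdict(list)
    for ppid, cpid in counts:
        children[ppid].append(cpid)
    all_children = {c for _, c in counts}
    roots = sorted({p for p, _ in counts} - all_children)
    return dict(children), roots


def exe_chain(children, images, root):
    """Longest root-to-leaf path that only passes through dropped executables
    (cmd.exe helpers are skipped, they are side branches of each stage)."""
    best = [root]
    for c in children.get(root, []):
        if images.get(c, "").lower() == "cmd.exe":
            continue
        path = [root] + exe_chain(children, images, c)
        if len(path) > len(best):
            best = path
    return best


def self_delete_candidates(children, images, cmdlines):
    """Flag Temp-resident processes that spawn cmd /c <Temp>\\*.bat.
    Returns sorted (parent_pid, parent_image, cmd_pid, bat_path) tuples."""
    hits = []
    for ppid, kids in children.items():
        if TEMP.lower() not in cmdlines.get(ppid, "").lower():
            continue
        for c in kids:
            if images.get(c, "").lower() != "cmd.exe":
                continue
            m = BAT_RE.search(cmdlines.get(c, ""))
            if m and m.group(1).lower().startswith(TEMP.lower()):
                hits.append((ppid, images[ppid], c, m.group(1)))
    return sorted(hits)


def render_tree(children, images, cmdlines, root, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{root} {images[root]}  {cmdlines.get(root, '')}"]
    for c in children.get(root, []):
        lines += render_tree(children, images, cmdlines, c, depth + 1)
    return lines


if __name__ == "__main__":
    counts, images = parse_relations(WPM_LINES)
    children, roots = build_tree(counts)
    for r in roots:
        print("\n".join(render_tree(children, images, CMDLINES, r)))
        chain = exe_chain(children, images, r)
        print("dropper chain:", " -> ".join(images[p] for p in chain))
    for ppid, pimg, cpid, bat in self_delete_candidates(children, images, CMDLINES):
        print(f"self-delete candidate: {pimg} (PID {ppid}) spawned cmd.exe (PID {cpid}) running {bat}")
```

Run against the constructed lines the script prints the four-stage chain (sample exe, qiupn.exe, yhkezy.exe, wexuk.exe) and two self-delete candidates, matching the report, where only the first cmd.exe (PID 2820) carried the sandbox's "Deletes itself" tag; the second (PID 1292) runs the same batch file from yhkezy.exe and is flagged by the heuristic because the pattern is identical. Real sandbox exports vary in layout, so the parsing regex is the part to adapt.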
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: 8ada5a454e2d31b1f264224e2a058239
  SHA1: ace150f1a49ba028bce64aaa5357ed536a19e336
  SHA256: 8b4c48523560c12ff89d556d67243e75f8e8880d3cfb9263a62ae935042a3f95
  SHA512: 3562dd4d437f2881f4849c5003c40377082e4b71835d67f17016b8b25f3802487caac941c4ebc078a76c32607959fd285ce817f1c86c3e7c6f6c55974a75e8f6
- Filesize: 224B
  MD5: 353477e1fe864c2fdda6a63b9a6241d1
  SHA1: b945bbbdab042f117abe5d04d57faf13c322632d
  SHA256: 0282f9b6f828db1026edebb08f3093ab8a808394379f2ccfe2f1ed13dd284385
  SHA512: d47f8b272d3e26bc64e65ed02f64966251e29f9e2e3e1134fffd179dc141aa00af96e592d6baebff02869c11741cea7e7c6d0acce1356c44e0d7a172acaec013
- Filesize: 104B
  MD5: dbef593bccc2049f860f718cd6fec321
  SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
  SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
  SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
- Filesize: 512B
  MD5: ddf453996fcae41217f47c69330d96f9
  SHA1: 78c965a3ae16d3e4a4ad8dd2b3d9d5c2d9a59648
  SHA256: 0477f2bda157e996a3a9006c662ece9bff08cc4d5b8017d21b953e4198dd5e72
  SHA512: b7dd073dd202f1201b8132747bbc0f8c359e6aa05297213bfbb871075d4939f9b350ec473c70773e668e6c5fc053595428d660eca490d71b55ece869bee98998
- Filesize: 6.4MB
  MD5: d166e351b50daaefb2598c6f526d3f3b
  SHA1: 5cc7a8a466d1f1e0bdae934e89751f5397eb5277
  SHA256: 73623dd569b76554cb3435a8730300f73fe337390ebb574eb6c145e4c3ef81ea
  SHA512: 7783865c8c8c233d1f8eb1c7e397a57ea1adc57ae9fdbf3a1875d72e1876fe5c9a0457837dbf38c8332721b640465b9466465474362fb7d836f393e32177de06
- Filesize: 459KB
  MD5: 6860a6e24cff6ddbbca2bd295484a1fc
  SHA1: 3a4edc0924c51b13a560e3dc2143b3fe5603cb24
  SHA256: 4066d43a0c8d3e5b41d86a813bf9e4a9db8c4ae3437da1ecbf67ec44b999b561
  SHA512: 92f82f1192392cbcc18340a643b664eb1e0d84f1ae7ac73fca6212dd9339a71571741600d7d6fbe8228cbe14949416766dbc2e5c581da2ae41c7f5c7686908bd