Analysis

max time kernel: 148s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 01:16

Static task: static1
Behavioral task: behavioral1
Sample: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
Resource: win7-20240704-en
General

Target: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
Size: 6.4MB
MD5: 8ed0d73e075de1ced86005ec0de71716
SHA1: 9a1dd2d7b84d68d212855da11a9f71d4410e76f3
SHA256: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a
SHA512: 47c22160935dc479c3e41469fb8200a13537f9da7f4bf1a4fcb14510440a74610ea5d1442a75222e2588692c47b68deb990b94a96dd814e0a496253802f3617d
SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSj:i0LrA2kHKQHNk3og9unipQyOaOj
Malware Config

Extracted family: urelas
C2 addresses (from the extracted Urelas configuration):
  218.54.31.165
  218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely as a geofence.
Processes: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe, niwob.exe, poupko.exe

  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation  8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation  niwob.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation  poupko.exe
Executes dropped EXE (3 IoCs)
Processes: niwob.exe, poupko.exe, sehen.exe

  pid   process
  3412  niwob.exe
  432   poupko.exe
  4896  sehen.exe
UPX-packed file (YARA rule: upx, 4 IoCs)
The dropped sehen.exe and three memory dumps of its process (PID 4896) match the upx rule.

  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\sehen.exe                                  upx
  behavioral2/memory/4896-69-0x0000000000400000-0x0000000000599000-memory.dmp  upx
  behavioral2/memory/4896-74-0x0000000000400000-0x0000000000599000-memory.dmp  upx
  behavioral2/memory/4896-75-0x0000000000400000-0x0000000000599000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: poupko.exe, sehen.exe, cmd.exe, 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe, niwob.exe, cmd.exe

  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poupko.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sehen.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  niwob.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe, niwob.exe, poupko.exe, sehen.exe

  pid   process                                                                entries
  2900  8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe  2
  3412  niwob.exe                                                              2
  432   poupko.exe                                                             2
  4896  sehen.exe                                                              24
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe, niwob.exe, poupko.exe
Each parent/child pair below was reported three times (15 IoCs in total).

  description      pid   process                                                                target pid  target process
  wrote to memory  2900  8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe  3412        niwob.exe
  wrote to memory  2900  8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe  4420        cmd.exe
  wrote to memory  3412  niwob.exe                                                              432         poupko.exe
  wrote to memory  432   poupko.exe                                                             4896        sehen.exe
  wrote to memory  432   poupko.exe                                                             2976        cmd.exe
Processes
(bracketed numbers give the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe (PID 2900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\niwob.exe (PID 3412)
        Command line: "C:\Users\Admin\AppData\Local\Temp\niwob.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\poupko.exe (PID 432)
            Command line: "C:\Users\Admin\AppData\Local\Temp\poupko.exe" OK
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\sehen.exe (PID 4896)
                Command line: "C:\Users\Admin\AppData\Local\Temp\sehen.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe (PID 2976)
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4420)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
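The signatures and process tree above describe a behavioral chain (executables dropped to and launched from %TEMP%, a Geo\Nation lookup, an NLS\Language lookup, cmd.exe /c running _vslite.bat from %TEMP%, and two hardcoded addresses in the extracted configuration) that is more useful as a hunt than as a list of PIDs. The Python below is an added example, not part of the sandbox report or of any vendor tool: it encodes those indicators and evaluates host events against them. The event dicts, their field names (type, pid, image, parent_image, command_line, key, dst_ip), the benign control process and the network event are all assumptions made for illustration; the report itself recorded no network traffic, and mapping the dicts onto a live source (Sysmon process-create and network-connect events, object-access auditing for registry reads) is left to the reader.

```python
"""Hunting logic distilled from the sandbox report above.

Added example; not part of the report or of any vendor tooling. Indicators
come from the Signatures, Processes and Malware Config sections; the events
are constructed dicts, not real telemetry.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable, Mapping

# Indicators taken from the report.
URELAS_C2 = {"218.54.31.165", "218.54.31.226"}
DROPPED_EXES = {"niwob.exe", "poupko.exe", "sehen.exe"}
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.I)
BATCH_FROM_TEMP_RE = re.compile(
    r'cmd\.exe\S*\s+/c\s+.*\\appdata\\local\\temp\\[^"\s]+\.bat', re.I)

Event = Mapping[str, str]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev: Event) -> list[str]:
    """Return the report signature names a single event satisfies."""
    hits: list[str] = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        if TEMP_RE.match(image) and _basename(image) in DROPPED_EXES:
            hits.append("Executes dropped EXE")
        if TEMP_RE.match(image) and TEMP_RE.match(parent):
            hits.append("Temp-to-Temp process chain")
        if BATCH_FROM_TEMP_RE.search(ev.get("command_line", "")):
            hits.append("cmd.exe /c batch from Temp")
    elif kind == "registry":
        key = ev.get("key", "")
        if GEO_NATION_RE.search(key):
            hits.append("Checks computer location settings")
        if NLS_LANGUAGE_RE.search(key):
            hits.append("System Language Discovery")
    elif kind == "network" and ev.get("dst_ip") in URELAS_C2:
        hits.append("Urelas C2 address")
    return hits


def evaluate(events: Iterable[Event]) -> dict[str, list[str]]:
    """Map each signature name to the PIDs that triggered it."""
    found: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        for name in match_event(ev):
            found[name].append(ev.get("pid", "?"))
    return dict(found)


def urelas_chain_detected(events: Iterable[Event]) -> bool:
    """Combine weak signals into one verdict that mirrors the report's chain.

    A dropped EXE running from %TEMP% is common in benign installers, and so
    is a locale lookup; requiring the drop plus either the Geo\\Nation query
    or a connection to an extracted address keeps the rule specific.
    """
    found = evaluate(events)
    dropped = "Executes dropped EXE" in found
    intent = ("Checks computer location settings" in found
              or "Urelas C2 address" in found)
    return dropped and intent


# Constructed events modelled on the report's process tree and IoCs. The
# network event and the benign control are invented for illustration: the
# report's Network section recorded no traffic.
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"type": "process", "pid": "3412", "parent_image": _SAMPLE,
     "image": r"C:\Users\Admin\AppData\Local\Temp\niwob.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\niwob.exe"'},
    {"type": "process", "pid": "4420", "parent_image": _SAMPLE,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "'},
    {"type": "registry", "pid": "3412",
     "key": r"\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry", "pid": "432",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "network", "pid": "4896", "dst_ip": "218.54.31.165"},
    # Benign control (constructed): a vendor installer launched from Explorer.
    {"type": "process", "pid": "7001", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\setup.exe", "command_line": "setup.exe"},
]

if __name__ == "__main__":
    for name, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: PIDs {', '.join(pids)}")
    print("Urelas-like chain:", urelas_chain_detected(SAMPLE_EVENTS))
```

The per-event matches are deliberately weak on their own: many legitimate installers unpack to %TEMP% and read the locale. The value is in urelas_chain_detected, which requires the drop-and-execute step together with the geofence lookup or an extracted address before raising a verdict, which is the same conjunction the report's signature list presents.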
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 224B
  MD5: 346f69104506fcfed4739daaa518df25
  SHA1: 81a9839e844efc8dbd6b66be85abe247eade0204
  SHA256: 8e8087aed816ad06ff3ab6e6cb8849af1333bb9f68a79760c28200071dbff221
  SHA512: 35fedb8ed5a68c8b33c7d565f84ba15baed983eb9ace6ad389b20f3cfc9146802d5e858b45d38156984a55cbd77407e188c8f6b23786d164f6e79787beb3aaad

File 2
  Filesize: 340B
  MD5: 8ada5a454e2d31b1f264224e2a058239
  SHA1: ace150f1a49ba028bce64aaa5357ed536a19e336
  SHA256: 8b4c48523560c12ff89d556d67243e75f8e8880d3cfb9263a62ae935042a3f95
  SHA512: 3562dd4d437f2881f4849c5003c40377082e4b71835d67f17016b8b25f3802487caac941c4ebc078a76c32607959fd285ce817f1c86c3e7c6f6c55974a75e8f6

File 3
  Filesize: 104B
  MD5: dbef593bccc2049f860f718cd6fec321
  SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
  SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
  SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

File 4
  Filesize: 512B
  MD5: fe28784d002e188196edb7f2f70f4bc8
  SHA1: 65e8555bcfd60cb3c12ae63a420fffc12a70bfc5
  SHA256: 9bafab7c6be6ed736aa3a7d80dffb2ba0496dd7ac3e913cc13ff02f576a466a8
  SHA512: e1e11a99efe6dd39dd341beb9f5dd4d69c622fab0e9b51f0bd0a59baef430eaeab7dcc91d26271874753e1fe3c24bdf132d3e721206e8cecf5e9aa189adbc133

File 5
  Filesize: 6.4MB
  MD5: 3766b37aecf3d9600fe2746734c109c6
  SHA1: 74ad2808cdbcb3566c25339a8272bc4142177eaa
  SHA256: 710aae7c722543346ec8a99e1d21baf454e0fb95adf21440ccc78ae7cf502a25
  SHA512: c3712004c595151277164308e1fb27ca873ddf826f911dddce2708c32fd188ad538d416972e558be956840de275f9aba2f56208bde65478206279cdd5e24c1cf

File 6
  Filesize: 459KB
  MD5: 491354bf8ecab3bc3a5c415d30ae8a4c
  SHA1: 2fea6d7393d539bdeaa1242b05a8f81241d97745
  SHA256: a7b815df1c5b92bc0744ce52658be5b7d5b64c2d60d1683e232c6a7d49a1a74b
  SHA512: abd53e5710e7b9fc4dc68837abc73e85356a87ab9174a5c2669deaeb6d34789330beafd93f15a84eb87692b15eb6a22b2aed80ba925aef6d1d0b1ff050d1f370