Analysis
max time kernel: 119s
max time network: 77s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 05:34
Static task: static1
Behavioral task: behavioral1
  Sample: 434927414b3d9bb823b1fbd9e6004850N.exe
  Resource: win7-20240704-en
General
Target: 434927414b3d9bb823b1fbd9e6004850N.exe
Size: 331KB
MD5: 434927414b3d9bb823b1fbd9e6004850
SHA1: 65d17adea257f844a0bd72cf36ac5db66c236163
SHA256: ed6ea4d610a46302552d12c74f259d7d5eddfff04f6263241ffdac17d9cf6e91
SHA512: eb9a6ae7859380769f5dd30a29b78497b1c747486fd0d3fece8a039907754b0ef1adfb8f81f5ec8565d73429c435fa5726ab4c7d23da321875a5bcb5d20045f6
SSDEEP: 6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/iT:ytCLD7+51gxeq3gOU9EEQrhMM
Malware Config
Extracted
Family: urelas
Addresses:
  218.54.31.165
  218.54.31.226
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe
  pid   process
  3000  cmd.exe

Executes dropped EXE (3 IoCs)
Processes: tuavu.exe, bexipy.exe, ziheq.exe
  pid   process
  2072  tuavu.exe
  2836  bexipy.exe
  816   ziheq.exe

Loads dropped DLL (5 IoCs)
Processes: 434927414b3d9bb823b1fbd9e6004850N.exe, tuavu.exe, bexipy.exe
  pid   process
  2068  434927414b3d9bb823b1fbd9e6004850N.exe
  2068  434927414b3d9bb823b1fbd9e6004850N.exe
  2072  tuavu.exe
  2072  tuavu.exe
  2836  bexipy.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 434927414b3d9bb823b1fbd9e6004850N.exe, cmd.exe, tuavu.exe, bexipy.exe, ziheq.exe, cmd.exe
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  434927414b3d9bb823b1fbd9e6004850N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tuavu.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bexipy.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ziheq.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes: ziheq.exe
  pid   process
  816   ziheq.exe  (the same entry repeated 25 times)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 434927414b3d9bb823b1fbd9e6004850N.exe, tuavu.exe, bexipy.exe
  description                          pid   process                                 target process
  PID 2068 wrote to memory of 2072     2068  434927414b3d9bb823b1fbd9e6004850N.exe   tuavu.exe   (4 entries)
  PID 2068 wrote to memory of 3000     2068  434927414b3d9bb823b1fbd9e6004850N.exe   cmd.exe     (4 entries)
  PID 2072 wrote to memory of 2836     2072  tuavu.exe                               bexipy.exe  (4 entries)
  PID 2836 wrote to memory of 816      2836  bexipy.exe                              ziheq.exe   (4 entries)
  PID 2836 wrote to memory of 1304     2836  bexipy.exe                              cmd.exe     (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\434927414b3d9bb823b1fbd9e6004850N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068

  C:\Users\Admin\AppData\Local\Temp\tuavu.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\tuavu.exe" hi
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072

    C:\Users\Admin\AppData\Local\Temp\bexipy.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\bexipy.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2836

      C:\Users\Admin\AppData\Local\Temp\ziheq.exe (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\ziheq.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID:816

      C:\Windows\SysWOW64\cmd.exe (depth 4)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
        PID:1304

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3000
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 278B
MD5: 6e7fbaae10a0e33d5d4de64ebb9ae2d1
SHA1: f7c0055bf69a6ceeecac7d6923aaf4f6e2127491
SHA256: 2e68488559194c6252e03d5d6127ec84b4f8d2570182600d7c5f424c8606d688
SHA512: a4ffbb622de18ce97775bd11c0dbb2c00579d773e139276f88bea4032ba8394dc387d0d4cd2593bc6e938bd83050cd6bd37cd2ae61a22170ea7f5425588db796

Filesize: 224B
MD5: f390a382077a9e3dc1c9539c0ca4747e
SHA1: 137ae28093a106fb32d37cd6073c0e911ba45f24
SHA256: 293fbd6c74e6d0167f4cb80f5594e0dee42de9f21d7ed33a9342674c873a373c
SHA512: 76ef7be0254c710578c639867a1502206313315a779b4e5f2ff69ab96287a9c268b9a7296cc84fdf7641ff5cf2fa593c94829370a27e7f1f933b0dd6fcf72564

Filesize: 512B
MD5: 07e27cfec7f749c49c203efb0289453e
SHA1: 6bc4a62e95b90911bdd618d5e9883bd9a181acf7
SHA256: a9b0efdb735752e948dff2c3e532882f0b29fe31d134a99dd49f79d40b25e876
SHA512: 834b3d8b076834908e51d1546012d9791e7d9c3dcdb969b994a9e12a4d0d2f99837f194a7a345f9d8589b92cbd7406eab2821a94108cc8e89b298fb07162a482

Filesize: 332KB
MD5: d36393e055f616d51bf91f7df8a24eb6
SHA1: 0487265da00199c814091d306bbb3e1a5a6c3ecc
SHA256: 54227490a7d947b20e186a9325a3509a0c7a85316dc75a658f44be6263f5bf24
SHA512: d83a70881b90d32cc13c19f772655d5e4e0bfbc681777d65561c25504056f53bd71710825c4dbbf386db157cc45b22785310eee489fe30a869e3521e78de19a1

Filesize: 332KB
MD5: 8325b9dafc7f2b7beed0170c4081c7d6
SHA1: 1115bc23f2323a2dff82a31e1348089ce334ee9c
SHA256: 8cf72f1f54b95ef559ba5df852519f5b9f4e46d70a5afd5b44478c9f44576ead
SHA512: e009997efb557da4c75e18aea25738aef18509d3b7d7a0840a89ce1b48b8c2cca0633c2675a6eff787540ffbac9c83b3db0de9d3f45d4c6ae06663845059bcff

Filesize: 223KB
MD5: 1756437b41f115ec113291cdf01fd23d
SHA1: 3962323bc753d69bf51436f12bb14c4f7e322c53
SHA256: 9897eed9b10531e904dea938f85e091c68ad85b3375d8c1cb268cc3b545e911b
SHA512: c42d0f7f7b51a58075533a458d6fadf1fe965ae94edc2feac76d72455e093f35ff68e8a047a6a4ebde6bb09d34999528377980df45d4026ad6aca6a3407a86c9