Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 06:30 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 95ee71927bce9ff4ae2a236329b7aa20N.exe
Resource: win7-20240705-en
General

Target: 95ee71927bce9ff4ae2a236329b7aa20N.exe
Size: 6.5MB
MD5: 95ee71927bce9ff4ae2a236329b7aa20
SHA1: 1056f0228501dd256dd55ff60ec7d21be0020432
SHA256: ce8db332fe75b98361a0dc3b7b9bfc5456df31a291d61db244169ac55dfc4537
SHA512: b15c5a253d131ce391a6ca30842394ff032a57c51410f937a11225373c3f19a8555c36169bb121be4110e2d2bead53be6d41bdd004b80b4278341b6d558e03cd
SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSH:i0LrA2kHKQHNk3og9unipQyOaOH
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures

Deletes itself (1 IoC)
  pid   Process
  2928  cmd.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  1076  jukuc.exe
  2284  sukuik.exe
  852   izfoh.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  1368  95ee71927bce9ff4ae2a236329b7aa20N.exe
  1368  95ee71927bce9ff4ae2a236329b7aa20N.exe
  1076  jukuc.exe
  1076  jukuc.exe
  2284  sukuik.exe

yara_rule matches
  resource                                                                      yara_rule
  behavioral1/files/0x000900000001722a-157.dat                                  upx
  behavioral1/memory/852-163-0x0000000000400000-0x0000000000599000-memory.dmp   upx
  behavioral1/memory/2284-159-0x0000000004830000-0x00000000049C9000-memory.dmp  upx
  behavioral1/memory/852-175-0x0000000000400000-0x0000000000599000-memory.dmp   upx

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   95ee71927bce9ff4ae2a236329b7aa20N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jukuc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sukuik.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   izfoh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  1368  95ee71927bce9ff4ae2a236329b7aa20N.exe
  1076  jukuc.exe
  2284  sukuik.exe
  852   izfoh.exe
  852   izfoh.exe
  852   izfoh.exe
  852   izfoh.exe
  852   izfoh.exe
  852   izfoh.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                         pid   Process                                procid_target
  PID 1368 wrote to memory of 1076    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  31
  PID 1368 wrote to memory of 1076    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  31
  PID 1368 wrote to memory of 1076    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  31
  PID 1368 wrote to memory of 1076    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  31
  PID 1368 wrote to memory of 2928    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  32
  PID 1368 wrote to memory of 2928    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  32
  PID 1368 wrote to memory of 2928    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  32
  PID 1368 wrote to memory of 2928    1368  95ee71927bce9ff4ae2a236329b7aa20N.exe  32
  PID 1076 wrote to memory of 2284    1076  jukuc.exe                              34
  PID 1076 wrote to memory of 2284    1076  jukuc.exe                              34
  PID 1076 wrote to memory of 2284    1076  jukuc.exe                              34
  PID 1076 wrote to memory of 2284    1076  jukuc.exe                              34
  PID 2284 wrote to memory of 852     2284  sukuik.exe                             35
  PID 2284 wrote to memory of 852     2284  sukuik.exe                             35
  PID 2284 wrote to memory of 852     2284  sukuik.exe                             35
  PID 2284 wrote to memory of 852     2284  sukuik.exe                             35
  PID 2284 wrote to memory of 2856    2284  sukuik.exe                             36
  PID 2284 wrote to memory of 2856    2284  sukuik.exe                             36
  PID 2284 wrote to memory of 2856    2284  sukuik.exe                             36
  PID 2284 wrote to memory of 2856    2284  sukuik.exe                             36
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95ee71927bce9ff4ae2a236329b7aa20N.exe"
  PID: 1368
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Users\Admin\AppData\Local\Temp\jukuc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jukuc.exe"
    PID: 1076
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Users\Admin\AppData\Local\Temp\sukuik.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\sukuik.exe" OK
      PID: 2284
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      (level 4) C:\Users\Admin\AppData\Local\Temp\izfoh.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\izfoh.exe"
        PID: 852
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      (level 4) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2856
        - System Location Discovery: System Language Discovery

  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2928
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 278B
MD5: a03a685eb198f629caf9300ec1eb2b31
SHA1: 8dc3cd02a0cef1a2d1182b142fb1dc8f56f146d7
SHA256: fb6ce3d0667c8fb9c07a3f43b0d088d8e5209bddb685da2c5646bf57b8cf090f
SHA512: dbd434caf2cbbff4db888e742413f36e6e8d08ee9717efe04e681ee0b64a3e9b6f466a5dd48af167fe80bc224f31337177257cee23d7981b80f85bc6e524dfb4

Filesize: 224B
MD5: 4f2545c32a24540148661a9f8df6b347
SHA1: 3ae95776c56c623e0d92c9765878e639e5cd5d37
SHA256: 0875ef115e23a8372ad5b849709f475a23c48368596ca19a679723aa5eb4abe6
SHA512: ca0decf5355be90e35d7ef5f041675a20bdbd863819daeb47ca9abd6de3ffbd3d1e007711591ccce34f1d2ea0ff2165709c3b66b880e362f90108279af8a3b5a

Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize: 512B
MD5: a03b241bccdd1ad19de05ddbccd96a26
SHA1: 5b4cb489a051d320cdd23250b04a0c10a1a37e94
SHA256: 03373230388af3ec839dea2ce5c4d8b7cfa57d84cea07170e57653b284343379
SHA512: 110ec885d4151b685d4aa5a352b201be62f8657cbcd33f8338501bd87944cdbd24a1afa73af7a1a0596ad53757a209cc75f358d6572fa531e057e82424dd0b32

Filesize: 6.5MB
MD5: d4ddc2ed96f0398bae2126b8703568c8
SHA1: 2def643e4d9734eae071698a4180241aabdbe516
SHA256: 4091aaccb2e5d19d9525848359f14f6f7acd68732c074258722acc3d006a52ca
SHA512: 0affc1fb9c1bcba14d3af0cd862d7e6c8eaf29ca90f9ba0a45be2508c2e0b2305c206f77435ef3a2bb4a0d12d4f14deaedb96fd0e0ad0ba1a2b809f7022c5cbc

Filesize: 459KB
MD5: 2a6ff514d3e112f3af0148207ef245db
SHA1: 5adad09ec83d29a37205732a60d1eb1e41dd6f67
SHA256: 690338f69536122e4dc0fd2554903ed41075e20e9fc697efd1d85eab6f035b3f
SHA512: 09757e50cb4aa80cd9aefde07bae8a4016a5aa3a8259b3da6bd6e4e4f9883dbf2d39b69676a88212293be3f5e167fdf56c4840b7b329d4d5d8d1a52082669fba