3ecb6ac363c0f8fca9abe41f55cd910af636a199eedb8568324f13e5b6c4b925

Analysis

max time kernel
122s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc37628bb3ece722b1f88744ddeb6080N.exe
Size

623KB
MD5

dc37628bb3ece722b1f88744ddeb6080
SHA1

7d35f471cb1710dc9306e219f5d69df775e7ba7a
SHA256

3ecb6ac363c0f8fca9abe41f55cd910af636a199eedb8568324f13e5b6c4b925
SHA512

df3c5261c521a8fd295f0f0c97ee31ab1bba10d215fa158fda026cbccd25cf27dbd3043d08c2c2d0faf2309f18fd9708f0784ef4f1adba903d82329379b184aa
SSDEEP

12288:W3SwGEpzLJMUJMtqSnhgMUmkoZ6Tim60ZW4hBi4hUz812CSj1+0r:W5GElLzBJzo+im/1hgCUz84CSht

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2524	UranUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2992	dc37628bb3ece722b1f88744ddeb6080N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc37628bb3ece722b1f88744ddeb6080N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UranUpdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30
PID 2992 wrote to memory of 2524	2992	dc37628bb3ece722b1f88744ddeb6080N.exe	30

C:\Users\Admin\AppData\Local\Temp\dc37628bb3ece722b1f88744ddeb6080N.exe
"C:\Users\Admin\AppData\Local\Temp\dc37628bb3ece722b1f88744ddeb6080N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\GUM4E7E.tmp\UranUpdate.exe
  C:\Users\Admin\AppData\Local\Temp\GUM4E7E.tmp\UranUpdate.exe /installsource taggedmi /install "appguid={7FAE01F8-9AE1-4dfb-B0E4-6C6E2CB9FF48}&appname=Uran&ap=uran&needsadmin=False&client=1114210893.1468769041
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab518C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM4E7E.tmp\UranUpdate.exe

Filesize
142KB

MD5
8da6a25f041b1659b5d9e04bc11604b7

SHA1
535ea80728b12f80d12f9ad0d6f40e92928f234c

SHA256
41c0d65b52670361ab141edae906ca1420e48626c08d91c8bbc3bf8b905e9513

SHA512
5c7b70eef11a36e11c062221b145b7cbe2070646d5d433d6b5b1dd08af3fa9837b4c97d5adf3a7895290c661735ce5c4f38907196bff90e01651b23a660a804e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM4E7E.tmp\goopdate.dll

Filesize
788KB

MD5
7ec5395bda5e3ff4a086db269672f9b6

SHA1
3be1c11727bc04953632dc3122a5de0d43567ca2

SHA256
9994ac831a4b49aae8d7dc03c723908d6fd8b3979d32b2f31e94d5e893494e3e

SHA512
81bebc80fd689a56e6206a45168b07d34f337e089ca80749921a75e53b2d1452765cf50ef5b7c0ca7bfcdd7c3a4a31d094a35dac43f5a2d45e31a546d6e1c4d0

Download Submit