Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 23:13
Static task: static1
Behavioral task: behavioral1
Sample: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
Resource: win7-20240903-en
General
Target: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
Size: 333KB
MD5: 4db07e5916f1df61e29be73c51e152dd
SHA1: f4d13b63c57e15491cedab6425982c21950605de
SHA256: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b
SHA512: dc238854a7cdc6161084b09c0e6415a8aaf7426c138f1e99c5d5174ea47488c0f28fa378c238d0bfb8cc91b1f5ba30b5664e399b12f1bd1a995941a190bb2a57
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYg:vHW138/iXWlK885rKlGSekcj66ciB
Malware Config
Extracted family: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Deletes itself (1 IoC)
Processes: PID 2604 cmd.exe
Executes dropped EXE (2 IoCs)
Processes: PID 2588 hohab.exe; PID 1920 fuqic.exe
Loads dropped DLL (2 IoCs)
Processes: PID 2656 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe; PID 2588 hohab.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, fuqic.exe, 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe and hohab.exe each opened the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes: PID 1920 fuqic.exe (all 54 events)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
PID 2656 (71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe) wrote to memory of PID 2588 (hohab.exe), 4 events
PID 2656 (71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe) wrote to memory of PID 2604 (cmd.exe), 4 events
PID 2588 (hohab.exe) wrote to memory of PID 1920 (fuqic.exe), 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe (depth 1, PID 2656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\hohab.exe (depth 2, PID 2588, parent PID 2656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hohab.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\fuqic.exe (depth 3, PID 1920, parent PID 2588)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fuqic.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2604, parent PID 2656)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
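The Signatures and Processes sections above are the raw evidence: which PID wrote into which, and what each process was started with. As an added example, not code from this report or from any sandbox vendor, the Python below rebuilds the parent/child tree from those WriteProcessMemory events and flags the two behaviours the signatures name: a chain of dropped executables launched out of %TEMP% (the sample, hohab.exe, fuqic.exe), and self-deletion through cmd.exe running a batch file from the same directory (_uinsey.bat under PID 2604). The PIDs, image paths and command lines are transcribed from this report; the regexes and function names are this example's own.

```python
"""Rebuild the sandbox process tree from WriteProcessMemory events and flag
dropped-EXE chains out of %TEMP% and cmd.exe-driven self-deletion.

Added example, not code from the report or from any sandbox vendor. PIDs, image
paths and command lines are transcribed from this report; the regexes and
function names are this example's own choices.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"

# pid -> (image path, command line), from the report's Processes section
PROCESSES = {
    2656: (TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    2588: (TEMP + r"\hohab.exe", '"' + TEMP + r'\hohab.exe"'),
    1920: (TEMP + r"\fuqic.exe", '"' + TEMP + r'\fuqic.exe"'),
    2604: (r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + TEMP + r'\_uinsey.bat" "'),
}

# (writer pid, target pid) from "Suspicious use of WriteProcessMemory". The report
# lists several writes per child, so the duplicates are kept exactly as on the page.
WRITE_EVENTS = [
    (2656, 2588), (2656, 2588), (2656, 2588), (2656, 2588),
    (2656, 2604), (2656, 2604), (2656, 2604), (2656, 2604),
    (2588, 1920), (2588, 1920), (2588, 1920), (2588, 1920),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c "<path>.bat" with any number of leading quotes, as in the report's command line
BAT_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)


def build_tree(events):
    """Collapse the write events into parent -> children and child -> parent maps.
    The first process that writes into a target is taken as its parent."""
    parent_of = {}
    children = defaultdict(list)
    for writer, target in events:
        if target not in parent_of:
            parent_of[target] = writer
            children[writer].append(target)
    return dict(children), parent_of


def ancestry(pid, parent_of):
    """Root-first list of PIDs ending in pid."""
    chain = [pid]
    while chain[0] in parent_of:
        chain.insert(0, parent_of[chain[0]])
    return chain


def dropped_exe_chains(processes, parent_of):
    """Processes whose image and whose parent's image both live under %TEMP%:
    a dropper running from Temp that launches what it dropped."""
    hits = []
    for pid, (image, _) in processes.items():
        parent = parent_of.get(pid)
        if parent is None or parent not in processes:
            continue
        if TEMP_RE.search(image) and TEMP_RE.search(processes[parent][0]):
            hits.append(ancestry(pid, parent_of))
    return hits


def self_delete_candidates(processes, parent_of):
    """A %TEMP% executable spawning cmd.exe on a batch file that also lives in %TEMP%,
    the usual vehicle for removing the dropper after it has run (the report's
    "Deletes itself" signature on PID 2604). Returns (parent pid, cmd pid, bat path)."""
    hits = []
    for pid, (image, cmdline) in processes.items():
        if not image.lower().endswith("\\cmd.exe"):
            continue
        match = BAT_RE.search(cmdline)
        parent = parent_of.get(pid)
        if match is None or parent is None or parent not in processes:
            continue
        bat = match.group(1)
        if TEMP_RE.search(processes[parent][0]) and TEMP_RE.search(bat):
            hits.append((parent, pid, bat))
    return hits


def triage(processes=PROCESSES, events=WRITE_EVENTS):
    """Summarise both findings for a process table and its write events."""
    children, parent_of = build_tree(events)
    return {
        "tree": children,
        "dropped_exe_chains": dropped_exe_chains(processes, parent_of),
        "self_delete": self_delete_candidates(processes, parent_of),
    }


if __name__ == "__main__":
    result = triage()
    for chain in result["dropped_exe_chains"]:
        print("dropped EXE chain:", " -> ".join(str(p) for p in chain))
    for parent, pid, bat in result["self_delete"]:
        print(f"self-delete: PID {parent} -> cmd.exe PID {pid} running {bat}")
```

Run stand-alone it reports the chain 2656 -> 2588 -> 1920 and the self-delete pair 2656 -> 2604. Taking the first writer as the parent is an assumption that holds for this report, where every write precedes process start; on a fuller event log you would key on the CreateProcess record instead and treat later cross-process writes as injection candidates.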
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: 061e1a7b6dd73689632ea9992e4df62f
SHA1: e30e7d684cb4a1d70e86c807f21d2a75c2bd4650
SHA256: 7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c
SHA512: 62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5
Filesize: 512B
MD5: 711c59f36f3a5ded3a8a23b87ad57524
SHA1: 48308d26c085a048c8a387524f0f854233ca1ae8
SHA256: 7f8387f94d7102d587de3e0f07c59ac43ea1bf2a398fc6fa914e8108db9dc236
SHA512: a4929ed98abf4b6624fcf7245ef183cce2ef89e4c63a47a4dca060f77c10c22d24d924c541edaf3cb7303e27cd54f7940db1df9ec80a99fc267165a9e43b99c7
Filesize: 172KB
MD5: d2821f8b9da182be09677bafb56e92ba
SHA1: 37ebca909fc2fe945f803618e61eb1fe10932068
SHA256: 2df885d307cf14d137b9f5a24783ef1877ec42d06b502ab85a9344a37a6463a7
SHA512: 389b607b2937499409b8f7f87f6cfe94ebdc795ea733f228e9a7c9a9409d7e61de7b64d3aa2577de1829a6191da3fc26fdb844eb3c712b0f54c417bd128df9d5
Filesize: 333KB
MD5: 9941d977f3f363bdcf6b0e61cb6da44d
SHA1: 1946600e6bf1b10c469e47066bd50f8ae6cb3bff
SHA256: 944dc36c1191e53f4a2d237d8029f84ef08c59dcbe748a651f348443095dc90c
SHA512: a3b3be23db0331b8a5696673d40834a3c4c598d02d0b5f9ea0ed607d255b0599dc913d33a5dfa287ec093155613616416ee2c445a7d3a5cb0e8b2357532c5ecf