Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 23:13
Static task: static1
Behavioral task: behavioral1
  Sample: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
  Resource: win7-20240903-en
General
Target: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
Size: 333KB
MD5: 4db07e5916f1df61e29be73c51e152dd
SHA1: f4d13b63c57e15491cedab6425982c21950605de
SHA256: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b
SHA512: dc238854a7cdc6161084b09c0e6415a8aaf7426c138f1e99c5d5174ea47488c0f28fa378c238d0bfb8cc91b1f5ba30b5664e399b12f1bd1a995941a190bb2a57
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYg:vHW138/iXWlK885rKlGSekcj66ciB
Malware Config
Extracted family: urelas
Extracted addresses:
  218.54.31.226
  218.54.31.165
  218.54.31.166
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe, hitoc.exe
  description       | ioc                                                                                                   | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | hitoc.exe
- Executes dropped EXE (2 IoCs)
  Processes: hitoc.exe, weybw.exe
  pid  | process
  1520 | hitoc.exe
  5052 | weybw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: hitoc.exe, cmd.exe, weybw.exe, 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
  description | ioc                                                         | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hitoc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | weybw.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: weybw.exe
  pid  | process
  5052 | weybw.exe   (this same entry is listed 64 times in the original table)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe, hitoc.exe
  description                    | pid  | process                                                              | target process
  PID 2204 wrote to memory of 1520 | 2204 | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | hitoc.exe
  PID 2204 wrote to memory of 1520 | 2204 | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | hitoc.exe
  PID 2204 wrote to memory of 1520 | 2204 | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | hitoc.exe
  PID 2204 wrote to memory of 4304 | 2204 | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | cmd.exe
  PID 2204 wrote to memory of 4304 | 2204 | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | cmd.exe
  PID 2204 wrote to memory of 4304 | 2204 | 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe | cmd.exe
  PID 1520 wrote to memory of 5052 | 1520 | hitoc.exe                                                            | weybw.exe
  PID 1520 wrote to memory of 5052 | 1520 | hitoc.exe                                                            | weybw.exe
  PID 1520 wrote to memory of 5052 | 1520 | hitoc.exe                                                            | weybw.exe
Processes
C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"
  PID: 2204
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\hitoc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hitoc.exe"
    PID: 1520
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\weybw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\weybw.exe"
      PID: 5052
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 4304
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads