Analysis
- max time kernel: 119s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2024 09:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
- Resource: win7-20240903-en
General
- Target: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
- Size: 333KB
- MD5: c58a33997c726970f95036ac10700ea0
- SHA1: 6f1de5eb343eac83e5655f700cbd26df8ce0b5e8
- SHA256: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868
- SHA512: 31b20d9386fa879ec1a8f325359a4da9dfd16d1cde3ed40eac08b622a0b281ecf2fea45050fe0fa588a89d815f199f939896e7f444c1098e3350dbd4c73b8449
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYn:vHW138/iXWlK885rKlGSekcj66cie
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 572)
- Executes dropped EXE (2 IoCs)
  Processes: tujoo.exe (PID 2356), ojhig.exe (PID 2300)
- Loads dropped DLL (2 IoCs)
  Processes: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe (PID 2848), tujoo.exe (PID 2356)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe, tujoo.exe, cmd.exe, ojhig.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: ojhig.exe (PID 2300), 24 occurrences
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2848 (def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe) wrote to memory of PID 2356 (tujoo.exe), 4 times
  PID 2848 (def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe) wrote to memory of PID 572 (cmd.exe), 4 times
  PID 2356 (tujoo.exe) wrote to memory of PID 2300 (ojhig.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe (PID 2848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tujoo.exe (PID 2356)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tujoo.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ojhig.exe (PID 2300)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ojhig.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 572)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads