Analysis
  max time kernel: 149s
  max time network: 84s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 12-10-2024 09:40
  Static task: static1
  Behavioral task: behavioral1
  Sample: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
  Resource: win7-20241010-en
General
  Target: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
  Size: 333KB
  MD5: c58a33997c726970f95036ac10700ea0
  SHA1: 6f1de5eb343eac83e5655f700cbd26df8ce0b5e8
  SHA256: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868
  SHA512: 31b20d9386fa879ec1a8f325359a4da9dfd16d1cde3ed40eac08b622a0b281ecf2fea45050fe0fa588a89d815f199f939896e7f444c1098e3350dbd4c73b8449
  SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYn:vHW138/iXWlK885rKlGSekcj66cie
Malware Config
  Extracted: urelas
    218.54.31.226
    218.54.31.165
    218.54.31.166
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    2820  cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2436  mirut.exe
    3068  riabn.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2904  def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
    2436  mirut.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mirut.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  riabn.exe
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  Processes:
    pid   process
    3068  riabn.exe  (52 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 2904 wrote to memory of 2436   2904  def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe  mirut.exe  (4 entries)
    PID 2904 wrote to memory of 2820   2904  def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe  cmd.exe    (4 entries)
    PID 2436 wrote to memory of 3068   2436  mirut.exe                                                                riabn.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe"
  PID: 2904
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mirut.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\mirut.exe"
    PID: 2436
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\riabn.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\riabn.exe"
      PID: 3068
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2820
    - Deletes itself
    - System Location Discovery: System Language Discovery
Downloads