Analysis
max time kernel: 149s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 09:40
Static task: static1
Behavioral task: behavioral1
Sample: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Resource: win7-20241010-en
General
Target: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Size: 333KB
MD5: c58a33997c726970f95036ac10700ea0
SHA1: 6f1de5eb343eac83e5655f700cbd26df8ce0b5e8
SHA256: def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868
SHA512: 31b20d9386fa879ec1a8f325359a4da9dfd16d1cde3ed40eac08b622a0b281ecf2fea45050fe0fa588a89d815f199f939896e7f444c1098e3350dbd4c73b8449
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYn:vHW138/iXWlK885rKlGSekcj66cie
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | holiw.exe
Executes dropped EXE (2 IoCs)
Processes (pid | process):
4364 | holiw.exe
3788 | iqrun.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | holiw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iqrun.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
3788 | iqrun.exe (all 64 IoCs are this same process)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (pid | process | target pid | target process):
4624 | def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe | 4364 | holiw.exe (PID 4624 wrote to memory of 4364; 3 identical entries)
4624 | def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe | 1276 | cmd.exe (PID 4624 wrote to memory of 1276; 3 identical entries)
4364 | holiw.exe | 3788 | iqrun.exe (PID 4364 wrote to memory of 3788; 3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\def25c03fa68d007f62b5b8ca42175194dafa4ad54b73248b382578679ce1868N.exe"
  PID: 4624
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\holiw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\holiw.exe"
    PID: 4364
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\iqrun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\iqrun.exe"
      PID: 3788
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 1276
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: af07bbbf99824bb85d4b9b850a1aa6a4
SHA1: b8ec12968efb0a2df10777d10ed34e1d28789bbe
SHA256: e56caf3c576e3fa94afb3be10f6fc9ee44bc135e1ca1889bb1605da68e5aaf56
SHA512: 0d593fc865d89460b465d24d02ecf54772bb1503bc27b53f76cc40d805c10c44f61ff8e7d0000ec4ffdd52be3fd8f3c52d4177bb08f10792751269d6601153b9

Filesize: 512B
MD5: aaa3f15a02d22da7daf8bfeea2c5949e
SHA1: df63dfe669f34a7c5f6210e636feb7d393def7db
SHA256: 2df1b2e35509f7571d5e3cb628dfeb86afc5b6d70b1c57cb29f275adf77d366a
SHA512: f9df2d02fe28610629f936dbf4456488a49482030ddad799f5868ce1c041cb02aceddb4f6532d15564c720133817d071d4dbff198af6e01f489db1d8bfbfab96

Filesize: 333KB
MD5: 10e397c9dbf60a0a3faa18599df606fa
SHA1: 8644c3bc0e382cc0e6755b1cf69049b03289d81b
SHA256: a3af35cdadbcde95785ce8412ee2ea44dbc26aa403d66aedffdca89562e26aab
SHA512: 4109ae460dcba51835fda55bb2c15151733d9ae4a6f8dd7aea0f29ccb83d6a5bf26d524025109b7551410df4e981091bc96c462b3af475c5173459a2edc5c6fe

Filesize: 172KB
MD5: 03d60a80f4ecf957a9bc2df8f2f5cb27
SHA1: 6ba25335f442c9a0d2f451849252f67207b847f4
SHA256: c0ab7fb49c95cc18a4db23b54df28d2c338a33aef194366f9e273d8b6408054a
SHA512: b2547a89f9c9fa17ddf10dbeea6eae385310dfd9811d2e2e38dd1c9c894ccf2160915325f625c44ba6f34195d7569f3433bae2f78cdedac8dbb2640e8c4b9d78