Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 10:34
Behavioral task: behavioral1
Sample: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Resource: win7-20240903-en
General
Target: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Size: 331KB
MD5: bf8ae2db32725e0025a55c1eddd84c70
SHA1: 1f7fa30f1207dfba715c0c1ddbb5a557e1753087
SHA256: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc
SHA512: 9959eb75a59623d7bd9a9f9aa6b442244c94bd752a28cd6b3fa8dcddf9bbf7a4ff1296550f2e3df1b9d6ad8c2ff63d9b2c437d948b08064e3bc502df7c66393a
SSDEEP: 3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisO:Nd7rpL43btmQ58Z27zw39gY2FeZhmzZ
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
Processes:
- resource: C:\Users\Admin\AppData\Local\Temp\mogoe.exe
  yara_rule: aspack_v212_v242
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- todute.exe: key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
- b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe: key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
- qutef.exe: key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (3 IoCs)
Processes:
- qutef.exe (PID 2192)
- todute.exe (PID 1084)
- mogoe.exe (PID 4484)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- mogoe.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- qutef.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- todute.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
- mogoe.exe (PID 4484), 62 occurrences
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (each parent/target pair is logged three times):
- PID 2876 (b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe) wrote to memory of PID 2192 (qutef.exe)
- PID 2876 (b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe) wrote to memory of PID 3340 (cmd.exe)
- PID 2192 (qutef.exe) wrote to memory of PID 1084 (todute.exe)
- PID 1084 (todute.exe) wrote to memory of PID 4484 (mogoe.exe)
- PID 1084 (todute.exe) wrote to memory of PID 232 (cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qutef.exe (PID 2192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qutef.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\todute.exe (PID 1084)
      Command line: "C:\Users\Admin\AppData\Local\Temp\todute.exe" OK
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\mogoe.exe (PID 4484)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mogoe.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 232)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3340)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Signatures: System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads