Analysis
- max time kernel: 149s
- max time network: 76s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2024 11:52

Static task: static1
Behavioral task: behavioral1
- Sample: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
- Resource: win7-20240729-en
General
- Target: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
- Size: 331KB
- MD5: 37fe6876c0864c4b1603f415713a8a30
- SHA1: 4daf69b800cf5d258c9fcf511d61e4478f0242f9
- SHA256: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
- SHA512: c0285bec719e1ae821fa88d50eb4447d315a36adf13dc48e288381a6f26c0603fb23005c15c7bad0a30c62ae7ced9f82ef0040ccb1f931a4e86347e33f543d4b
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2792)
- Executes dropped EXE (2 IoCs)
  Processes: loaxu.exe (PID 1748), awujx.exe (PID 2868)
- Loads dropped DLL (2 IoCs)
  Processes: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe (PID 2296), loaxu.exe (PID 1748)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: each of 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe, loaxu.exe, cmd.exe and awujx.exe opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes: awujx.exe (PID 2868), 54 occurrences
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID/process -> target PID/process, 4 occurrences each):
    2296 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe -> 1748 loaxu.exe
    2296 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe -> 2792 cmd.exe
    1748 loaxu.exe -> 2868 awujx.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe (PID 2296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\loaxu.exe (PID 1748), child of PID 2296
    Command line: "C:\Users\Admin\AppData\Local\Temp\loaxu.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\awujx.exe (PID 2868), child of PID 1748
      Command line: "C:\Users\Admin\AppData\Local\Temp\awujx.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2792), child of PID 2296
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15