Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2024 11:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
- Resource: win7-20240729-en
General
- Target: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
- Size: 331KB
- MD5: 37fe6876c0864c4b1603f415713a8a30
- SHA1: 4daf69b800cf5d258c9fcf511d61e4478f0242f9
- SHA256: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
- SHA512: c0285bec719e1ae821fa88d50eb4447d315a36adf13dc48e288381a6f26c0603fb23005c15c7bad0a30c62ae7ced9f82ef0040ccb1f931a4e86347e33f543d4b
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7
Malware Config
Extracted
- urelas
  - 218.54.31.226
  - 218.54.31.165
  - 218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (ujqoa.exe)
Executes dropped EXE (2 IoCs)
Processes:
- PID 628: ujqoa.exe
- PID 5080: nuzuy.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nuzuy.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ujqoa.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 5080: nuzuy.exe (64 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 404 (8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe) wrote to memory of PID 628 (ujqoa.exe), 3 entries
- PID 404 (8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe) wrote to memory of PID 4512 (cmd.exe), 3 entries
- PID 628 (ujqoa.exe) wrote to memory of PID 5080 (nuzuy.exe), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe (PID 404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
  Signatures:
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process: C:\Users\Admin\AppData\Local\Temp\ujqoa.exe (PID 628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ujqoa.exe"
    Signatures:
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child process: C:\Users\Admin\AppData\Local\Temp\nuzuy.exe (PID 5080)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nuzuy.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  Child process: C:\Windows\SysWOW64\cmd.exe (PID 4512)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    Signatures:
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: 4f237e2fc86c1f1f2b92b627c68ffafb
  SHA1: c0d7607700d7804b07de537051e7fe2ca95d3a3c
  SHA256: e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2
  SHA512: 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7
- Filesize: 512B
  MD5: b66922e07df073c93a644e5ca075827f
  SHA1: cac1cc430e92dd90eb355b97cbfd880b6d8b8171
  SHA256: 5adfcb39a77b2361dbe9ef25811cc51f9ccd9f906fe6c7f162af09891336c78e
  SHA512: 95ea7279f524e9d9550683b125b8d41c5cca8dcf03f7f7a0e7385c87981235a11b3161e9e995d07b6b4e59db963995b6f4e553816e663d6dc6bd4f2fd5eb45a0
- Filesize: 172KB
  MD5: ca9b8f1aeb4ecb5a604f5a3bbf38fb59
  SHA1: 34395139279f52805df07434aca840821a29fb8b
  SHA256: 9314175d4bf7f3f56ff2b0380752942ce58a480e16915ffea70a6f03cc7fd37e
  SHA512: 2b5b63074a651213a98223621f1986301834441a82ff0b2d4993d6294a29fc251db6e1594e8b465ce5400537ffd88b5b36504c3f924ed302c776908898a15220
- Filesize: 331KB
  MD5: e6d9541b402f61ca688a3a4cbbdc1ed1
  SHA1: 97e5971a7827a89e0b1a6a611c1ca13c9735b9cd
  SHA256: 5c43d27da8d5361c7eb38180d428f94ce323ed0321231cc54ede12dba54015f4
  SHA512: 9d88390bdc1d6f3c6e405a5581dd713649cfaecdcb47e258359ace15a5d94290ddf0a571dec73d240483e8b566a2b6c323a1b01654bede4b3f3fe91ac88508b0