Analysis

max time kernel: 120s
max time network: 77s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 11:43

Static task: static1
Behavioral task: behavioral1
Sample: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
Resource: win7-20240903-en
General

Target: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
Size: 331KB
MD5: 37fe6876c0864c4b1603f415713a8a30
SHA1: 4daf69b800cf5d258c9fcf511d61e4478f0242f9
SHA256: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
SHA512: c0285bec719e1ae821fa88d50eb4447d315a36adf13dc48e288381a6f26c0603fb23005c15c7bad0a30c62ae7ced9f82ef0040ccb1f931a4e86347e33f543d4b
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7
Malware Config

Extracted family: urelas
Extracted addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  2928  cmd.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1936  gexyf.exe
  2560  kyyrw.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  1672  8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
  1936  gexyf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kyyrw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  gexyf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes:
  pid   process    occurrences
  2560  kyyrw.exe  25

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each pair is reported four times):
  description        pid   process                                                                 target pid  target process
  wrote to memory of 1672  8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe  1936        gexyf.exe
  wrote to memory of 1672  8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe  2928        cmd.exe
  wrote to memory of 1936  gexyf.exe                                                               2560        kyyrw.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
  PID: 1672
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\gexyf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\gexyf.exe"
    PID: 1936
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\kyyrw.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\kyyrw.exe"
      PID: 2560
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2928
    - Deletes itself
    - System Location Discovery: System Language Discovery
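The process tree above is the whole chain the signatures describe: the sample starts a dropped gexyf.exe in %TEMP%, which starts kyyrw.exe, while a cmd.exe child of the sample runs a batch file from %TEMP% (the "Deletes itself" signature), and all four processes open the NLS\Language key. The Python below is an added example, not part of the sandbox report and not code from the sample: it rebuilds that tree from constructed process-creation and registry events that mirror the report's entries and flags the three patterns so the same logic can be run over real endpoint telemetry. The event tuples, the TEMP path, the key path constant and the function names are assumptions chosen for the example; the batch file's contents are not shown on this page and are not modelled, only its launch is matched.

```python
"""Rebuild a sandbox process tree and flag the behaviours this report lists:
dropped %TEMP% executables launching each other, cmd /c on a %TEMP% batch file
(self-deletion launcher), and opening the NLS\\Language key (language discovery).
Added example; the events below are constructed from the report, not captured logs."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"  # assumed sandbox profile path
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


def tmp(name: str) -> str:
    return TEMP + "\\" + name


# Process-creation events (pid, parent pid, image path, command line),
# constructed from the Processes section of the report.
PROC_EVENTS = [
    (1672, None, tmp(SAMPLE), '"' + tmp(SAMPLE) + '"'),
    (1936, 1672, tmp("gexyf.exe"), '"' + tmp("gexyf.exe") + '"'),
    (2560, 1936, tmp("kyyrw.exe"), '"' + tmp("kyyrw.exe") + '"'),
    (2928, 1672, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + tmp("_uinsey.bat") + '" "'),
]

# Registry-open events (pid, key), constructed from the System Language
# Discovery signature: every process in the tree opened the same key.
REG_EVENTS = [(pid, LANG_KEY) for pid in (2560, 1672, 1936, 2928)]


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def build_tree(events) -> dict:
    """Index processes by pid and link each one to its parent."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.parent in procs:
            procs[p.parent].children.append(p.pid)
    return procs


def in_temp(path: str) -> bool:
    return path.lower().startswith(TEMP.lower() + "\\")


def ancestry(procs, pid) -> list:
    """Root-to-leaf pid chain, e.g. sample -> gexyf.exe -> kyyrw.exe."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].parent
    return chain[::-1]


def dropped_exe_launches(procs) -> list:
    """(parent, child) pairs where one %TEMP% executable starts another one;
    this is the 'Executes dropped EXE' chain in the report."""
    return [(p.parent, p.pid) for p in procs.values()
            if p.parent in procs and in_temp(p.image) and in_temp(procs[p.parent].image)]


# cmd /c "<path>.bat" with any number of surrounding quotes, as in the report's
# cmd /c ""C:\...\_uinsey.bat" " command line.
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[^"]+\.bat)"', re.IGNORECASE)


def batch_self_delete(procs) -> list:
    """(cmd pid, parent pid, batch path) where a %TEMP% binary runs cmd /c on a
    %TEMP% .bat: the launch behind the 'Deletes itself' signature. The batch
    contents are not on the page, so only the launch is matched."""
    hits = []
    for p in procs.values():
        m = BAT_RE.search(p.cmdline)
        if (m and p.parent in procs and in_temp(m.group("bat"))
                and in_temp(procs[p.parent].image)):
            hits.append((p.pid, p.parent, m.group("bat")))
    return hits


def language_discovery(procs, reg_events) -> list:
    """Sorted image names of processes that opened HKLM\\...\\NLS\\Language."""
    return sorted({procs[pid].image.rsplit("\\", 1)[-1]
                   for pid, key in reg_events
                   if pid in procs and key.lower().endswith(r"\control\nls\language")})


if __name__ == "__main__":
    tree = build_tree(PROC_EVENTS)
    print("chain:", " -> ".join(str(x) for x in ancestry(tree, 2560)))
    print("dropped EXE launches:", dropped_exe_launches(tree))
    print("batch self-delete:", batch_self_delete(tree))
    print("language discovery:", language_discovery(tree, REG_EVENTS))
```

On real telemetry (Sysmon event 1 for process creation, event 12/13 for registry access) the same functions apply once the events are mapped onto the (pid, parent, image, cmdline) and (pid, key) tuples; the parent check in batch_self_delete is what keeps an ordinary user running a batch file from %TEMP% out of the results, since the parent there is explorer.exe rather than a %TEMP% executable.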
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 342B
  MD5: 4f237e2fc86c1f1f2b92b627c68ffafb
  SHA1: c0d7607700d7804b07de537051e7fe2ca95d3a3c
  SHA256: e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2
  SHA512: 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7

File 2
  Filesize: 512B
  MD5: 8ced0a00d161490632ae8cf130fae02a
  SHA1: 3c101c6569a1453d31b46101e13e16220022f090
  SHA256: 16e8cec5e64f147b329089fb28e4902c979b2f24bf2d853205be8c2265503afb
  SHA512: d16ddde4b700b9399161b26acbb5a8f254905ed2308700124832db651fc2a2cfdefc7667b0ab4f66a527135ed3fc05d9480cabe9e08215bdd4a91179586a94f6

File 3
  Filesize: 331KB
  MD5: 79f89251ec745bab62418bc86edeaab1
  SHA1: 9d3fd1a7081a94549a4489a89bfcee66dbffb1c6
  SHA256: 4e242188113a137c65182a557f15921d794d390f62247dc60630f541c5294642
  SHA512: cc0a13f56d814db47881ac3fd3133fd85a7ef50f43f92608b8882619c207a3190a6cae946c10e7082fbacbca526a046b922579ea94bfd9a04061facdecae185d

File 4
  Filesize: 172KB
  MD5: b6f99e80c0e2f1086d8852e39027f70b
  SHA1: d8226562a2a065e8a847cf36bf4469aab894fe44
  SHA256: b5231256720f22bf065497679030016d527d1a6a7376455c6f23c037366c6d92
  SHA512: 7551780e7583bfe55d93f6f32ae89357980c94664d2b55c56f0aac9057d17574ef98c5553e503af9286becb2517b51b383f08c25c882e3ed65b28ca03ba20a83