Analysis

max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 11:43

Static task: static1
Behavioral task: behavioral1
Sample: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
Resource: win7-20240903-en
General

Target: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
Size: 331KB
MD5: 37fe6876c0864c4b1603f415713a8a30
SHA1: 4daf69b800cf5d258c9fcf511d61e4478f0242f9
SHA256: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
SHA512: c0285bec719e1ae821fa88d50eb4447d315a36adf13dc48e288381a6f26c0603fb23005c15c7bad0a30c62ae7ced9f82ef0040ccb1f931a4e86347e33f543d4b
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV7:vHW138/iXWlK885rKlGSekcj66ciE7
Malware Config

Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe, miqii.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | miqii.exe

Executes dropped EXE (2 IoCs)
Processes: miqii.exe, ewibb.exe
pid | process
1560 | miqii.exe
676 | ewibb.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe, miqii.exe, cmd.exe, ewibb.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | miqii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ewibb.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: ewibb.exe
pid | process
676 | ewibb.exe (same entry repeated for all 48 IoCs)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe, miqii.exe
description | pid | process | target process
PID 3840 wrote to memory of 1560 | 3840 | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | miqii.exe
PID 3840 wrote to memory of 1560 | 3840 | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | miqii.exe
PID 3840 wrote to memory of 1560 | 3840 | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | miqii.exe
PID 3840 wrote to memory of 1964 | 3840 | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | cmd.exe
PID 3840 wrote to memory of 1964 | 3840 | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | cmd.exe
PID 3840 wrote to memory of 1964 | 3840 | 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe | cmd.exe
PID 1560 wrote to memory of 676 | 1560 | miqii.exe | ewibb.exe
PID 1560 wrote to memory of 676 | 1560 | miqii.exe | ewibb.exe
PID 1560 wrote to memory of 676 | 1560 | miqii.exe | ewibb.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"
    PID: 3840
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\miqii.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\miqii.exe"
        PID: 1560
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\ewibb.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ewibb.exe"
            PID: 676
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 1964
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: 4f237e2fc86c1f1f2b92b627c68ffafb
SHA1: c0d7607700d7804b07de537051e7fe2ca95d3a3c
SHA256: e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2
SHA512: 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7

Filesize: 172KB
MD5: 0ce30a64deaada51a8bcb3194c452f4b
SHA1: b722d4a4456af763432d00aab93e58f84b2a7ded
SHA256: 8d79a8e1a8b41ff881b1fda67117f5a413b6c8ab788a24382fd80d21d5371396
SHA512: a0d61f34359e98ea180bef7b3e023753797d587ba57b8bd4d44158f4a205729c52578a7792ab7f38c92d9ddf92b26c1294cff46d181f83fa94913b6eee123b8a

Filesize: 512B
MD5: cac73a1cd89444e0f194e80e585c2ca6
SHA1: b2c3d8e1c6e59e26894cecb7617cbede0b2dc33e
SHA256: a7e643841aad90cec99196ab073d3a9647ef19f76ec8f374c23154ee44be9955
SHA512: d763a4ff2e0b51e415e842b363dd0ef7f0faa2b7dbd0584d1fdb25151615bd750015d0b0abfa7588600f6f3126ed8bdf36ec4f8de7dc0e1c73f6de12a46454ae

Filesize: 331KB
MD5: 148f955838033c67950c35572b9ebd7c
SHA1: e2456e9e12202615e09f2f0cddc44b742c5b7b8d
SHA256: 9cf9548a9e05b5e5c0f8cad676c0a8a2a4110d59bd1259713dd777d9178a5dd0
SHA512: 510b0593b2c5ca1286597b92eb2b0a26b7ddd80e5e2d1f31a11103bffa715c2ac3f89fd94bf2fd542ed0ecf223cc3b4be87f8a5e869ab31bfcc298ab093da27c