Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe
Resource: win7-20240903-en
General
Target: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe
Size: 333KB
MD5: ea82ce3469ef3de8551168d21890befa
SHA1: 70ebc82509ed3ce57dc9a9b12c0928e077c941c7
SHA256: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc
SHA512: dd3b31ea1506a50f684cd2d178811bb0b3c86f8e53911828c21f61785e3a772b14d7b9c975ba852c7c44d86f8420fe86b5abaa0206184db80d35b69bbeaa77b6
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66cil
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Deletes itself (1 IoC)
Processes: cmd.exe (PID 3024)
Executes dropped EXE (2 IoCs)
Processes: yvpyg.exe (PID 1504), pozov.exe (PID 2380)
Loads dropped DLL (2 IoCs)
Processes: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe (PID 2956), yvpyg.exe (PID 1504)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (each opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe
yvpyg.exe
cmd.exe
pozov.exe
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes: pozov.exe (PID 2380), 54 occurrences
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source process wrote to memory of target process; each pair recorded 4 times):
PID 2956 (74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe) wrote to memory of PID 1504 (yvpyg.exe)
PID 2956 (74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe) wrote to memory of PID 3024 (cmd.exe)
PID 1504 (yvpyg.exe) wrote to memory of PID 2380 (pozov.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe (PID 2956, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\yvpyg.exe (PID 1504, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\yvpyg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\pozov.exe (PID 2380, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pozov.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 3024, level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: 8390ca40cfaeae8d2a95426f9259689d
SHA1: cf91725781c4ae7dbcc0a445e7031f2a15d8ee74
SHA256: 3a70f7f2a0cd7aecd1b3a0848c781619189eb152bd014e0146777b28f4692478
SHA512: 041bf25674b43df57e8c66410020622b2b8ff5cfe15005e43f0df66fb9e77a1ad0e39d8a59a38b8178cd3251fc471b2bcc0146742fab3d838ee951f299b07a22

Filesize: 512B
MD5: a4b61269fe0f68933420396bde8e2eef
SHA1: d3a9b18a4987c37049fa1511dd1b806e12882c97
SHA256: dbc6abc5a6a41b787f39ad0bb4132954b196409a326d16adcd36e77bbf575dae
SHA512: 143c98458af9b84cca6a66a99e11957320fa7e958c32eaee50a130e429b4eb1ef7ebf3c99d1211ffa1983b702491c9ec649054adc9540baeea190cda527235e2

Filesize: 172KB
MD5: aed7548129f76700a2bfc71c2ebc2108
SHA1: 4d03b40acfb0eaf7acdc7de9117323637b4c9ae5
SHA256: 6d3622386e3f86770d84bda22f8dc57babeeb5facc3317d3133ff0ed150a1b85
SHA512: 404ff2d59127e7069726a2641caf3605d5419b6f9d569c2f25dd7a302bdd0ed3a51b962852b85fd4be6f5b73b9fb650ed2e58fb0596acb6f7a3d8176c4d2fa77

Filesize: 333KB
MD5: db43095f93736141b095a63c5af7a7f4
SHA1: 9fb977b02aceeb61ac5afb382c1cb11688267e13
SHA256: de11427be139d68e34d378197b365723fea7929a3118eab8d9a873c6d394180b
SHA512: e3e411e769dc31f4d9cf34f13fe933b222dc0549bdd6555c80f0b28bc8a8bb83d5e51ca6edbcfebf80267b0b61c6fa102ae59c20193430720f3efa9978f6014b