Analysis
max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe
Resource: win7-20240903-en
General
Target: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe
Size: 333KB
MD5: ea82ce3469ef3de8551168d21890befa
SHA1: 70ebc82509ed3ce57dc9a9b12c0928e077c941c7
SHA256: 74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc
SHA512: dd3b31ea1506a50f684cd2d178811bb0b3c86f8e53911828c21f61785e3a772b14d7b9c975ba852c7c44d86f8420fe86b5abaa0206184db80d35b69bbeaa77b6
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66cil
Malware Config
Extracted
Family: urelas
C2: 218.54.31.226
C2: 218.54.31.165
C2: 218.54.31.166
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe: Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
tepij.exe: Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
Processes:
tepij.exe (PID 2648)
apkig.exe (PID 3140)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
tepij.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
apkig.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
apkig.exe (PID 3140): 64 events
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
PID 5020 (74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe) wrote to memory of PID 2648 (tepij.exe): 3 events
PID 5020 (74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe) wrote to memory of PID 384 (cmd.exe): 3 events
PID 2648 (tepij.exe) wrote to memory of PID 3140 (apkig.exe): 3 events
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe"
  PID: 5020
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\tepij.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tepij.exe"
    PID: 2648
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\apkig.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\apkig.exe"
      PID: 3140
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 384
    - System Location Discovery: System Language Discovery
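Added example, not part of this sandbox report and not the sandbox's own tooling: a small triage helper that takes the report's flattened IoC lines (the "PID A wrote to memory of B" events and the "Key value queried/opened" registry events above), rebuilds the process tree from the cross-process writes, tags each process with the geofence and language-discovery registry reads the Signatures section flags, and checks network flows against the three urelas C2 addresses from the Malware Config block. The event lines are copied from this report; the two network flows are constructed for the demonstration (the Network section is empty on this page), and the regexes and function names are the author's, not anything the sandbox exposes.

```python
"""Triage helper for flattened sandbox IoC lines (added example, not report output).

Rebuilds the process tree from 'PID A wrote to memory of B' events, tags each
process with the registry reads the report classifies as geofence / language
discovery, and checks network flows against the extracted urelas C2 list.
"""
import re
from collections import defaultdict

# Registry key suffixes the report ties to location checks (Signatures section).
GEO_KEY = r"\Control Panel\International\Geo\Nation"
LANG_KEY = r"\Control\NLS\Language"
# C2 addresses from the report's Malware Config block.
URELAS_C2 = {"218.54.31.226", "218.54.31.165", "218.54.31.166"}

# Report layout: 'PID <src> wrote to memory of <dst> <src> <src image> <dst image>'
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
# Report layout: 'Key value queried|opened <key path, may contain spaces> <image>'
REG_RE = re.compile(r"^Key (?:value queried|opened) (\S.*?) (\S+)$")
# Constructed flow layout (hypothetical): 'TCP <src ip:port> -> <dst ip>:<port>'
FLOW_RE = re.compile(r"^(?:TCP|UDP) \S+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

SAMPLE_EXE = "74371a348805697131a071ba0993ae57fbbb2e397a35d817ef9f904d61e666dc.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000"
MACHINE_CS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001"

# Event lines copied from the report's Signatures section (one per distinct IoC).
SAMPLE_EVENTS = [
    f"PID 5020 wrote to memory of 2648 5020 {SAMPLE_EXE} tepij.exe",
    f"PID 5020 wrote to memory of 384 5020 {SAMPLE_EXE} cmd.exe",
    "PID 2648 wrote to memory of 3140 2648 tepij.exe apkig.exe",
    f"Key value queried {USER_HIVE}{GEO_KEY} {SAMPLE_EXE}",
    f"Key value queried {USER_HIVE}{GEO_KEY} tepij.exe",
    f"Key opened {MACHINE_CS}{LANG_KEY} {SAMPLE_EXE}",
    f"Key opened {MACHINE_CS}{LANG_KEY} tepij.exe",
    f"Key opened {MACHINE_CS}{LANG_KEY} cmd.exe",
    f"Key opened {MACHINE_CS}{LANG_KEY} apkig.exe",
]
# Constructed flows (the report's Network section is empty on this page).
SAMPLE_FLOWS = [
    "TCP 10.127.0.101:49713 -> 218.54.31.226:80",
    "UDP 10.127.0.101:51015 -> 8.8.8.8:53",
]


def parse_events(lines):
    """Return ({pid: (image, parent_pid)}, {image: set(tags)})."""
    procs, tags = {}, defaultdict(set)
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            procs.setdefault(int(src), (src_img, None))  # keep an earlier parent link
            procs[int(dst)] = (dst_img, int(src))
            continue
        m = REG_RE.match(line)
        if m:
            key, image = m.groups()
            if key.endswith(GEO_KEY):
                tags[image].add("geofence-check")
            elif key.endswith(LANG_KEY):
                tags[image].add("language-discovery")
    return procs, dict(tags)


def render_tree(procs, tags=None):
    """Indent each process under the one that wrote into it, with its tags."""
    tags = tags or {}
    children, roots = defaultdict(list), []
    for pid, (_, parent) in procs.items():
        (roots if parent is None else children[parent]).append(pid)
    lines = []

    def walk(pid, depth):
        image = procs[pid][0]
        suffix = ""
        if image in tags:
            suffix = " [" + ", ".join(sorted(tags[image])) + "]"
        lines.append("  " * depth + f"{image} (PID {pid}){suffix}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


def match_c2(flows, c2=URELAS_C2):
    """Return (ip, port) for every flow whose destination is in the C2 set."""
    hits = []
    for flow in flows:
        m = FLOW_RE.match(flow)
        if m and m.group(1) in c2:
            hits.append((m.group(1), int(m.group(2))))
    return hits


if __name__ == "__main__":
    procs, tags = parse_events(SAMPLE_EVENTS)
    print("\n".join(render_tree(procs, tags)))
    print("C2 hits:", match_c2(SAMPLE_FLOWS))
```

The tree is rebuilt from WriteProcessMemory events rather than from the process list because, in this report, every child the sample starts is also written into by its parent, so the write events carry the parent/child relation directly. The cmd.exe process, which only opens the NLS\Language key, lands under the sample with a single language-discovery tag, while tepij.exe inherits both the geofence and language checks.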
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: 8390ca40cfaeae8d2a95426f9259689d
SHA1: cf91725781c4ae7dbcc0a445e7031f2a15d8ee74
SHA256: 3a70f7f2a0cd7aecd1b3a0848c781619189eb152bd014e0146777b28f4692478
SHA512: 041bf25674b43df57e8c66410020622b2b8ff5cfe15005e43f0df66fb9e77a1ad0e39d8a59a38b8178cd3251fc471b2bcc0146742fab3d838ee951f299b07a22

Filesize: 172KB
MD5: ce0b8bda6ce405537381069c3109f808
SHA1: 0cc978488667cee7280031b8cef986f3e8d1b56c
SHA256: bb8667475a1d5512f00a5fc2fc71e44af49d5d9997df02aa4f6488b260e51b93
SHA512: e0676e80e49f884c261d5aeb040cc56c5389993af20d8741b7791ef9b79674765199f2d8d7dfdb292173b143ece982bc31e0a0b34018ea0ddf7957c8cf5e58d5

Filesize: 512B
MD5: f02b734d4f9fd7ac00717cbb5ce2e7e3
SHA1: 31d7b5fb096ac00c1a8a788d6f02054c047135bc
SHA256: a185f1c35c7b678c36cc9d79b56a0417c861b095603ed3b44328f515c8100fd7
SHA512: 1e5a445384d49d9e25892d27bf255a584b22ee563d8a5f836e551e18e2ecdc6f1c74487bf335c9862ffa59492d586055bad0559c5ca0b4f6428e33f4b9c65e7b

Filesize: 333KB
MD5: 55c25404dff7dac00f6e172a893a5242
SHA1: bdbecd316627bba2ed4b513bb1f109d616e65486
SHA256: 7ba899a1740d06ffacb8a328568172f691d23e90dbe850298a9a081cb42fb5ab
SHA512: 2688c5cb0d1c48ab65083d33e5d62e8327c596ddd973ee5da7a711167b5ec3a30d5c32a466bd5518f529af5a1cf13e207995bc83ba8d56a5fea4c321db2779cd