Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 00:48
Behavioral task: behavioral1
Sample: 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
Resource: win7-20240903-en
General
Target: 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
Size: 348KB
MD5: 99f923fe659ab29eab7d0b6ce916a4ad
SHA1: 5f5335c397aba69ad7eeb3c7acf96d3a85379697
SHA256: 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1
SHA512: 976f934ed6c6946049d6b6e1a4e1a0f6750336538fc3257567ef6618ff2aa7a9c2638ac1eb723d6e682c115bd2fe74f904355f54eaf0b408374b9d848d78e76e
SSDEEP: 6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZe:A0G5obGGraOpUWlpZ
Malware Config
Extracted
Family: urelas
C2:
218.54.31.226
218.54.31.165
Signatures

Deletes itself (1 IoC)
pid   process
2312  cmd.exe
Executes dropped EXE (3 IoCs)
pid   process
2804  juizf.exe
3040  ozkeby.exe
1752  ulhux.exe
Loads dropped DLL (6 IoCs)
pid   process
2708  972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe (2 IoCs)
2804  juizf.exe (2 IoCs)
3040  ozkeby.exe (2 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ozkeby.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ulhux.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  juizf.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid   process
1752  ulhux.exe (62 IoCs)
Suspicious use of WriteProcessMemory (20 IoCs)
description         pid   process                                                                target pid  target process  count
wrote to memory of  2708  972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe  2804        juizf.exe       4
wrote to memory of  2708  972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe  2312        cmd.exe         4
wrote to memory of  2804  juizf.exe                                                              3040        ozkeby.exe      4
wrote to memory of  3040  ozkeby.exe                                                             1752        ulhux.exe       4
wrote to memory of  3040  ozkeby.exe                                                             2896        cmd.exe         4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"
    PID: 2708
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\juizf.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\juizf.exe"
        PID: 2804
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\ozkeby.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\ozkeby.exe" OK
            PID: 3040
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\ulhux.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\ulhux.exe"
                PID: 1752
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID: 2896
                - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2312
        - Deletes itself
        - System Location Discovery: System Language Discovery
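The WriteProcessMemory records and the process tree above, rebuilt into process lineage and flagged, as an added example for this page; it is not code from the sandbox or part of the report. The parser assumes the record layout the report prints ("PID <src> wrote to memory of <dst> <src> <src image> <dst image>"), the input lines and command lines are copied from this report (with one deliberate duplicate kept to show de-duplication), and the two %TEMP%-based flagging rules are the editor's own heuristics rather than signatures the sandbox applied.

```python
"""Rebuild process lineage from a sandbox report's WriteProcessMemory IoCs.

Added example; not part of the sandbox report or any sandbox tooling.
The record format is inferred from how the report prints each IoC, and
the flagging heuristics are the editor's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Records copied from the report's WriteProcessMemory IoC list. The sandbox
# logs one record per hooked call, so each parent/child pair appears four
# times in the report; one duplicate is kept here to show de-duplication.
WPM_RECORDS = """
PID 2708 wrote to memory of 2804 2708 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe juizf.exe
PID 2708 wrote to memory of 2804 2708 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe juizf.exe
PID 2708 wrote to memory of 2312 2708 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe cmd.exe
PID 2804 wrote to memory of 3040 2804 juizf.exe ozkeby.exe
PID 3040 wrote to memory of 1752 3040 ozkeby.exe ulhux.exe
PID 3040 wrote to memory of 2896 3040 ozkeby.exe cmd.exe
""".strip().splitlines()

# Command lines copied from the report's process tree, keyed by PID.
COMMAND_LINES: Dict[int, str] = {
    2708: r'"C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"',
    2804: r'"C:\Users\Admin\AppData\Local\Temp\juizf.exe"',
    3040: r'"C:\Users\Admin\AppData\Local\Temp\ozkeby.exe" OK',
    1752: r'"C:\Users\Admin\AppData\Local\Temp\ulhux.exe"',
    2896: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "',
    2312: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "',
}

# Assumed layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")

Edge = Tuple[int, int, str, str]  # (parent pid, child pid, parent image, child image)


def parse_edges(records: List[str]) -> List[Edge]:
    """Parse the IoC lines into unique parent->child edges, in first-seen order."""
    seen = set()
    edges: List[Edge] = []
    for line in records:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory record; skip silently
        edge: Edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def lineage_chains(edges: List[Edge]) -> List[List[str]]:
    """Return every root-to-leaf chain of image names, depth first."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    has_parent = set()
    for parent, child, pname, cname in edges:
        children[parent].append(child)
        has_parent.add(child)
        names[parent] = pname
        names[child] = cname
    roots = [pid for pid in names if pid not in has_parent]

    chains: List[List[str]] = []

    def walk(pid: int, path: List[str]) -> None:
        path = path + [names[pid]]
        if not children.get(pid):
            chains.append(path)  # leaf process: chain is complete
        for child in children.get(pid, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


TEMP_DIR = "\\appdata\\local\\temp\\"  # compared against lower-cased command lines


def flag_edges(edges: List[Edge], cmdlines: Dict[int, str]) -> List[str]:
    """Editor's heuristics: a %TEMP% executable launching another %TEMP%
    executable, or launching cmd.exe on a batch file from %TEMP%."""
    findings = []
    for parent, child, pname, cname in edges:
        pcmd = cmdlines.get(parent, "").lower()
        ccmd = cmdlines.get(child, "").lower()
        if TEMP_DIR in pcmd and TEMP_DIR in ccmd and cname.lower() != "cmd.exe":
            findings.append(f"{pname} ({parent}) launched %TEMP% executable {cname} ({child})")
        elif cname.lower() == "cmd.exe" and ".bat" in ccmd and TEMP_DIR in pcmd:
            findings.append(f"{pname} ({parent}) ran a %TEMP% batch file via cmd.exe ({child})")
    return findings


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    for chain in lineage_chains(edges):
        print(" -> ".join(chain))
    for finding in flag_edges(edges, COMMAND_LINES):
        print("FLAG:", finding)
```

Run as-is it prints the three root-to-leaf chains (the dropper chain ending in ulhux.exe, the same chain ending in the second cmd.exe, and the root's direct cmd.exe child) and five flags, one per unique edge. The de-duplication matters in practice: the report's raw count of 20 IoCs is four hooked calls per process creation, not 20 distinct injection targets.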
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 40c0cecdb6095e9022f9b96cd55f10a3
SHA1: b5be5385481f9373aa7bcc2fed4e21d5c0cf79da
SHA256: a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24
SHA512: 759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73

Filesize: 224B
MD5: 37bba20cb649bd8ad7f6a39610fe9e57
SHA1: a1d019f4e2b5044fa7b45f2463fd4d9ca2e96b76
SHA256: 415e8629e0827c7a5c5a9d2c738a35722525f239dea3893fb1a73f8a7bd9b056
SHA512: fb9d4e36cd2e6e46d9bb97b88bddb6f19394291b5b3e0652d792110a3779bfaf187808450cf3fc889342ffd72920c5a77bd7a5592c89b287527b18dfd7025dc1

Filesize: 512B
MD5: eb88c82179968983af11c18f0b4eda60
SHA1: 00123a5a438fe3a0945b112f4e5ddbd5451421f0
SHA256: 20d3b3d70781db72ffa70dcb3c75ec7d48b09092ea203f19738c9fe11894e7b7
SHA512: b8fb7919c4207fb9279c9ba5f4f5d6bc8327eae21992ad61a242f24ebf763cb2aecbac14bf635405b8904e7decc0449563a354865f44fdb0042d0b46254903a9

Filesize: 348KB
MD5: d52b544e2e688291a7122e835e9bc700
SHA1: 9fd04f03c31f443f96ad2bb30e8ebf70f1cf168f
SHA256: 064cb57860b4e10de57e3e443f023bf5eda64d7078eb51cf4eeffbc79d737cb8
SHA512: 0dbb2823a90d5c17377189e1043c43b7f46984a19c9bd110aed20e81eeb63ad9380d52fa7d4bdcc2cc328b4d1df8ee3592157d80f2803a8d18859f6e6df30a39

Filesize: 115KB
MD5: c47b79ccba0bcd28795d8f5c4bf797fe
SHA1: 965a69ac90fb806c45bc673500e8be2ccb472288
SHA256: 4a66b16bba7e0b8d4dea5bb649df355758133b5d00d8aab2f8ed6d142bf33121
SHA512: 64812c0027111ef235ac55bc9a39086daa6d08a01650252a9d886777edc7da03c2665a795588101928e1f4d5de9c68217949814a97b65a20db8a0b43f6c9cb46