Analysis
max time kernel: 149s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 00:48

Behavioral task: behavioral1
Sample: 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
Resource: win7-20240903-en

General
Target: 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
Size: 348KB
MD5: 99f923fe659ab29eab7d0b6ce916a4ad
SHA1: 5f5335c397aba69ad7eeb3c7acf96d3a85379697
SHA256: 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1
SHA512: 976f934ed6c6946049d6b6e1a4e1a0f6750336538fc3257567ef6618ff2aa7a9c2638ac1eb723d6e682c115bd2fe74f904355f54eaf0b408374b9d848d78e76e
SSDEEP: 6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZe:A0G5obGGraOpUWlpZ
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
Processes:
  Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation by lexuym.exe
  Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation by 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
  Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation by ovofl.exe

Executes dropped EXE (3 IoCs)
Processes:
  PID 1728 ovofl.exe
  PID 4712 lexuym.exe
  PID 816 veguj.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by veguj.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ovofl.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by lexuym.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 816 veguj.exe (64 identical entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (writer PID -> target PID; each pair is recorded three times):
  PID 2764 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe wrote to memory of PID 1728 ovofl.exe (x3)
  PID 2764 972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe wrote to memory of PID 3052 cmd.exe (x3)
  PID 1728 ovofl.exe wrote to memory of PID 4712 lexuym.exe (x3)
  PID 4712 lexuym.exe wrote to memory of PID 816 veguj.exe (x3)
  PID 4712 lexuym.exe wrote to memory of PID 2796 cmd.exe (x3)
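The following Python is an added example, not part of the sandbox report or of the Urelas sample. It reconstructs the process tree from the fifteen "wrote to memory of" entries above and cross-checks each writer/target pair against the parent/child relationships in the Processes section (the `IOC_TEXT` and `PARENT_OF` inputs are constructed from this report's own entries). In this run every write target is a process its writer spawned, and every child received exactly three writes, so the signature documents the staged drop chain (sample -> ovofl.exe -> lexuym.exe -> veguj.exe) rather than injection into an unrelated process; a writer that is not the target's parent is the case that would merit a closer look.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"

# Constructed input: the fifteen IoC lines from the report's "Suspicious use of
# WriteProcessMemory" signature. Field order per entry:
# writer PID, target PID, writer PID again, writer image, target image.
IOC_TEXT = "\n".join(
    [f"PID 2764 wrote to memory of 1728 2764 {SAMPLE} ovofl.exe"] * 3
    + [f"PID 2764 wrote to memory of 3052 2764 {SAMPLE} cmd.exe"] * 3
    + ["PID 1728 wrote to memory of 4712 1728 ovofl.exe lexuym.exe"] * 3
    + ["PID 4712 wrote to memory of 816 4712 lexuym.exe veguj.exe"] * 3
    + ["PID 4712 wrote to memory of 2796 4712 lexuym.exe cmd.exe"] * 3
)

# Constructed from the report's Processes section: child PID -> parent PID.
PARENT_OF = {1728: 2764, 3052: 2764, 4712: 1728, 816: 4712, 2796: 4712}

ENTRY_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_entries(text):
    """Parse IoC lines into (writer_pid, writer_image, target_pid, target_image).

    Entries whose two writer PID fields disagree are skipped as malformed.
    """
    entries = []
    for m in ENTRY_RE.finditer(text):
        writer, target, writer_again, writer_img, target_img = m.groups()
        if writer != writer_again:
            continue
        entries.append((int(writer), writer_img, int(target), target_img))
    return entries


def build_tree(entries):
    """Collapse repeated writes into a writer -> distinct targets map.

    Returns (roots, children, images, write_counts): roots are PIDs that write
    but are never written to; write_counts maps each target to the number of
    write events it received.
    """
    children = defaultdict(list)
    images = {}
    write_counts = Counter()
    for writer, writer_img, target, target_img in entries:
        images[writer] = writer_img
        images[target] = target_img
        write_counts[target] += 1
        if target not in children[writer]:
            children[writer].append(target)
    roots = [pid for pid in children if pid not in write_counts]
    return roots, dict(children), images, write_counts


def render_tree(roots, children, images, write_counts):
    """ASCII tree; each non-root node shows how many writes it received."""
    lines = []

    def walk(pid, depth):
        note = "root" if depth == 0 else f"{write_counts[pid]} write(s) from parent"
        lines.append(f"{'  ' * depth}{images[pid]} (PID {pid}, {note})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def longest_chain(roots, children, images):
    """Image names along the deepest root-to-leaf path: the staged dropper chain."""
    best = []

    def dfs(pid, path):
        nonlocal best
        path = path + [images[pid]]
        kids = children.get(pid, [])
        if not kids and len(path) > len(best):
            best = path
        for kid in kids:
            dfs(kid, path)

    for root in roots:
        dfs(root, [])
    return best


def cross_process_writes(entries, parent_of):
    """(writer, target) pairs where the writer is NOT the target's parent.

    Writes into a process the writer did not create are the injection
    candidates; for this report the list is empty.
    """
    return sorted({(w, t) for w, _, t, _ in entries if parent_of.get(t) != w})


if __name__ == "__main__":
    ents = parse_entries(IOC_TEXT)
    roots, kids, imgs, counts = build_tree(ents)
    print(render_tree(roots, kids, imgs, counts))
    print("drop chain:", " -> ".join(longest_chain(roots, kids, imgs)))
    print("cross-process writes:", cross_process_writes(ents, PARENT_OF))
```

Feeding the same parser a report where a stage writes into, say, an already-running explorer.exe would surface that pair in `cross_process_writes`, which is the distinction the raw IoC count does not make.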
Processes

C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe (PID 2764)
Command line: "C:\Users\Admin\AppData\Local\Temp\972675b4d17b944c0d9867f305391ce49df458f60fc21e9e37d2b6b481edcce1.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ovofl.exe (PID 1728, child of 2764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ovofl.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\lexuym.exe (PID 4712, child of 1728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\lexuym.exe" OK
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\veguj.exe (PID 816, child of 4712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\veguj.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

      C:\Windows\SysWOW64\cmd.exe (PID 2796, child of 4712)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 3052, child of 2764)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 40c0cecdb6095e9022f9b96cd55f10a3
SHA1: b5be5385481f9373aa7bcc2fed4e21d5c0cf79da
SHA256: a0cdb22e6cbadeaf877aba273d6fa7b5c5162fa0a8671207364ac7607ddf5d24
SHA512: 759cba8c297f7a1e2b0f9e4467fe9f27236eb41ecb99cf37d90828e03d2462949f7280a8a2c36b2067af3a803a8b6986bedf9144602e7cfbbbaef4e5f5b41e73

Filesize: 224B
MD5: 8ebc735d89a847088117dc9afe7520f6
SHA1: e8a915304c7e92f71070666025adee72efb06977
SHA256: ad194d0f56b74f783d169a08bb75861ef5aabc190efc3b9e8ce13219da393eeb
SHA512: f3d504776495ced3f0e67b2a1efe2c4d104016f73aaa6b24ec67136206357b2e46381051a8875a8384b23ceeae8d2b0e4ac4b5c69186908b5d4eac158ef89c30

Filesize: 512B
MD5: a5254c72e0444330ef741c3be17c6a86
SHA1: 4bf91b592b1e4877d3e1c15f07a4b20b239eadae
SHA256: f960bbc15defa3c448f96588f708de3d4b970bb0c3fc5ca9ddea18a763835c7c
SHA512: ab6ac3f705a2189fb9e5c976a6b43336e36d788c74a9fe5801f986abfcfcdd9cb4205d1cca3e74d520ac0c7de33bde52f8dcbab7469363ed43265f93a7b89fb1

Filesize: 348KB
MD5: ac835dc370e67bfe6d7896b7d1772b53
SHA1: 8ed7bb949143be3b36482916cf8cfaeee32572b5
SHA256: f2063a8870521aef3eb2c13a5cd13615292ac64532e44179f333d15daaec4a2b
SHA512: 66871d8362015dc56bc9628b5d5d66acc393e2f0f6a166289a055a795bbc948c090dde57bac5535503154a888ca104584f2a967e8131eb7d80c50b2ae4cf9f45

Filesize: 115KB
MD5: 9d27b50a0db2a28a8ee253e15d4f3765
SHA1: 8779848bd5850c22585a1dcf6625d450e621ff3e
SHA256: 35b11e97f06e8d95070d28c85e7a5709e26c62add5a9699bdd9558de4a2b80ed
SHA512: 993ac62e6bcefd8afa4b4927f1501a8f326c2bcc1062def8c11ec9ffef14d0924add8f228549133968936932613d54add81dcfd490d1839d3b20cf5eca343857