Analysis

- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2024 03:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
- Resource: win7-20240729-en
General

- Target: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
- Size: 334KB
- MD5: d06332b00b98add142bc2aac5c94a0f2
- SHA1: 86258a7f35b74d6c62f5e2ae7ec05cacfb105012
- SHA256: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c
- SHA512: 7a18fa80b1cae818a595adf9be937562e8148ca189b8ee785fef5a24a56f2ecf3641ca5a2096377e88a8ed8248a691c0b4bf7a93fe9cb13c1c997393b8645373
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYp:vHW138/iXWlK885rKlGSekcj66ciE
Malware Config

Extracted

- Family: urelas
- Addresses: 218.54.31.226, 218.54.31.165, 218.54.31.166
Signatures

- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2692)
- Executes dropped EXE (2 IoCs)
  Processes: tolih.exe (PID 2740), firar.exe (PID 2824)
- Loads dropped DLL (2 IoCs)
  Processes: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe (PID 2352), tolih.exe (PID 2740)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Registry key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe, cmd.exe, tolih.exe, firar.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes: firar.exe (PID 2824), 54 occurrences
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2352 (cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe) wrote to memory of PID 2740 (tolih.exe), 4 occurrences
  PID 2352 (cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe) wrote to memory of PID 2692 (cmd.exe), 4 occurrences
  PID 2740 (tolih.exe) wrote to memory of PID 2824 (firar.exe), 4 occurrences
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe"
  PID: 2352
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\tolih.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tolih.exe"
    PID: 2740
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\firar.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\firar.exe"
      PID: 2824
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2692
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 340B
  MD5: 15820bc0f472e16c48367712bd45bc8a
  SHA1: 68b81be582dfe6da08dd2848db5309b4174e628f
  SHA256: bb610dce6841a5444a54aaecea848fe5a3df3d83191371a57a844a87acb02fb1
  SHA512: 42643673844047646f4434a910876adf9b44b053ea6875e7df557bbbfcfe3d54900bc55ed37a7b42b3cfc7d0e1e5429fc4ddee766737f8c53417cc5a7b528bb8
- Filesize: 512B
  MD5: 49a6ef578fe2729a92948fc1b6bbd88e
  SHA1: 129a4ac092f678d97d88562eac647a6c00134310
  SHA256: 423985f2cb55d014e661f84eb4351928942963c9c4f3f21866e68ebdd4de6131
  SHA512: c50ceed940ae6ccc5b8fad2c8632ba91b7764e0e807279aa6dc99079656eeeb8d84a6efb095cb309c5c9018935593099c3e3e5c586955d0a1487c9a5c177fb33
- Filesize: 334KB
  MD5: 7226dea686dfda66c2c6d2b585639ae7
  SHA1: 6462493e2fb0a91b9bda829d55139e9f279fa0cf
  SHA256: 0ac5d0c784e46757406be1e6ba0a8f5e5c75df0d0bde1102ab2642dbed10e4b4
  SHA512: ad2a2d7aa54c3a368e9f2c49f7ce8f8e051399ddb2a4f1d8ac889a89e5f61f9304ed2890aeec81182b58e0cda6ea57b8a9ea83f80f3601f81189e37753057a8a
- Filesize: 172KB
  MD5: 8be8b739958d97304b608c26a1c2cc15
  SHA1: 7c74a382ba8ca2e17c1284cda7c79cb7ef87a968
  SHA256: 50e1b277509851cef34eb3421b369ca29bc5fceda364d4b1f244d0c7e519de42
  SHA512: c647295513c7509de660340c42d678a70a4cba13a94bbd4f721fad0319e65dcc486d4410eeecc3e68cee92c5c5516564d2b35c718bb77fe9fb68b6f67e3e0e05