Analysis
  max time kernel: 150s
  max time network: 95s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-10-2024 03:19
Static task: static1
Behavioral task: behavioral1
  Sample: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
  Resource: win7-20240729-en
General
  Target: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe
  Size: 334KB
  MD5: d06332b00b98add142bc2aac5c94a0f2
  SHA1: 86258a7f35b74d6c62f5e2ae7ec05cacfb105012
  SHA256: cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c
  SHA512: 7a18fa80b1cae818a595adf9be937562e8148ca189b8ee785fef5a24a56f2ecf3641ca5a2096377e88a8ed8248a691c0b4bf7a93fe9cb13c1c997393b8645373
  SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYp:vHW138/iXWlK885rKlGSekcj66ciE
Malware Config
  Extracted: urelas
  Addresses:
    218.54.31.226
    218.54.31.165
    218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe: Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
  soixd.exe: Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
Processes:
  PID 856: soixd.exe
  PID 4772: nedax.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  soixd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  nedax.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 4772: nedax.exe (the same entry is recorded 64 times)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID and process, target PID and process; each entry is recorded 3 times):
  PID 1268 cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe wrote to memory of PID 856 soixd.exe
  PID 1268 cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe wrote to memory of PID 3708 cmd.exe
  PID 856 soixd.exe wrote to memory of PID 4772 nedax.exe
Processes

C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe (PID 1268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdc72bfc25a430298f4da6a6d3f3327cf5fe76b809dbe07e17c649d63741733c.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\soixd.exe (PID 856, child of 1268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\soixd.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nedax.exe (PID 4772, child of 856)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nedax.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (PID 3708, child of 1268)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads