Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 03:49
Static task: static1
Behavioral task: behavioral1
Sample: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe
Resource: win7-20240903-en
General
Target: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe
Size: 332KB
MD5: cfd3c189d1f86049e9a336e49c8d22e3
SHA1: f6acb447f1fbc3b86970ad8e8432a02e47ad3308
SHA256: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2
SHA512: c450555fc0d22442361bd32c513ae9bef047709dd89b07394e82568a907182f8d522bb4c498b7eb1d642c2e823bc3799ccec3b2a3b60ca5f9f38c995ba50094b
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66cif
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1944)
- Executes dropped EXE (2 IoCs)
  Processes: qiwea.exe (PID 2040), suqow.exe (PID 2780)
- Loads dropped DLL (2 IoCs)
  Processes: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe (PID 548), qiwea.exe (PID 2040)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language opened by suqow.exe, d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe, qiwea.exe and cmd.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes: suqow.exe (PID 2780), 54 occurrences
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 548 (d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe) wrote to memory of PID 2040 (qiwea.exe), 4 times
  PID 548 (d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe) wrote to memory of PID 1944 (cmd.exe), 4 times
  PID 2040 (qiwea.exe) wrote to memory of PID 2780 (suqow.exe), 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 548
  C:\Users\Admin\AppData\Local\Temp\qiwea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qiwea.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2040
    C:\Users\Admin\AppData\Local\Temp\suqow.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\suqow.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2780
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 1944
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
- Filesize: 512B
- Filesize: 172KB
- Filesize: 332KB