Analysis

- max time kernel: 149s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2024 03:49

Static task: static1
Behavioral task: behavioral1
Sample: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe
Resource: win7-20240903-en
General

- Target: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe
- Size: 332KB
- MD5: cfd3c189d1f86049e9a336e49c8d22e3
- SHA1: f6acb447f1fbc3b86970ad8e8432a02e47ad3308
- SHA256: d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2
- SHA512: c450555fc0d22442361bd32c513ae9bef047709dd89b07394e82568a907182f8d522bb4c498b7eb1d642c2e823bc3799ccec3b2a3b60ca5f9f38c995ba50094b
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66cif
Malware Config

Extracted family: urelas
C2 addresses:
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | hefuf.exe |

Executes dropped EXE (2 IoCs)

| pid | process |
|---|---|
| 3064 | hefuf.exe |
| 2768 | jynes.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hefuf.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jynes.exe |

Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | process |
|---|---|
| 2768 | jynes.exe |

(The report lists this same pid/process entry 64 times; the repeats are omitted here.)

Suspicious use of WriteProcessMemory (9 IoCs)

| description | pid | process | target process |
|---|---|---|---|
| PID 680 wrote to memory of 3064 | 680 | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe | hefuf.exe |
| PID 680 wrote to memory of 3064 | 680 | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe | hefuf.exe |
| PID 680 wrote to memory of 3064 | 680 | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe | hefuf.exe |
| PID 680 wrote to memory of 2840 | 680 | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe | cmd.exe |
| PID 680 wrote to memory of 2840 | 680 | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe | cmd.exe |
| PID 680 wrote to memory of 2840 | 680 | d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe | cmd.exe |
| PID 3064 wrote to memory of 2768 | 3064 | hefuf.exe | jynes.exe |
| PID 3064 wrote to memory of 2768 | 3064 | hefuf.exe | jynes.exe |
| PID 3064 wrote to memory of 2768 | 3064 | hefuf.exe | jynes.exe |
Processes

- C:\Users\Admin\AppData\Local\Temp\d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe (PID 680, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8007ce7bf001d9a9510c5dba9beca92db71d9890ae6f0598e0ca8303a7069e2.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hefuf.exe (PID 3064, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hefuf.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\jynes.exe (PID 2768, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jynes.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2840, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads