Analysis
max time kernel: 120s
max time network: 77s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 15:36

Behavioral task: behavioral1
Sample: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Resource: win7-20240729-en
General
Target: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Size: 410KB
MD5: 11c25c7af15bae9c20e5b2e3f69da5d0
SHA1: aaf9829664a76c423bc4504ed65e4f089069429e
SHA256: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
SHA512: bdcf77fb242809228b61850ba4e578e1ede24e746634689c325780658eb5a4dd6e4135d4a633202c395e6ff2d1e6542f9b3248f66b58a97b026508b88331d57d
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOtk:eU7M5ijWh0XOW4sEfeOe
Malware Config
Extracted: urelas
  218.54.31.226
  218.54.31.165
Signatures

  resource                                    yara_rule
  \Users\Admin\AppData\Local\Temp\tobeo.exe   aspack_v212_v242

Deletes itself 1 IoCs
  PID 2748 cmd.exe

Executes dropped EXE 2 IoCs
  PID 1192 fulaq.exe
  PID 2144 tobeo.exe

Loads dropped DLL 3 IoCs
  PID 588 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
  PID 588 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
  PID 1192 fulaq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fulaq.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tobeo.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs
  PID 2144 tobeo.exe (25 occurrences)

Suspicious use of WriteProcessMemory 12 IoCs
  PID 588 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe wrote to memory of PID 1192 fulaq.exe (4 occurrences)
  PID 588 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe wrote to memory of PID 2748 cmd.exe (4 occurrences)
  PID 1192 fulaq.exe wrote to memory of PID 2144 tobeo.exe (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
  PID: 588
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fulaq.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fulaq.exe"
    PID: 1192
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tobeo.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tobeo.exe"
      PID: 2144
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2748
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: 7b005e68ba608bed0f82bca950281e7f
SHA1: d8aa71bb2248e59685668514c773d382d9c711bd
SHA256: 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512: c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7

Filesize: 512B
MD5: 456598d98a5e0e49002099a2ea4d88d2
SHA1: be400359ae3cf48df86d24cc798a6716a8422fb9
SHA256: 687a63cc1b85b104faebfa540b34ae5d961efec099c1f4d915d813cd27c20bfe
SHA512: 682a186572a8d7188a8a2996fca0132cfd391f89447da19f3a047794fc729169e595f7c1a26ccf309d9e1dbac5bde38fd29b49729eafdb5794d6d8fc8d1caf10

Filesize: 410KB
MD5: 08adffe2aabfef6fce9d1f68e2d03f0e
SHA1: 37810e61a918c5bda4b2cc8e1304d5d28b9e5258
SHA256: 9fdd5c77d66e3640295496ed4e6919662462267a47056a75dfa44c00152ebb77
SHA512: 64e8101110be6b5f36134590de16e9d3963320843596fe3fcc8b818f427beed518e9e6946e61c20f864f434fab4923946077db713f35d5e00c34c57d11b1514f

Filesize: 212KB
MD5: dce35959000225209be8645511d6add2
SHA1: 31324e1b76c71fdcc9880f09aff5a8fb60878a1f
SHA256: 04a7d017da8d38c02d748461d175df169955a005d8959ee006fa6965c8892a77
SHA512: bc446377c6395ef38bedeea8ce1728584bee985910ee7e3a62f06595acdd62501a3dfd2169a35fe7c120ffa8cd1fcaf83d9aa2358d2e5c28af0703abe34b7a87