Analysis
max time kernel: 120s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 15:36
Behavioral task: behavioral1
Sample: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Resource: win7-20240729-en
General
Target: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Size: 410KB
MD5: 11c25c7af15bae9c20e5b2e3f69da5d0
SHA1: aaf9829664a76c423bc4504ed65e4f089069429e
SHA256: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
SHA512: bdcf77fb242809228b61850ba4e578e1ede24e746634689c325780658eb5a4dd6e4135d4a633202c395e6ff2d1e6542f9b3248f66b58a97b026508b88331d57d
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOtk:eU7M5ijWh0XOW4sEfeOe
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
Signatures
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\loupi.exe | aspack_v212_v242
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | foibm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1960 | foibm.exe
4036 | loupi.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | loupi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | foibm.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes:
pid | process
4036 | loupi.exe (48 occurrences)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 1540 wrote to memory of 1960 | 1540 | 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | foibm.exe (3 occurrences)
PID 1540 wrote to memory of 1748 | 1540 | 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe | cmd.exe (3 occurrences)
PID 1960 wrote to memory of 4036 | 1960 | foibm.exe | loupi.exe (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
  PID: 1540
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\foibm.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\foibm.exe"
    PID: 1960
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\loupi.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\loupi.exe"
      PID: 4036
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 1748
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 342B
MD5: 7b005e68ba608bed0f82bca950281e7f
SHA1: d8aa71bb2248e59685668514c773d382d9c711bd
SHA256: 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512: c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7
-
Filesize: 410KB
MD5: c49b5a7941e0bf83ae27639f59ca9e23
SHA1: 6794615e0c92e9e64aa13597eba6d23bf45c8075
SHA256: 7a02f6d44d607fb5e33f8e69070cad4435ca98e421bf99ef6dd7c6ce303afa30
SHA512: a65c03386a3cef9b15dd445153f5ab2068ff1f2a95235e97643aaac12db224851ff058ef65dd67bb2692df6a405fff3b2b90c2d056c1c58e3ae86f558547b88f
-
Filesize: 512B
MD5: f91b982d6f50ea89b4e170ab5c39854b
SHA1: 1b28a7ca5d52be9883b4cb067a9ebb69988406ea
SHA256: 361e7527c45278fc944c3bd41ef8a8ef8847a7b03ad3b8ccb3a25788e05979df
SHA512: 07368b730618a8e36730dd66743be3496d2e58f1d9057b2fabe5ad4e60da4a4ebe25be831e746731c241de07e83678029fc924a5088767e63dbd8706ec95960b
-
Filesize: 212KB
MD5: 76f224a80b09e3ca6c00422b31cffc8a
SHA1: 7bf2e32a2aec28ade0edd245526b326f1ffa4191
SHA256: 9ff0e43f349b8e780fb1bccdbc3cd511c8fe353d5405c7f3fdabcbb591bdb437
SHA512: 3e20c65b10e2f0a2ca4dcf52d9eb96215e5db94cbee6b829e4cbce877e4f1cdd93c8a16901a4ab64fb015e42104b0dd762d624639f0551187913c61c899e4709