Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 15:41
Behavioral task: behavioral1
Sample: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Resource: win7-20240903-en
General
Target: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Size: 410KB
MD5: 11c25c7af15bae9c20e5b2e3f69da5d0
SHA1: aaf9829664a76c423bc4504ed65e4f089069429e
SHA256: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
SHA512: bdcf77fb242809228b61850ba4e578e1ede24e746634689c325780658eb5a4dd6e4135d4a633202c395e6ff2d1e6542f9b3248f66b58a97b026508b88331d57d
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOtk:eU7M5ijWh0XOW4sEfeOe
Malware Config
Extracted
Family: urelas
Addresses:
218.54.31.226
218.54.31.165
Signatures
YARA rule match
resource: \Users\Admin\AppData\Local\Temp\foecn.exe
yara_rule: aspack_v212_v242 (ASPack packer signature)
Deletes itself 1 IoCs
Processes: pid 2732 cmd.exe
Executes dropped EXE 2 IoCs
Processes: pid 2920 ufjug.exe; pid 352 foecn.exe
Loads dropped DLL 3 IoCs
Processes: pid 2788 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe (2 events); pid 2920 ufjug.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes (description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
ufjug.exe
cmd.exe
foecn.exe
9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes: pid 352 foecn.exe (54 events)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 2788 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe wrote to memory of 2920 ufjug.exe (4 events)
PID 2788 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe wrote to memory of 2732 cmd.exe (4 events)
PID 2920 ufjug.exe wrote to memory of 352 foecn.exe (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe (PID 2788)
  command line: "C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ufjug.exe (PID 2920, child of 2788)
    command line: "C:\Users\Admin\AppData\Local\Temp\ufjug.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\foecn.exe (PID 352, child of 2920)
      command line: "C:\Users\Admin\AppData\Local\Temp\foecn.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 2732, child of 2788)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
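The process tree above is the data behind the "Deletes itself" and "Executes dropped EXE" signatures: a binary in the user's %TEMP% directory starts two more %TEMP% binaries and a cmd.exe that runs a .bat from the same directory. The Python below is an added example, not part of this sandbox report or of the Urelas sample; it turns that shape into two detection checks and runs them over constructed process-creation events modelled on the tree. The explorer.exe parent (PID 1000), the Desktop control event and the Sysmon-style event field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 shape; field names are assumptions)."""
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str   # command line as logged


# Paths under the per-user %TEMP% directory, e.g. C:\Users\Admin\AppData\Local\Temp\...
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# cmd /c ""<temp>\x.bat" "  -> capture the .bat path cmd.exe was asked to run
BAT_FROM_TEMP = re.compile(
    r'/c\s+"*([a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^"]+\.bat)"', re.IGNORECASE)


def is_temp_path(path: str) -> bool:
    return bool(TEMP_DIR.match(path))


def find_self_delete_batch(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Flag cmd.exe started by a %TEMP% executable to run a .bat that also lives in %TEMP%.

    This is the shape of the "Deletes itself" entry (PID 2788 -> cmd.exe 2732 running
    _uinsey.bat). Returns one (parent image, cmd pid, batch path) tuple per hit.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, int, str]] = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None or not is_temp_path(parent.image):
            continue
        m = BAT_FROM_TEMP.search(e.command_line)
        if m:
            hits.append((parent.image, e.pid, m.group(1)))
    return hits


def find_temp_exec_chains(events: List[ProcEvent]) -> List[Tuple[str, ...]]:
    """Return ancestor chains of %TEMP% executables (a dropped EXE executing a dropped EXE).

    Each chain is ordered oldest ancestor first and is only reported when it has at
    least two links, i.e. a %TEMP% binary was started by another %TEMP% binary.
    """
    by_pid = {e.pid: e for e in events}
    chains: List[Tuple[str, ...]] = []
    for e in events:
        if not (is_temp_path(e.image) and e.image.lower().endswith(".exe")):
            continue
        chain = [e.image]
        cur = by_pid.get(e.ppid)
        while cur is not None and is_temp_path(cur.image):
            chain.append(cur.image)
            cur = by_pid.get(cur.ppid)
        if len(chain) >= 2:
            chains.append(tuple(reversed(chain)))
    return chains


# Constructed events modelled on the process tree in this report. The explorer.exe
# parent (PID 1000) and the final Desktop-batch event are assumptions used as controls.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
UFJUG = TEMP + r"\ufjug.exe"
FOECN = TEMP + r"\foecn.exe"
BAT = TEMP + r"\_uinsey.bat"
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2788, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2920, 2788, UFJUG, '"' + UFJUG + '"'),
    ProcEvent(352, 2920, FOECN, '"' + FOECN + '"'),
    ProcEvent(2732, 2788, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + BAT + '" "'),
    # control: a user-run batch file on the Desktop, launched by explorer, must not fire
    ProcEvent(3100, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Users\Admin\Desktop\backup.bat"'),
]

if __name__ == "__main__":
    for parent, pid, bat in find_self_delete_batch(SAMPLE_EVENTS):
        print("self-delete batch: %s -> cmd.exe pid %d runs %s" % (parent, pid, bat))
    for chain in find_temp_exec_chains(SAMPLE_EVENTS):
        print("dropped-EXE chain: " + " -> ".join(chain))
```

The batch check keys on the parent's location plus a .bat under %TEMP%, not on the name _uinsey.bat, which is generated per run; the chain check reports both the two-link and three-link chain so that a partial tree (for example if foecn.exe never started) still produces a hit.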
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists the dropped files by size and hash only; no filenames are shown on this page.

Filesize: 342B
MD5: 7b005e68ba608bed0f82bca950281e7f
SHA1: d8aa71bb2248e59685668514c773d382d9c711bd
SHA256: 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512: c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7

Filesize: 512B
MD5: fd67fb78384428eec4d236b880c0f3a8
SHA1: 5a74d0b7a168b3eedab411794575ace60f5b3543
SHA256: e5c7f3db8b50eb03e97c1cd7a66028a2a15c5b4c7f6a4dd0c1d0c35236ff3492
SHA512: d9bd4c7c693f9caa57771e99c9df568ab15cfb3b5234ba16ae6af8920782444395646e02c027b8aae2bec26b0259acb4c766d35c8ebb4fa90840f3a85730f3f9

Filesize: 410KB
MD5: 108f93fa49f84a905537fdef7feda391
SHA1: 514fb2959041a4e6b5fa1126cb15c95d1baebf18
SHA256: 1c041ee300fa38a82b2d0d5f56edb59fdb5030962d9278aab694bb57022a8568
SHA512: 2c477a5ba6a17b2da4489c486929788577e45eaefe654b5d86bf5a6abf2fffd3471b12300ad804ca745cb82237343e9eaaa2b6743b4280cf37b8f0de484fab57
Note: this file is the same size as the submitted sample (410KB) but its hashes differ, so it is a distinct file rather than a byte-identical copy.

Filesize: 212KB
MD5: 1b2b6a08c356ffd1f95141cf00349f89
SHA1: ff22193e53493dba47169cf7530312a4d4ff89ed
SHA256: 281ab5ccd101d8b9053e0cbb3f794e78a37fd863996f31d1bb2254502b8e2a5c
SHA512: fa4b78ec993131fd67e5ee41b1c34daf400c1761712f0497fcc1cf09c62723b9301bc3bb9937304164cf64ff7b5603f065bb321256848bfbb90410663b880553