Analysis
max time kernel: 149s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 15:41
Behavioral task: behavioral1
Sample: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Resource: win7-20240903-en
General
Target: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
Size: 410KB
MD5: 11c25c7af15bae9c20e5b2e3f69da5d0
SHA1: aaf9829664a76c423bc4504ed65e4f089069429e
SHA256: 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
SHA512: bdcf77fb242809228b61850ba4e578e1ede24e746634689c325780658eb5a4dd6e4135d4a633202c395e6ff2d1e6542f9b3248f66b58a97b026508b88331d57d
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOtk:eU7M5ijWh0XOW4sEfeOe
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
- YARA rule match (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\umukb.exe  aspack_v212_v242
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  cygeb.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  3436  cygeb.exe
  4584  umukb.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cygeb.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  umukb.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  4584  umukb.exe  (the same entry is recorded for all 64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  PID 4440 wrote to memory of 3436  4440  9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe  cygeb.exe  (3 entries)
  PID 4440 wrote to memory of 5068  4440  9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe  cmd.exe  (3 entries)
  PID 3436 wrote to memory of 4584  3436  cygeb.exe  umukb.exe  (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
  PID: 4440
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\cygeb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cygeb.exe"
    PID: 3436
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\umukb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\umukb.exe"
      PID: 4584
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 5068
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads