Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2024 18:36
Behavioral task: behavioral1
- Sample: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
- Resource: win7-20240903-en
General
- Target: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
- Size: 787KB
- MD5: e74fc6d312969c7dc5f7d9222e0761c0
- SHA1: d1dd1a184396325514430242fa0a39ed1fcc614c
- SHA256: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3
- SHA512: 6880a3b2ba7ceaad02deb216ebae5b4e62df636c4cf35e1d5b03b2d409220f453af9f8d57f64e2ec20ae8fa97d8e56ce0087d9fc01dc5067dd19e62918113697
- SSDEEP: 12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgl:d7dLBftJLW5YUWLrkJB0PJgl
Malware Config
Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2892)
- Executes dropped EXE (3 IoCs)
  Processes: hudim.exe (PID 1076), yfcoqu.exe (PID 2832), iffop.exe (PID 2856)
- Loads dropped DLL (6 IoCs)
  Processes: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe (PID 2576, 2 IoCs), hudim.exe (PID 1076, 2 IoCs), yfcoqu.exe (PID 2832, 2 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (each opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language): 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe, hudim.exe, yfcoqu.exe, cmd.exe, iffop.exe, cmd.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: iffop.exe (PID 2856, 7 IoCs)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (source PID and process -> target PID and process, 4 IoCs each):
  2576 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe -> 1076 hudim.exe
  2576 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe -> 2892 cmd.exe
  1076 hudim.exe -> 2832 yfcoqu.exe
  2832 yfcoqu.exe -> 2856 iffop.exe
  2832 yfcoqu.exe -> 796 cmd.exe
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe (PID 2576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hudim.exe (PID 1076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hudim.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe (PID 2832)
      Command line: "C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe" OK
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\iffop.exe (PID 2856)
        Command line: "C:\Users\Admin\AppData\Local\Temp\iffop.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 796)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2892)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15