Analysis
- max time kernel: 117s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2024 18:36
Behavioral task: behavioral1
- Sample: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
- Resource: win7-20240903-en
General
- Target: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
- Size: 787KB
- MD5: e74fc6d312969c7dc5f7d9222e0761c0
- SHA1: d1dd1a184396325514430242fa0a39ed1fcc614c
- SHA256: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3
- SHA512: 6880a3b2ba7ceaad02deb216ebae5b4e62df636c4cf35e1d5b03b2d409220f453af9f8d57f64e2ec20ae8fa97d8e56ce0087d9fc01dc5067dd19e62918113697
- SSDEEP: 12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgl:d7dLBftJLW5YUWLrkJB0PJgl
Malware Config
Extracted
- Family: urelas
- C2: 218.54.31.165
- C2: 218.54.31.226
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe, doefi.exe, xixole.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | doefi.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | xixole.exe
- Executes dropped EXE (3 IoCs)
  Processes: doefi.exe, xixole.exe, ybzob.exe
  pid | process
  4640 | doefi.exe
  1060 | xixole.exe
  2148 | ybzob.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe, doefi.exe, cmd.exe, xixole.exe, ybzob.exe, cmd.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | doefi.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xixole.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ybzob.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: ybzob.exe
  pid | process
  2148 | ybzob.exe (14 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe, doefi.exe, xixole.exe
  description | pid | process | target process
  PID 3280 wrote to memory of 4640 | 3280 | 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | doefi.exe (3 identical entries)
  PID 3280 wrote to memory of 1980 | 3280 | 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe | cmd.exe (3 identical entries)
  PID 4640 wrote to memory of 1060 | 4640 | doefi.exe | xixole.exe (3 identical entries)
  PID 1060 wrote to memory of 2148 | 1060 | xixole.exe | ybzob.exe (3 identical entries)
  PID 1060 wrote to memory of 2172 | 1060 | xixole.exe | cmd.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"
  Depth: 1, PID: 3280
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\doefi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\doefi.exe"
    Depth: 2, PID: 4640
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xixole.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xixole.exe" OK
      Depth: 3, PID: 1060
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ybzob.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ybzob.exe"
        Depth: 4, PID: 2148
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        Depth: 4, PID: 2172
        - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Depth: 2, PID: 1980
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads