Analysis

max time kernel: 150s
max time network: 84s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 19:27

Behavioral task: behavioral1
Sample: 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
Resource: win7-20241010-en
General

Target: 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
Size: 557KB
MD5: 875bb7d87500b1099b3d5f021fa7dc15
SHA1: 951fabd861860a304581316bb5df79dbb4994351
SHA256: 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1
SHA512: 160df7ee8214c9f270b0f5a93bf6ba92f2ef5be55068c30e86c6af3f96981e22a34d25ca48ea8fa25ca12555168a2f58c6ef920610cbd8ea5c3770ffe842edfd
SSDEEP: 12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4
Malware Config

Extracted: urelas
Addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures

Deletes itself (1 IoCs)
Processes (pid / process):
- 2856 cmd.exe

Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 2164 qourn.exe
- 2708 rebou.exe

Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 2396 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
- 2164 qourn.exe

Resource / yara_rule:
- behavioral1/memory/2396-0-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
- C:\Users\Admin\AppData\Local\Temp\qourn.exe | upx
- behavioral1/memory/2164-9-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
- behavioral1/memory/2396-17-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
- behavioral1/memory/2164-20-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
- behavioral1/memory/2164-28-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
- behavioral1/memory/2164-26-0x0000000003450000-0x00000000034E4000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qourn.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rebou.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
Processes (pid / process):
- 2708 rebou.exe (listed 53 times)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 2396 wrote to memory of 2164 | 2396 | 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe | qourn.exe (4 entries)
- PID 2396 wrote to memory of 2856 | 2396 | 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe | cmd.exe (4 entries)
- PID 2164 wrote to memory of 2708 | 2164 | qourn.exe | rebou.exe (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe"
   PID: 2396
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\qourn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qourn.exe"
      PID: 2164
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\rebou.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\rebou.exe"
         PID: 2708
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2856
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 3fcf392798338eab201b4d578dd2a25a
SHA1: 072c6577e302a2d1ced526ab3516a7d8bd8958e0
SHA256: 2f54ef30c389dd956a8b6bdd0599b570ad2ef9e8fbe50f7a6a1074a5aaab9ee3
SHA512: df6e7684e7f61739568d5863c1423b4a44f2ea8f74f055cdde46538cc04c701010419b76cbcfb6bbc0ff16c8816204861b7ad32051c35ccabd1c2975015b4992

Filesize: 512B
MD5: 8d72c3d8e013466888f3ee9f18be05f5
SHA1: af5e8dce314146d508fdcf82653d65ed4f0d5793
SHA256: 9f779d4040e6afbaeb5f96d1ddb0fe61db86b8b7fea028727ae1d6f782aff906
SHA512: 69e198de6aa0528ff42047f65b0f342166cb15818c2b92cd77f334a3aecf55662c70e79b03e9add65d5e0dcbe30b093a82ce1bfbdaba2183a07e516d293c5b0c

Filesize: 557KB
MD5: a6177728943bd993459281a0c6b47369
SHA1: 56667b63c5b1c4e17fa52e0b40312fb0185049dd
SHA256: b2e7a0d24427016eac02a116f7ffaa2c5ea0ef4c48df2782dfb99ee2429cd329
SHA512: 8b3a2baec3cdcd16072c5c8bb48cb69c689a49d995c69b45c57bede98854a2826bd486ef849b75693abaf2e6afe947423b03129176abb7263dd032ed306dfc63

Filesize: 194KB
MD5: 28f06ee1e8c8d22d21ec460b5882e255
SHA1: 23dba0f9b8e53bfdd0ba08674f12ff19ec30f156
SHA256: 2ff5621ff819e440203b5c02ff0fc4f558f5e7ddd00f1f91aebbada443477db0
SHA512: 30aa45893623979eafb25e1f4508c5dcaeba6a3d3e0fcf3e40cfa404faa7692ae3e56daf89d62762cff832c38db1f6ba913fa457fa744d7bdce2bd70503b364f