Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 19:27
Behavioral task: behavioral1
Sample: 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
Resource: win7-20241010-en
General
Target: 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe
Size: 557KB
MD5: 875bb7d87500b1099b3d5f021fa7dc15
SHA1: 951fabd861860a304581316bb5df79dbb4994351
SHA256: 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1
SHA512: 160df7ee8214c9f270b0f5a93bf6ba92f2ef5be55068c30e86c6af3f96981e22a34d25ca48ea8fa25ca12555168a2f58c6ef920610cbd8ea5c3770ffe842edfd
SSDEEP: 12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy4:znPfQp9L3olqF4
Malware Config
Extracted family: urelas
C2 addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
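The four C2 addresses above are the most directly actionable output of this report: a responder's first move is to sweep egress telemetry for them (note that 218.54.31.165 and 218.54.31.226 sit in the same /24, so a watch on that range may be worthwhile). The Python below is an added example, not part of the sandbox report or of the urelas sample. Its log lines are constructed to resemble a Sysmon network-connection record and a Zeek conn.log row; the field names in them are illustrative, and one line is a deliberate near miss to show why the address match must be anchored rather than a plain substring search.

```python
import ipaddress
import re

# C2 addresses from the urelas configuration extracted in this report.
URELAS_C2 = frozenset({
    "1.234.83.146",
    "133.242.129.155",
    "218.54.31.226",
    "218.54.31.165",
})

# Loose dotted-quad shape with boundaries that stop "218.54.31.2265" from
# yielding "218.54.31.226"; ipaddress does the real octet validation below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def c2_addresses_in(line):
    """Return the set of known urelas C2 addresses referenced in one log line."""
    hits = set()
    for candidate in IPV4_RE.findall(line):
        try:
            addr = str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # e.g. 300.1.2.3: shaped like an address, is not one
        if addr in URELAS_C2:
            hits.add(addr)
    return hits


def scan_log(lines):
    """Return [(line_number, sorted C2 addresses)] for every line that references a C2."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = c2_addresses_in(line)
        if hits:
            findings.append((number, sorted(hits)))
    return findings


# Constructed log lines (field names are illustrative, not real product output):
# a Sysmon network-connection style record, a Zeek conn.log style row, a benign
# connection, a near-miss address, and a line that references two C2s.
SAMPLE_LOG = [
    r"EventID=3 Image=C:\Users\Admin\AppData\Local\Temp\cuubv.exe DestinationIp=1.234.83.146 DestinationPort=80",
    "1728847900.123 CAbc12 10.0.0.5 49812 133.242.129.155 80 tcp http",
    r"EventID=3 Image=C:\Windows\explorer.exe DestinationIp=23.45.67.89 DestinationPort=443",
    "dst=218.54.31.2265 note=constructed near miss",
    "dst=218.54.31.165 dst2=218.54.31.226",
]

if __name__ == "__main__":
    for number, addrs in scan_log(SAMPLE_LOG):
        print(f"line {number}: urelas C2 {', '.join(addrs)}")
```

Run against the constructed lines it reports lines 1, 2 and 5 and stays silent on the near miss. Treat hits as a starting point only: the addresses come from one sample's configuration and can be reassigned, so a match should be confirmed against the dropped-file hashes and process tree further down this report.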
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (the Geo\Nation value under the user hive), most likely to geofence execution.
Processes:
- 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe: key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
- qokuu.exe: key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
Processes:
- PID 3460 qokuu.exe
- PID 3528 cuubv.exe
YARA rule matches: upx (UPX-packed code)
Resources:
- behavioral2/memory/1508-0-0x0000000000400000-0x00000000004B6000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\qokuu.exe
- behavioral2/memory/3460-12-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral2/memory/1508-14-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral2/memory/3460-17-0x0000000000400000-0x00000000004B6000-memory.dmp
- behavioral2/memory/3460-28-0x0000000000400000-0x00000000004B6000-memory.dmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes:
- cuubv.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- qokuu.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 3528 cuubv.exe (all 64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source PID wrote to target PID; each pairing is recorded three times):
- PID 1508 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe wrote to memory of PID 3460 qokuu.exe (x3)
- PID 1508 1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe wrote to memory of PID 3304 cmd.exe (x3)
- PID 3460 qokuu.exe wrote to memory of PID 3528 cuubv.exe (x3)
Every write here is from a parent into a child it has just created. Ordinary CreateProcess also writes into the new child's address space, so this signature on its own does not establish code injection; it is the dropped-EXE chain and the UPX-packed memory regions above that make the tree worth attention.
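Taken one at a time, the signatures above are weak: plenty of legitimate software reads Geo\Nation or NLS\Language. What the report actually shows is the combination: a binary running out of %LOCALAPPDATA%\Temp that queries the geofence value and the system language and then spawns further Temp-resident executables (the sample, then qokuu.exe, then cuubv.exe). The Python below is an added example, not from the report or the sample. It replays the report's PIDs, image paths and registry keys as constructed Sysmon-style event dicts (the dict field names are this example's own convention, not Sysmon's schema; the parent of the initial sample, PID 4000 explorer.exe, and its Geo\Nation read are made up as a benign control) and flags only the combination.

```python
import re
from collections import defaultdict

# Registry paths from the report. The Geo\Nation value lives under the user hive
# (HKU\<SID>), the language value under HKLM, so matching is done on the key tail
# after lower-casing to survive hive and SID differences between hosts.
GEO_NATION_TAIL = r"\control panel\international\geo\nation"
NLS_LANGUAGE_TAIL = r"\control\nls\language"
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def find_geofence_chains(events):
    """Flag Temp-resident processes that read Geo\\Nation and return their drop chains.

    events: iterable of dicts shaped like process-create and registry events
    (field names are an assumption of this example, not Sysmon's own):
      {"event": "ProcessCreate", "pid": int, "ppid": int, "image": str}
      {"event": "RegistryQuery", "pid": int, "key": str}
    """
    image, children, keys = {}, defaultdict(list), defaultdict(set)
    for ev in events:
        if ev["event"] == "ProcessCreate":
            image[ev["pid"]] = ev["image"]
            children[ev["ppid"]].append(ev["pid"])
        elif ev["event"] == "RegistryQuery":
            key = ev["key"].lower()
            if key.endswith(GEO_NATION_TAIL):
                keys[ev["pid"]].add("geo_nation")
            elif key.endswith(NLS_LANGUAGE_TAIL):
                keys[ev["pid"]].add("nls_language")

    findings = []
    for pid, tags in keys.items():
        img = image.get(pid, "")
        # The geofence read alone is common (shell, installers); the combination
        # with a Temp-resident image is what the report's process tree shows.
        if "geo_nation" in tags and TEMP_DIR.search(img):
            findings.append({
                "pid": pid,
                "image": img,
                "keys": sorted(tags),
                "chain": _temp_chain(pid, image, children),
            })
    return sorted(findings, key=lambda f: f["pid"])


def _temp_chain(pid, image, children):
    """'name(pid) -> name(pid)' over children whose image is also under Temp."""
    name = image[pid].rsplit("\\", 1)[-1]
    temp_kids = [c for c in children.get(pid, []) if TEMP_DIR.search(image.get(c, ""))]
    if not temp_kids:
        return f"{name}({pid})"
    return f"{name}({pid}) -> " + ", ".join(_temp_chain(c, image, children) for c in temp_kids)


# Constructed events replaying the report's tree. PID 4000 explorer.exe and its
# Geo\Nation read are invented as a benign control; every other PID, path and
# key is taken from the report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE_EXE = TEMP + r"\1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe"

EVENTS = [
    {"event": "ProcessCreate", "pid": 4000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"event": "RegistryQuery", "pid": 4000, "key": GEO_KEY},
    {"event": "ProcessCreate", "pid": 1508, "ppid": 4000, "image": SAMPLE_EXE},
    {"event": "RegistryQuery", "pid": 1508, "key": GEO_KEY},
    {"event": "RegistryQuery", "pid": 1508, "key": LANG_KEY},
    {"event": "ProcessCreate", "pid": 3460, "ppid": 1508, "image": TEMP + r"\qokuu.exe"},
    {"event": "ProcessCreate", "pid": 3304, "ppid": 1508, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"event": "RegistryQuery", "pid": 3304, "key": LANG_KEY},
    {"event": "RegistryQuery", "pid": 3460, "key": GEO_KEY},
    {"event": "RegistryQuery", "pid": 3460, "key": LANG_KEY},
    {"event": "ProcessCreate", "pid": 3528, "ppid": 3460, "image": TEMP + r"\cuubv.exe"},
    {"event": "RegistryQuery", "pid": 3528, "key": LANG_KEY},
]

if __name__ == "__main__":
    for finding in find_geofence_chains(EVENTS):
        print(finding["pid"], finding["keys"], finding["chain"])
```

On the replayed events the control process is ignored and two findings come back, PID 1508 with the full chain down to cuubv.exe(3528) and PID 3460 with the tail of it. cmd.exe (PID 3304) is left out of the chain because its image is under SysWOW64, even though it runs a Temp-resident batch file; a production rule would also want to look at the command line, which this example does not model.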
Processes
1. C:\Users\Admin\AppData\Local\Temp\1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe (PID 1508)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1dc16907c189ac765c7d95fcd2695bae92ceb2690a1e35712bce3b302fa4cbe1.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\qokuu.exe (PID 3460)
      Command line: "C:\Users\Admin\AppData\Local\Temp\qokuu.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cuubv.exe (PID 3528)
         Command line: "C:\Users\Admin\AppData\Local\Temp\cuubv.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe (PID 3304)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - System Location Discovery: System Language Discovery
Network
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads (dropped files)
File 1
Filesize: 340B
MD5: 3fcf392798338eab201b4d578dd2a25a
SHA1: 072c6577e302a2d1ced526ab3516a7d8bd8958e0
SHA256: 2f54ef30c389dd956a8b6bdd0599b570ad2ef9e8fbe50f7a6a1074a5aaab9ee3
SHA512: df6e7684e7f61739568d5863c1423b4a44f2ea8f74f055cdde46538cc04c701010419b76cbcfb6bbc0ff16c8816204861b7ad32051c35ccabd1c2975015b4992
File 2
Filesize: 194KB
MD5: 5e75eb789cc8e2482e77fd77258535ac
SHA1: 91fdaa7b36e130acc623b805bcdd0a07c079c51b
SHA256: f5de674ff792930f8a09945c805d1fcbf3f196cf2a7c39ef2bb72c8b0969e714
SHA512: 39ccb8b0b5fd8364c8c2634a43198630c8043b2d72564660a5494176b2ab7b6e627d51677baaeac79aad0fe1089b88ccc9646bd775813d749e64142d79c384ed
File 3
Filesize: 512B
MD5: ba655ae17147c0abf71a1bea14c8ce95
SHA1: 41cad7e07dd3c3c4864ef3b53316a67826c9db7c
SHA256: 1c089a13b32dac6cb58d82b44b26548f6186eceb8936e1697558dc2600969178
SHA512: e73eb5667cdc3c526df5baddcbe5b542e6128205eb8a8552e4dbdca42375d7809cf09033923e3137ab7525ce8697a14adcee9d5402a08973dd32a42f9afa13cc
File 4 (same 557KB size as the submitted sample, but different hashes)
Filesize: 557KB
MD5: d02ef02f68cabe47cb36c175ef646f0d
SHA1: e8ddfa28e4ceb01583845612c789ebf49b7065cf
SHA256: 16147b1875bee72705b9487a0077016b801ee7b4c95e184d3cec93824b5db317
SHA512: c3357a6812fedff3a34844b096a4c6eccb4b8a47c762a5c51716ba5dec53b692f08cd27cb3f1366360c73e86c866689c674efd15931d638bda91dd8c677795e5