Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2024 18:58
Behavioral task: behavioral1
Sample: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
Resource: win7-20240903-en
General
Target: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
Size: 343KB
MD5: 5cf93f15082a5e5b4ac032d42179d36a
SHA1: ff796054fc055bad3f24e65cdf41a637691110ff
SHA256: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1
SHA512: 8a26411a95ce1a17119ea3d99132e6017f95798eb8f82982366021ae9cadcfef8f2f938b11e73e4529c38872d9bc300b20f03c5b8c145b6c910547403ddd38c3
SSDEEP: 6144:Nd7rpL43btmQ58Z27zw39gY2FeZhrL8Awb:X7dL4AZ0U9gY2FhAy
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
Processes:
- resource: \Users\Admin\AppData\Local\Temp\lorua.exe, yara_rule: aspack_v212_v242
Deletes itself 1 IoCs
Processes:
- pid 3064: cmd.exe
Executes dropped EXE 3 IoCs
Processes:
- pid 2840: xigoe.exe
- pid 2780: ofqoyq.exe
- pid 1924: lorua.exe
Loads dropped DLL 5 IoCs
Processes:
- pid 2280: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
- pid 2280: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
- pid 2840: xigoe.exe
- pid 2840: xigoe.exe
- pid 2780: ofqoyq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by xigoe.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ofqoyq.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by lorua.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
- pid 1924: lorua.exe (all 62 IoCs come from this one process)
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description, pid, process, target process):
- PID 2280 wrote to memory of 2840: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe -> xigoe.exe (4 entries)
- PID 2280 wrote to memory of 3064: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe -> cmd.exe (4 entries)
- PID 2840 wrote to memory of 2780: xigoe.exe -> ofqoyq.exe (4 entries)
- PID 2780 wrote to memory of 1924: ofqoyq.exe -> lorua.exe (4 entries)
- PID 2780 wrote to memory of 1568: ofqoyq.exe -> cmd.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe (PID 2280)
  command line: "C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\xigoe.exe (PID 2840)
    command line: "C:\Users\Admin\AppData\Local\Temp\xigoe.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe (PID 2780)
      command line: "C:\Users\Admin\AppData\Local\Temp\ofqoyq.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\lorua.exe (PID 1924)
        command line: "C:\Users\Admin\AppData\Local\Temp\lorua.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe (PID 1568)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 3064)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads