Analysis

max time kernel: 149s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 18:58
Behavioral task: behavioral1
Sample: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
Resource: win7-20240903-en
General

Target: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
Size: 343KB
MD5: 5cf93f15082a5e5b4ac032d42179d36a
SHA1: ff796054fc055bad3f24e65cdf41a637691110ff
SHA256: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1
SHA512: 8a26411a95ce1a17119ea3d99132e6017f95798eb8f82982366021ae9cadcfef8f2f938b11e73e4529c38872d9bc300b20f03c5b8c145b6c910547403ddd38c3
SSDEEP: 6144:Nd7rpL43btmQ58Z27zw39gY2FeZhrL8Awb:X7dL4AZ0U9gY2FhAy
Malware Config

Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures

- Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\qohuy.exe
  yara_rule: aspack_v212_v242
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe, bowuw.exe, veovce.exe
  description / ioc / process:
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (bowuw.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (veovce.exe)
- Executes dropped EXE (3 IoCs)
  Processes: bowuw.exe, veovce.exe, qohuy.exe
  pid / process:
  4572 bowuw.exe
  2872 veovce.exe
  2524 qohuy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: veovce.exe, qohuy.exe, cmd.exe, 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe, bowuw.exe, cmd.exe
  description / ioc / process:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (veovce.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qohuy.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bowuw.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: qohuy.exe
  pid / process:
  2524 qohuy.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe, bowuw.exe, veovce.exe
  pid wrote to memory of target pid (process -> target process), 3 entries each:
  2792 wrote to memory of 4572 (12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe -> bowuw.exe)
  2792 wrote to memory of 1848 (12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe -> cmd.exe)
  4572 wrote to memory of 2872 (bowuw.exe -> veovce.exe)
  2872 wrote to memory of 2524 (veovce.exe -> qohuy.exe)
  2872 wrote to memory of 616 (veovce.exe -> cmd.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12095b78a06513f0949ac4942682d3c1a0c04abedf68b19c03985f042da609b1.exe"
  PID: 2792
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bowuw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bowuw.exe"
    PID: 4572
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\veovce.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\veovce.exe" OK
      PID: 2872
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\qohuy.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qohuy.exe"
        PID: 2524
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 616
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 1848
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads