Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2024 21:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
  - Resource: win7-20240903-en
General
- Target: 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
- Size: 332KB
- MD5: 7c8e99d94bffc734270dd6f1e0dc81b3
- SHA1: 9df80907ffbb9c337b2730ba5c4cd403e71becd2
- SHA256: 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e
- SHA512: 64b04f18aa9839e512f6db38d31ebcf5ca99303fd0d292bc65932f653236d4318708d7b3b4ae0cfa8b587e3e044055885024125327a3d5fc0db69f8137dad9ec
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66ciX
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid   process
    2840  cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2688  ojsiy.exe
    1444  sulog.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2692  447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
    2688  ojsiy.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                          process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ojsiy.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sulog.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes:
    pid   process
    1444  sulog.exe   (54 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 2692 wrote to memory of 2688   2692  447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe   ojsiy.exe   (4 entries)
    PID 2692 wrote to memory of 2840   2692  447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe   cmd.exe     (4 entries)
    PID 2688 wrote to memory of 1444   2688  ojsiy.exe                                                               sulog.exe   (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2692
   2. C:\Users\Admin\AppData\Local\Temp\ojsiy.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ojsiy.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2688
      3. C:\Users\Admin\AppData\Local\Temp\sulog.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\sulog.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         PID: 1444
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: e65a9376fe333282727b25a76cd66ec5
  SHA1: fe21dae1507df833f84a43b79cf569db749e12cd
  SHA256: 199654939974e220efd54a0df3211958e37625122ac8d38e855d1f0d7fef5fe6
  SHA512: 1ce057075d2ebd36010d9586ac857790c86a62e683b1cda193a8f6f1c670c71c0ff25388b923c472343a0cd1e80bf248227c36e5d9f12acb332e462734cedf6d
- Filesize: 512B
  MD5: 4b84b6dce856dfa0adf08a7030bce0cc
  SHA1: 5502a31c3099bc9f44c410e286bcf1456741ebc2
  SHA256: 2ad33d5bafdc4b01d194cdceb98284674187e2ef15d1c40aef1142f6d541ffa0
  SHA512: 1a6fb17326d3c025251236009451e0dd9c9e1ed92722456657f11399678e0dcea01cf82cf1eca3a0b98a4fb6063f7a15230b0e0cc4b3e35d9d42b8e420888876
- Filesize: 332KB
  MD5: fa4ebc7e5ea689b017c954e4cab9d273
  SHA1: a0cf2b51561841e20ceb7dfefc4cc3c7daa8cdb7
  SHA256: e0db9edc799cbd2bd97557cbe97bacb9507eba25b47198d147596d0722fb6fa4
  SHA512: 0423e75ee3fc8c082b2a168ab7afee993fcbd807ef16ebb534df8464cafc1d25db12fc0ecf08f09f31fe434d68829973d9dbc0ae2b28efbaeb2ae0577ec83544
- Filesize: 172KB
  MD5: b10e880bd302375a24ca9f70ef11ade8
  SHA1: e392241246f1c8550879b943c9a176503398be0c
  SHA256: cab6ebb84fc1074c3749ad3bb8feaf648677d2dce37dda8c90005541ad32f1d6
  SHA512: 1d1d8aeffae2b1848e530a918e39f7cb0581b9c44cb089c10bd1bfd30456fd441b7f2f9adf744274168544a05f226c8586a147500122ca12148196f20ce3c18a