Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 21:21

Static task: static1
Behavioral task: behavioral1
Sample: 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
Resource: win7-20240903-en
General

Target: 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
Size: 332KB
MD5: 7c8e99d94bffc734270dd6f1e0dc81b3
SHA1: 9df80907ffbb9c337b2730ba5c4cd403e71becd2
SHA256: 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e
SHA512: 64b04f18aa9839e512f6db38d31ebcf5ca99303fd0d292bc65932f653236d4318708d7b3b4ae0cfa8b587e3e044055885024125327a3d5fc0db69f8137dad9ec
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYC:vHW138/iXWlK885rKlGSekcj66ciX
Malware Config

Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | towub.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
3108 | towub.exe
2744 | ziozc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziozc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | towub.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
2744 | ziozc.exe (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4416 wrote to memory of 3108 | 4416 | 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe | towub.exe (3 identical entries)
PID 4416 wrote to memory of 1096 | 4416 | 447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe | cmd.exe (3 identical entries)
PID 3108 wrote to memory of 2744 | 3108 | towub.exe | ziozc.exe (3 identical entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\447f155e5f7b53c5caf0a9f85cc8183fe0bf53ae1f31ae820d55dd54b841085e.exe"
    PID: 4416
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\towub.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\towub.exe"
        PID: 3108
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\ziozc.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ziozc.exe"
            PID: 2744
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 1096
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: e65a9376fe333282727b25a76cd66ec5
SHA1: fe21dae1507df833f84a43b79cf569db749e12cd
SHA256: 199654939974e220efd54a0df3211958e37625122ac8d38e855d1f0d7fef5fe6
SHA512: 1ce057075d2ebd36010d9586ac857790c86a62e683b1cda193a8f6f1c670c71c0ff25388b923c472343a0cd1e80bf248227c36e5d9f12acb332e462734cedf6d

Filesize: 512B
MD5: 69e4ab713c4ae2a8b629b7903f4d980a
SHA1: 33aa22878130f63919b840ed0aceec22f2e31036
SHA256: d97e336d64f2f6218712691baec8138eae7cfee199278fe55d9fe20fd825213a
SHA512: ef6dd537a67bbfbb9d5b8e410c8693258c95a76513048d64260893944678c63557bfe5a92bb988ad7a27b44bd9a73d111fcfb683a1f0aa21c788c65913baaa0c

Filesize: 332KB
MD5: d76193a4dc820c925355a04069e71e54
SHA1: 4343a43b4d19b134b41c6d0c341c6e556fe0f505
SHA256: 5606d20d2c8ab4611f5b27593dddc9311ad37d3aae63afa9a45b9b0884ebd135
SHA512: 5fea2111af98fa4fd1c266535e3743739b46f9901d0a447b54671fd19d07f2364d6a05b02830c5f5b5392e81d0f2a3e5243e6ba4e7f7d0d536f28fdc85352b8d

Filesize: 172KB
MD5: 317ca313cb353a11fe97987e2869cfe2
SHA1: deefce944bf3cc4c169d9a46cff3e2191693204b
SHA256: d76e4b5a22b7260af2e09321b20c9f02e4744e5eb75c52079e247a99edeabf10
SHA512: adc64b330082c3abf76386473a89e2643fe7361ddc0c297b881421b23de4e451946836665597949c94fae4e757dbb1938f4c8733381ac60759dfed5a5e13d610