Analysis
-
max time kernel
119s
max time network
77s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
14-10-2024 05:15
Behavioral task
behavioral1
Sample
42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
Resource
win7-20240903-en
General
-
Target
42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
-
Size
507KB
-
MD5
d7a09fa1022c2158e05302d1b8baae90
-
SHA1
21cf03e4a631efec5eb307b884d8de22858b0d22
-
SHA256
42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49
-
SHA512
617b478d5a63272d272754a78b85089339e47603813299875e8872558232c0caf954347fc72564d9e27a95d333d7c1721d28ced1b8cdbef01b6366e51ebf1f5a
-
SSDEEP
12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo4:3MUv2LAv9AQ1p4dKx
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Deletes itself 1 IoCs
Processes:
PID   Process
2928  cmd.exe
-
Executes dropped EXE 2 IoCs
Processes:
PID   Process
2704  toecc.exe
764   poajt.exe
-
Loads dropped DLL 2 IoCs
Processes:
PID   Process
1204  42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
2704  toecc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Description   IoC                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  toecc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poajt.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
PID   Process
764   poajt.exe (24 occurrences)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Description                       PID   Process                                                                  Target process
PID 1204 wrote to memory of 2704  1204  42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe  toecc.exe (4 occurrences)
PID 1204 wrote to memory of 2928  1204  42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe  cmd.exe (4 occurrences)
PID 2704 wrote to memory of 764   2704  toecc.exe                                                                poajt.exe (4 occurrences)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"
   PID: 1204
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\toecc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\toecc.exe"
      PID: 2704
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\poajt.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\poajt.exe"
         PID: 764
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2928
      - Deletes itself
      - System Location Discovery: System Language Discovery
-
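The process tree above is what an analyst has to read by eye to see the dropper pattern: the sample in %TEMP% starts toecc.exe, which starts poajt.exe, while a cmd.exe child runs a %TEMP% batch file that accounts for the "Deletes itself" signature. As an added example (not part of this report and not the sandbox's own tooling), the script below rebuilds that tree from event records and flags the same three behaviors the signatures describe: dropped executables chained from %TEMP%, a %TEMP% executable spawning cmd /c on a %TEMP% .bat, and the NLS\Language key open behind "System Language Discovery". The event records are constructed to mirror this report; the field names (pid, ppid, image, cmdline) are assumptions, not any vendor's export format.

```python
"""Triage helpers for a sandbox process tree (added example, not the sandbox's code).

The event records are constructed to mirror the report above; the field names
pid/ppid/image/cmdline are assumptions, not any vendor's export format.
"""
import re
from collections import defaultdict

TEMP_DIR = r"c:\users\admin\appdata\local\temp"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"

# Constructed process-start events: pid, parent pid, image path, command line.
PROCESS_EVENTS = [
    {"pid": 1204, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2704, "ppid": 1204, "image": r"C:\Users\Admin\AppData\Local\Temp\toecc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\toecc.exe"'},
    {"pid": 764,  "ppid": 2704, "image": r"C:\Users\Admin\AppData\Local\Temp\poajt.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\poajt.exe"'},
    {"pid": 2928, "ppid": 1204, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
]

# Constructed registry-open events (pid, key): one per process, as in the report.
REGISTRY_EVENTS = [(pid, LANG_KEY) for pid in (2704, 2928, 764, 1204)]

# Pulls a drive-letter path ending in .bat out of a command line, quoted or not.
BAT_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.bat)', re.IGNORECASE)


def in_temp(path: str) -> bool:
    """True if the path lives under the sandbox user's %TEMP% directory."""
    return path.lower().startswith(TEMP_DIR + "\\")


def build_tree(events):
    """Return (pid -> event, ppid -> [child pids]) for lookups and rendering."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def dropped_exe_chains(events):
    """(parent pid, child pid) pairs where a %TEMP% executable starts another
    %TEMP% .exe: the 'Executes dropped EXE' pattern (sample -> toecc -> poajt)."""
    by_pid, _ = build_tree(events)
    chains = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (parent and in_temp(parent["image"]) and in_temp(e["image"])
                and e["image"].lower().endswith(".exe")):
            chains.append((parent["pid"], e["pid"]))
    return chains


def batch_self_delete(events):
    """cmd.exe spawned by a %TEMP% executable to run a %TEMP% batch file.
    Returns (cmd pid, parent pid, batch path); this is how a 'Deletes itself'
    signature usually shows up in the tree (_uinsey.bat above)."""
    by_pid, _ = build_tree(events)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        m = BAT_PATH.search(e["cmdline"])
        if parent and in_temp(parent["image"]) and m and in_temp(m.group(1)):
            hits.append((e["pid"], parent["pid"], m.group(1)))
    return hits


def language_discovery(registry_events):
    """Sorted pids that opened the NLS\\Language key (System Language Discovery)."""
    return sorted({pid for pid, key in registry_events if key.lower() == LANG_KEY.lower()})


def render_tree(events, root_ppid=0):
    """Indented process tree, one line per process, depth-first like the report."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(ppid, depth):
        for pid in children.get(ppid, []):
            name = by_pid[pid]["image"].rsplit("\\", 1)[-1]
            lines.append("  " * depth + f"{pid} {name}")
            walk(pid, depth + 1)

    walk(root_ppid, 0)
    return lines


def triage(process_events, registry_events):
    """Bundle the three checks into one findings dict."""
    return {
        "dropped_exe_chains": dropped_exe_chains(process_events),
        "batch_self_delete": batch_self_delete(process_events),
        "language_discovery": language_discovery(registry_events),
    }


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESS_EVENTS)))
    for name, hits in triage(PROCESS_EVENTS, REGISTRY_EVENTS).items():
        print(f"{name}: {hits}")
```

The %TEMP% checks are deliberately path-based rather than name-based: the dropped file names (toecc.exe, poajt.exe, _uinsey.bat) are specific to this run, while "executable in the user's Temp directory starts another executable in Temp, then cmd /c runs a Temp batch file" is the stable shape of the behavior and is what a detection should key on.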
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
342B
MD5
130d92eaa9d32bcef99a054df40b4433
SHA1
4dafd76248f909e1529854f17d8949454502f2a7
SHA256
37d3dd052dc0165b2bbf944179407d4288d6116990ed20201816ddabb7daa579
SHA512
15fbf2cface17eaf09d2b7b35d9308bf974296bd761aa1008623174222e5caf2c86bae3495a9b968d26c6c9a364acb60b3df5153a46fd4ba648d3d7c4f06b9fa
-
Filesize
512B
MD5
635e7fbeffbda923036f5e3117f42dde
SHA1
82949ddad4a3e19141d6689c11307f3f9fca2c4e
SHA256
b284e1c4a708d3fa26a2539fd9bdf407ef868d7dbc3391018b7d8fa75a25e3b7
SHA512
4c33d21543ba792ec56b3010f4e492d53501df094e0987934f24b191ba6c00b620e42a2a633dfdc12c5fea6dfcdb3f3191354d1f3a095ad0b40f3c9d4bc54e60
-
Filesize
172KB
MD5
ce078a712d38c78b54e349c3261ced4b
SHA1
4d615a6dcc7025535d0e9f0720de9f993b644f39
SHA256
0112d97a93db770f735e459e60e2d1f0a091a81adaec8c2d00098e1d72ee4b3f
SHA512
8ba8c01f4a4ba2af336f6c5b25619ca62b368d0d8421f49b08f908fb69f6fba3c0f4e6fbb32b58d93c0bd39f832c0428daa2e66ea3ad6399bfe7ad60bb49b8ed
-
Filesize
507KB
MD5
0ea1b6d3c820a18e714c1e04ff5e3665
SHA1
2a1a81a7f5f2c4565a401b1b7a7a19fc30f8176b
SHA256
21946eb3050e7557b6eff371759d1c8027e339ca1364a2b72d95f3945d03d1bb
SHA512
88f302348fa618ad49b33ea1922ec7fc9130957daf5de4853d47fd00b5d1f3e15f5d8e04f3224f68a062a9ef8904316d27f0be8ce0a0b5be7e028bde40106d9f