Analysis
max time kernel: 119s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2024 05:15
Behavioral task: behavioral1
Sample: 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
Resource: win7-20240903-en
General
Target: 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
Size: 507KB
MD5: d7a09fa1022c2158e05302d1b8baae90
SHA1: 21cf03e4a631efec5eb307b884d8de22858b0d22
SHA256: 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49
SHA512: 617b478d5a63272d272754a78b85089339e47603813299875e8872558232c0caf954347fc72564d9e27a95d333d7c1721d28ced1b8cdbef01b6366e51ebf1f5a
SSDEEP: 12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo4:3MUv2LAv9AQ1p4dKx
Malware Config
Extracted: urelas
  218.54.31.226
  218.54.31.165
  218.54.31.166
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe, sacya.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | sacya.exe
- Executes dropped EXE (2 IoCs)
  Processes: sacya.exe, tokur.exe
  pid | process
  4008 | sacya.exe
  1040 | tokur.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe, sacya.exe, cmd.exe, tokur.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sacya.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tokur.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes: tokur.exe
  pid | process
  1040 | tokur.exe (48 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe, sacya.exe
  description | pid | process | target process
  PID 2800 wrote to memory of 4008 | 2800 | 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | sacya.exe (3 identical entries)
  PID 2800 wrote to memory of 1684 | 2800 | 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | cmd.exe (3 identical entries)
  PID 4008 wrote to memory of 1040 | 4008 | sacya.exe | tokur.exe (3 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"
  PID: 2800
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\sacya.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sacya.exe"
    PID: 4008
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tokur.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tokur.exe"
      PID: 1040
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 1684
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads