Analysis
max time kernel: 119s
max time network: 77s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2024 13:45
Static task: static1
Behavioral task: behavioral1
Sample: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
Resource: win7-20240729-en
General
Target: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
Size: 324KB
MD5: d7351b94fe1f60fb97cc795b8c57a880
SHA1: b7642e1a18fb0f3c269572b41ad88d1941a5e8c9
SHA256: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1cc
SHA512: e149afdf073f4ed54c3aaa731323955c0d44a3c06d240e3a3975b2e6841ae7a133ad6aa441cd7108d32dd35627e3c7a97930a3517423b81a70c4d0a3413a990a
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ci8
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  2716  cmd.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2944  dowaj.exe
  2876  buavn.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2532  fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
  2944  dowaj.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dowaj.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  buavn.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
  pid   process
  2876  buavn.exe (24 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                                                                  target process
  PID 2532 wrote to memory of 2944  2532  fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe  dowaj.exe  (4 occurrences)
  PID 2532 wrote to memory of 2716  2532  fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe  cmd.exe    (4 occurrences)
  PID 2944 wrote to memory of 2876  2944  dowaj.exe                                                                buavn.exe  (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2532

    C:\Users\Admin\AppData\Local\Temp\dowaj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dowaj.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2944

        C:\Users\Admin\AppData\Local\Temp\buavn.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\buavn.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 2876

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: 46f754e37aed4155b704844ac14dde1b
SHA1: 39ba3199c5734d7d2c9d9b7475526e8c06146ffe
SHA256: e137a91ddc3844d3f273edf27fa13093274d6ea601263be48f42585844712a4c
SHA512: bd5bbfacd8e5d254deff9f1735e652946ed1aba345ff4ec83ca0e1d5f25bafcf34a24d8eaf90b673ea43b4aa3872696afa93992517ea727d9652e716eb9d4e20

Filesize: 512B
MD5: 16ab143ed7dd398a20dc775e3091f8e9
SHA1: 8ad1becf8c6221d2ca7ee7746afecc5f881ed852
SHA256: 6e0d46da33c958c91d4d381a04b29e89ec5b2a4353e774c3fbe5e03632b3e046
SHA512: affcaa5d3c4070ec9bce17daba3060ae8ab6d1da595cf9c650681274530d0135e8ff66283031f4b00d9e4e22b514b74dff1d180aa7aad11297aa23b8522169ee

Filesize: 172KB
MD5: 1203e18f7af9de1d2ebb7b09e32a36c5
SHA1: a7a94447bd0b9cc055b3406f94343ada2cd221da
SHA256: 9b77026b87f1a10132df14cd55547a3546447d7640fcf88b486c0d0ed5d5c04f
SHA512: 18c62a418a23641dc2db80dc5e848ce672a0de02202ede9799143ac3bf396064e79c5515b12097abdb37b220f13ef87e9be668052b811f1d22eda29b327d3034

Filesize: 324KB
MD5: 30bd55c13cb99c809549d8f348fcde10
SHA1: 8e6301976adc559c45b1a7d33b3dd794cfb8c120
SHA256: e5172814f8f5ee0477cf7637b929ba8285781c5cf0b7a7fb371ce8daa425c2f8
SHA512: f45ebd4b6f6dd94b1e39fd6aa3645617a60815dddee8c58e0f555a63afc6ab81c1a4e6a6bbb3fd82865cd2179f3b19119a4103ad121d7fdf28b9f7e6c30164aa