Analysis
- max time kernel: 119s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-10-2024 13:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
- Resource: win7-20240729-en
General
- Target: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
- Size: 324KB
- MD5: d7351b94fe1f60fb97cc795b8c57a880
- SHA1: b7642e1a18fb0f3c269572b41ad88d1941a5e8c9
- SHA256: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1cc
- SHA512: e149afdf073f4ed54c3aaa731323955c0d44a3c06d240e3a3975b2e6841ae7a133ad6aa441cd7108d32dd35627e3c7a97930a3517423b81a70c4d0a3413a990a
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66ci8
Malware Config
Extracted
- urelas
  - 218.54.31.226
  - 218.54.31.165
  - 218.54.31.166
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe, gohuc.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (gohuc.exe)
- Executes dropped EXE (2 IoCs)
  Processes: gohuc.exe, sopok.exe
  - PID 1832 gohuc.exe
  - PID 2136 sopok.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: gohuc.exe, cmd.exe, sopok.exe, fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (gohuc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (sopok.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe)
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes: sopok.exe
  - PID 2136 sopok.exe (48 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe, gohuc.exe
  - PID 4244 wrote to memory of 1832: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe -> gohuc.exe (3 identical entries)
  - PID 4244 wrote to memory of 2388: fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe -> cmd.exe (3 identical entries)
  - PID 1832 wrote to memory of 2136: gohuc.exe -> sopok.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe (PID 4244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa2d4c529d555b45b31a1ec0b65d60875aa506bd4c98b3001513069493b4e1ccN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gohuc.exe (PID 1832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gohuc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\sopok.exe (PID 2136)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sopok.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2388)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: 46f754e37aed4155b704844ac14dde1b
  SHA1: 39ba3199c5734d7d2c9d9b7475526e8c06146ffe
  SHA256: e137a91ddc3844d3f273edf27fa13093274d6ea601263be48f42585844712a4c
  SHA512: bd5bbfacd8e5d254deff9f1735e652946ed1aba345ff4ec83ca0e1d5f25bafcf34a24d8eaf90b673ea43b4aa3872696afa93992517ea727d9652e716eb9d4e20
- Filesize: 324KB
  MD5: b3fe83129e5e09a5f64fa12afdaf8a41
  SHA1: 35fb58cbc11838e1740e0ea0516c9d46cb0298e7
  SHA256: 43d5750fe26407e0b622f5068f5caa4951dc96f2c4b116512247c296470be9e3
  SHA512: cd1693d992c0401bdc76b04b319d1901da162884c2cfdfadd80861fb1094905d9d60c24ea13ab9f936c41a3a13c6ec062699e22f0f01e8f1b71a71e3943e7b05
- Filesize: 512B
  MD5: 47269b675bccf3b135256f651d8841d9
  SHA1: 99e6619106a13a811151c58ca69da78437cb9ffc
  SHA256: d5d47d78a44814bba4c9e8f34a5d001929c44bff2f6c0db60ffb9eccf0923e35
  SHA512: 288b2743a02898fbfec1cfd6dd3c14b5b497681d5370f193f956a43a346643be37cf811fe67e670cc0fcaaf2271f6be3207c29ba6d7a3f584a53513f003b4ceb
- Filesize: 172KB
  MD5: 0b908004debbda24e0a6707b2f27844b
  SHA1: 8dd70fd7e665b75eeb223658cbfa16749037b370
  SHA256: 84cdf43d3be720a60b1af2d52d4db76e36625cd661b98907f8fab3c979eb2e19
  SHA512: 6594d49cb0b3dee7d4cb5c251651e1b9493fa70e2810ba5c3dfec4cbb2a5ab4416d933ef63b785e36605bb9d2612d42413ed398b8c5b12856f8f3ddb2d524c67