Analysis
-
max time kernel
119s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2024 15:47
Behavioral task
behavioral1
Sample
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
Resource
win7-20240903-en
General
-
Target
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
-
Size
507KB
-
MD5
536324c02bf4d7cdde41fb4340308a00
-
SHA1
2dfc4ed8b2e164716c7e10e91f49ac93b3787f50
-
SHA256
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633f
-
SHA512
88fc0cef9ecd31d544df5d8ed11ce20001659edba3c8232600a5d6dbfda0c198e8d0ffcd6efcd8267ed67646cc0a4b719c7005c3ce6fa49faec41cd9f9205e47
-
SSDEEP
12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo9:3MUv2LAv9AQ1p4dK0
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exekonoc.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation konoc.exe -
Executes dropped EXE 2 IoCs
Processes:
konoc.exeyzvog.exepid process 4408 konoc.exe 2248 yzvog.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exekonoc.execmd.exeyzvog.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language konoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yzvog.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
yzvog.exepid process 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe 2248 yzvog.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exekonoc.exedescription pid process target process PID 4164 wrote to memory of 4408 4164 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe konoc.exe PID 4164 wrote to memory of 4408 4164 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe konoc.exe PID 4164 wrote to memory of 4408 4164 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe konoc.exe PID 4164 wrote to memory of 1684 4164 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe cmd.exe PID 4164 wrote to memory of 1684 4164 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe cmd.exe PID 4164 wrote to memory of 1684 4164 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe cmd.exe PID 4408 wrote to memory of 2248 4408 konoc.exe yzvog.exe PID 4408 wrote to memory of 2248 4408 konoc.exe yzvog.exe PID 4408 wrote to memory of 2248 4408 konoc.exe yzvog.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\konoc.exe"C:\Users\Admin\AppData\Local\Temp\konoc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\yzvog.exe"C:\Users\Admin\AppData\Local\Temp\yzvog.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵
- System Location Discovery: System Language Discovery
PID:1684
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5d940b8bc54d0ba3abac442d2f7d1fcdb
SHA147e0d5e4566da280d4b36363b8a4b51c0a8a83e4
SHA256df9f78b31a8c9eef7ce3d9c65855649386885b783073431425b13b39f6f84555
SHA5124bc26b9765e24a16ae61d0cdfd4231c156202d40f8b774ab8d6aefd8e01136655e1c8547c3de082ec3f1457f0596ecca2aef9ef79fb097ad5c4b50cf1f946335
-
Filesize
512B
MD5731f9ac9560aa1c8a847ac43ff9bb2b8
SHA16acc745e22a1573668a18f5d580624a394c987af
SHA2566760a141febb47fa49d216effff8f549c26334d126cda500200b4beec2bd695e
SHA51295af312f698e0462a975f32d05c458644a9b7ab49ab79832fda36774815fcf5da41897ac5ee41c92e0baa534905132c098aee1cc0ce5b69821d42a38d96ed1c2
-
Filesize
507KB
MD537c44701517a3b6d26b1ed1ead8b5b00
SHA1ced7449308cffd2140676ccf80ea82dd772bb843
SHA256b0752f6eb53164325a85d32374acaf4e946a83c6cd96ae5f90956e2fb9602ac7
SHA51235231c881f49fabc5d8f8470c0e01df71c56cc179c362c07c519b1e67347d746fa3672849a457441e0e0a3fa7d5159bb0bc47650ee85295f6afeacc4e632b0fe
-
Filesize
172KB
MD5c6cbe1c597da1c5def2e6738f8da608d
SHA1ad5198d65022ab08f0260c107c0696d8187c16a3
SHA256b8b87c9e2d9321a98f830abf52a479528b8cd07c3139be7495b8f6ad3f399694
SHA51264e0e2fb1b26932bcd373f9e94b35f87a425b40f15541dab51e69bb04d19d391a4c239a4855b69ca73bb46bd82a402baeb4ba8f6daac72ea2d8b2941bfce85a2