Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-10-2024 15:52
Behavioral task: behavioral1
- Sample: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
- Resource: win7-20241010-en
General
- Target: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
- Size: 507KB
- MD5: 536324c02bf4d7cdde41fb4340308a00
- SHA1: 2dfc4ed8b2e164716c7e10e91f49ac93b3787f50
- SHA256: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633f
- SHA512: 88fc0cef9ecd31d544df5d8ed11ce20001659edba3c8232600a5d6dbfda0c198e8d0ffcd6efcd8267ed67646cc0a4b719c7005c3ce6fa49faec41cd9f9205e47
- SSDEEP: 12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo9:3MUv2LAv9AQ1p4dK0
Malware Config
Extracted: urelas
- 218.54.31.226
- 218.54.31.165
- 218.54.31.166
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe, ipjov.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | ipjov.exe
- Executes dropped EXE (2 IoCs)
  Processes: ipjov.exe, ziuwh.exe
  pid | process
  2012 | ipjov.exe
  2092 | ziuwh.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe, ipjov.exe, cmd.exe, ziuwh.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipjov.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziuwh.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: ziuwh.exe
  pid | process
  2092 | ziuwh.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe, ipjov.exe
  description | pid | process | target process
  PID 2412 wrote to memory of 2012 | 2412 | 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | ipjov.exe (3 entries)
  PID 2412 wrote to memory of 1900 | 2412 | 890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe | cmd.exe (3 entries)
  PID 2012 wrote to memory of 2092 | 2012 | ipjov.exe | ziuwh.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\890a13c401b03bf011a263efe01994ea75864e01128f87fe0073d1e024f7633fN.exe"
   PID: 2412
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ipjov.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ipjov.exe"
      PID: 2012
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ziuwh.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ziuwh.exe"
         PID: 2092
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 1900
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads