Analysis
- max time kernel: 119s
- max time network: 77s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-10-2024 16:19
Static task: static1
Behavioral task: behavioral1
- Sample: 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
- Resource: win7-20240903-en
General
- Target: 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
- Size: 334KB
- MD5: bb5fc5011c9188671ce2e87259ed4060
- SHA1: 5cab1ee050c2ae18e1a0202652ae221a5c0a7865
- SHA256: 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06
- SHA512: f77c4f71916b43a5b6fb38e129cfd8d7873a9dea0bd602dd3e5a3326deb0d0f2910529dca42fbfcee4ed802d738e650ba6eb50b46aba60251bb3428e06de67b1
- SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY4:vHW138/iXWlK885rKlGSekcj66cip
Malware Config
- Extracted: urelas
  - 218.54.31.226
  - 218.54.31.165
  - 218.54.31.166
Signatures
- Deletes itself (1 IoC)
  Processes: PID 1376 cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes: PID 2204 xevyq.exe; PID 1220 sogeo.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 2696 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe; PID 2204 xevyq.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - cmd.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - sogeo.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - xevyq.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: PID 1220 sogeo.exe (24 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pairing recorded 4 times):
  - PID 2696 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe wrote to memory of PID 2204 xevyq.exe
  - PID 2696 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe wrote to memory of PID 1376 cmd.exe
  - PID 2204 xevyq.exe wrote to memory of PID 1220 sogeo.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe (PID 2696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xevyq.exe (PID 2204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xevyq.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\sogeo.exe (PID 1220)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sogeo.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 1376)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: 430e98dab996ed2cb464865e806b08a3
  SHA1: e00ca96407b820ffd7c622ecd23ee9da27c20a4a
  SHA256: 2fe43b6833cdbee5978204411cb477658513bb1a7db9f043bb19d1e2036ebc40
  SHA512: 537057245f4f43db2089a90bf63f4fd2e4ddf759c8efc6b6c942e55892dcde284904a39abfef55b2353cc22079f1d8791f305cf55a445d55f28e442b20fac5f3
- Filesize: 512B
  MD5: a32060dcb043346efad76720f5b4ea96
  SHA1: e9eb83e4721b264800b0e3c63c3f56f9714a8dd4
  SHA256: d3e9df22b8a23743c302c0f567a429286ae49a910c36dcdcc9ed079f68ec0e8d
  SHA512: 31bf44dc1dd0c460d1afa05a939335bd0b693bcc74e188690c1936cc2ee071153874e15545137f3266c31997e2b9f63de695bdf57e44700b4e6f48673a334b04
- Filesize: 172KB
  MD5: dc83d80eb20d4f869d44a1c255b391be
  SHA1: f7655aa69b389e4020be71fc1dc8a0fa39f02686
  SHA256: 2eb3d753eed71aada3dd412946e41f865b2097c51f80c00f27fb564bcdea561e
  SHA512: f305258e1ea2ae9a36de7f387a6e13fa9c5f6d5245e07b1da4aa4e76171a290f6450146c4a0a234d9da3b98935963370eb0cca617726d2113442f5eecaf158ef
- Filesize: 334KB
  MD5: e761b50497ccd57444cc309efd34050b
  SHA1: 7e95f0cd9f4b8f6e143b967eda84b14a300ec8f0
  SHA256: 842b7961eaa158a83c10f9d905d7aa56f76fa077cfd57a08f1dddfdaa00c7ef7
  SHA512: 9a0361574178a534c38833d7736d03b839d0e40c47fac06883b882a74e900a37f3a49d4fdea7058c4440764a657c3f81a660301e161f220af9c485bb283d5473