Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-10-2024 01:53

Static task: static1
Behavioral task: behavioral1
Sample: f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
Resource: win7-20240903-en

General

Target: f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
Size: 332KB
MD5: fdf640909e60daee1293b1321f8f3b80
SHA1: 4aaffdacf5e5e882abdc8f73e391696d2340369e
SHA256: f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7d
SHA512: 0818753d6a93131720f733917a24fc011b095c9d7f27b58f58a9aa3d2b6ace02c4f928952de04c4a153fc1873466179c30def021bcbb8c84f2f6396a7dbda464
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYk:vHW138/iXWlK885rKlGSekcj66ci1
Malware Config

Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Deletes itself (1 IoC)
  pid   process
  2400  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   process
  2340  guliz.exe
  1800  uzbar.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2528  f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
  2340  guliz.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  guliz.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uzbar.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   process
  1800  uzbar.exe (24 identical events)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   process                                                                   target process
  PID 2528 wrote to memory of 2340     2528  f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe  guliz.exe (4 events)
  PID 2528 wrote to memory of 2400     2528  f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe  cmd.exe (4 events)
  PID 2340 wrote to memory of 1800     2340  guliz.exe                                                                 uzbar.exe (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe (PID 2528)
  command line: "C:\Users\Admin\AppData\Local\Temp\f0fbabf8fe3b0b68fe47abf4aafc01b3f9b9a015e44a2c6c791bd2e29af16b7dN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\guliz.exe (PID 2340, child of 2528)
    command line: "C:\Users\Admin\AppData\Local\Temp\guliz.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\uzbar.exe (PID 1800, child of 2340)
      command line: "C:\Users\Admin\AppData\Local\Temp\uzbar.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (PID 2400, child of 2528)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery