Analysis
Max time kernel: 119s
Max time network: 77s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 15-10-2024 04:34
Static task: static1
Behavioral task: behavioral1
Sample: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Resource: win7-20240903-en
General
Target: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Size: 333KB
MD5: e672c23daa4d422f768e309c193e0770
SHA1: e1b7ee3969e6c438e9d6480740f0c0375219c105
SHA256: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba
SHA512: bb7bd98a81cc6624471afedc578e3e4690c03e01376a9eadb4fad86a9e3a494cd35b686a5750db96e876956fb84a35be33e6334d89f565e9505227c851af689c
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr:vHW138/iXWlK885rKlGSekcj66ciK
Malware Config
Extracted family: urelas
Extracted addresses:
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Deletes itself (1 IoC)
Processes (pid, process):
2712 cmd.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
2736 zuwon.exe
2708 zygaz.exe
Loads dropped DLL (2 IoCs)
Processes (pid, process):
1964 d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
2736 zuwon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by zuwon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by zygaz.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes (pid, process):
2708 zygaz.exe (24 identical entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
PID 1964 wrote to memory of 2736: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe -> zuwon.exe (4 entries)
PID 1964 wrote to memory of 2712: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe -> cmd.exe (4 entries)
PID 2736 wrote to memory of 2708: zuwon.exe -> zygaz.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"
  PID: 1964
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\zuwon.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zuwon.exe"
      PID: 2736
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\zygaz.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\zygaz.exe"
          PID: 2708
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2712
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 342B
  MD5: da67e38d5dde136007137b726aea20fb
  SHA1: d4df79c1e92552e1fb2244efd1acba9731b402eb
  SHA256: 5ce46a0acdf39622c6c874b2580ccdf85aed56aa5498ec2dba7238f015be6a17
  SHA512: 618703f129df422bdce0a30089884973ffbff5d192dca50e476629b4749feb50e8e843b9a4a3b2219a6c53d8d29fcfa2ff78be8ede1194544a9fe1b690d7c036
File 2
  Filesize: 512B
  MD5: 81a181f86df76b2707c359ff0dc28df4
  SHA1: 3385c0dd7b8d429a8b5530c354c91fcb01a290a1
  SHA256: 4bab111ecac852b15f7ffc0349b158347265a47b611ffad464c30d43e965b8b4
  SHA512: b17c43170f12f9437dbf5a43d5cabb3ef6e141a3b141c3930b5390e984e00ecdab43b530cd705ab306ddc2bca84b7393874ab72bd6241f9197ed5f9801f58b89
File 3
  Filesize: 333KB
  MD5: 10b434fb7baa1cf69519cec71c26e910
  SHA1: 00ffd9a8554d227e1d4fab7901b59f8a1171faaa
  SHA256: c03c6446e65436ff1f9e51defd35ebbbf9374016a1366b0c85b63e00c8a73ffb
  SHA512: e95b8d9fd93151afcba927e227a0e41186f70c6be0acdbd2f97ec8fea95f08df5927a9426affbc25e0db15a9c221d1a6e9fc36ce8b41046853385d9a6b57b0c6
File 4
  Filesize: 172KB
  MD5: 5c77cb8b05a5444b2757c5a190a9fb4a
  SHA1: 3b3ad302a55aa74c69b08846a367aa51f63c5ccc
  SHA256: 962e90cb9fa730bd4d9d615ef4cd8e6e91b85bd89e5fe348c333183b2aeeccb4
  SHA512: d2acc2a958661c70695919fb9e7ce230a0e82c8fe12d16e98ca4161cc13dedf92ad880af1360d2b356b8a1822aca50a75395a518e4a29f4fca0f062daa44153f