Analysis
max time kernel: 119s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-10-2024 04:34
Static task: static1
Behavioral task: behavioral1
Sample: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Resource: win7-20240903-en
General
Target: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Size: 333KB
MD5: e672c23daa4d422f768e309c193e0770
SHA1: e1b7ee3969e6c438e9d6480740f0c0375219c105
SHA256: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeeba
SHA512: bb7bd98a81cc6624471afedc578e3e4690c03e01376a9eadb4fad86a9e3a494cd35b686a5750db96e876956fb84a35be33e6334d89f565e9505227c851af689c
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYr:vHW138/iXWlK885rKlGSekcj66ciK
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe, xavyp.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | xavyp.exe
Executes dropped EXE (2 IoCs)
Processes: xavyp.exe, mupyj.exe
pid | process
3052 | xavyp.exe
5008 | mupyj.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe, xavyp.exe, cmd.exe, mupyj.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xavyp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mupyj.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: mupyj.exe
pid | process
5008 | mupyj.exe (the same entry is recorded 48 times)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe, xavyp.exe
description | pid | process | target process
PID 1284 wrote to memory of 3052 | 1284 | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | xavyp.exe
PID 1284 wrote to memory of 3052 | 1284 | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | xavyp.exe
PID 1284 wrote to memory of 3052 | 1284 | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | xavyp.exe
PID 1284 wrote to memory of 2568 | 1284 | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | cmd.exe
PID 1284 wrote to memory of 2568 | 1284 | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | cmd.exe
PID 1284 wrote to memory of 2568 | 1284 | d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe | cmd.exe
PID 3052 wrote to memory of 5008 | 3052 | xavyp.exe | mupyj.exe
PID 3052 wrote to memory of 5008 | 3052 | xavyp.exe | mupyj.exe
PID 3052 wrote to memory of 5008 | 3052 | xavyp.exe | mupyj.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d8015c6f33043e92624c227350a35518ea208267dcfc50935f46974d70efeebaN.exe"
   PID: 1284
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\xavyp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xavyp.exe"
      PID: 3052
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\mupyj.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\mupyj.exe"
         PID: 5008
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 2568
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: da67e38d5dde136007137b726aea20fb
SHA1: d4df79c1e92552e1fb2244efd1acba9731b402eb
SHA256: 5ce46a0acdf39622c6c874b2580ccdf85aed56aa5498ec2dba7238f015be6a17
SHA512: 618703f129df422bdce0a30089884973ffbff5d192dca50e476629b4749feb50e8e843b9a4a3b2219a6c53d8d29fcfa2ff78be8ede1194544a9fe1b690d7c036

Filesize: 512B
MD5: c72d799b536feb60481c828c776285e8
SHA1: e22ab4ef3a83548d7fca6231a0eb1c35276afb15
SHA256: 09216808139e926a13ca7736fcf38660be341b874e7813983c8e6ef4065e6d49
SHA512: 8ca393ae45eb4775bc7c09ebe53f2f1b174e3ed36b29893693e9e2b1267c8cfd9bb7d2f6ee419f7cfafb319f44599384d2d7da711dd45455c51983157b0786c5

Filesize: 172KB
MD5: bb294fb1dc008f41c789e020928efcfc
SHA1: b940bdb6a9fff67f1ac31ad712a53378e3bf79dc
SHA256: bcc60988b1533a885dcf9c54d14bc39b5b9ec1edc0b721149fd30ad733ec9498
SHA512: 41ef6586f3c5cf535cb1ed00546138b3c4d8892313ef4a7f6ef11855c5590df66a1c3957f1c8dc65d101cbb499ae8d8f3e35a2a35f6d0ee7b1b948423b4c36a6

Filesize: 333KB
MD5: 9f570a371a01cf5ade01a5318db2f11c
SHA1: 1aa15d4809fa44fb80f3fb6d3a1d770cc1759b48
SHA256: c43a06ab673be40b5825733ffc3528566a29dee4cc0ba4015fced2720e72d269
SHA512: 00737eb0eafe66ca355cb27df6a16fc82a023e9d1c75a70d22b18a448e38d21139deceaece3dab2c4af48e21aa1055d3b40c34bddf6fabeb420a0bd56cc3ec46