Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-10-2024 05:35
Behavioral task: behavioral1
- Sample: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
- Resource: win7-20240903-en
General
- Target: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
- Size: 787KB
- MD5: 18a6984e652c1d34b1dd7b55311c3170
- SHA1: c4b9936a677b053c8fc0002d6940550be73c4429
- SHA256: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fb
- SHA512: 5064e0346f986c7409caa03c40c8665ffd6428a9342d2d29b5d0f8f47d7e5e293aabb83bc5226599356b33449ddd566b456ef44280d610db761b0ddcde02f32a
- SSDEEP: 12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgM:d7dLBftJLW5YUWLrkJB0PJgM
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
- Deletes itself (1 IoC)
  Processes (pid, process):
    2796 cmd.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2704 ulivd.exe
    2588 ejybsy.exe
    2868 xibyn.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
    2424 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe (2 entries)
    2704 ulivd.exe (2 entries)
    2588 ejybsy.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ulivd.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ejybsy.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xibyn.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
    2868 xibyn.exe (7 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target pid, target process):
    PID 2424 wrote to memory of 2704: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe -> ulivd.exe (4 entries)
    PID 2424 wrote to memory of 2796: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe -> cmd.exe (4 entries)
    PID 2704 wrote to memory of 2588: ulivd.exe -> ejybsy.exe (4 entries)
    PID 2588 wrote to memory of 2868: ejybsy.exe -> xibyn.exe (4 entries)
    PID 2588 wrote to memory of 1484: ejybsy.exe -> cmd.exe (4 entries)
Processes (tree; indentation follows the depth markers 1 to 4 in the report)
- C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2424
  - C:\Users\Admin\AppData\Local\Temp\ulivd.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ulivd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2704
    - C:\Users\Admin\AppData\Local\Temp\ejybsy.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ejybsy.exe" OK
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2588
      - C:\Users\Admin\AppData\Local\Temp\xibyn.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\xibyn.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 2868
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
        PID: 1484
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2796
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 342B
  MD5: ddb2edd44c8d44abfb991002fe5ac5fe
  SHA1: fbc860bbc9bdddbef3f61a01640fbaa092cf270d
  SHA256: 25c5bc5b3294ba67c4c27ba2d441644703e67263f0f9227e91cefd24e4ed42e0
  SHA512: b28e88ec6dbdf7a7133f5f80db3ab25df0588e006a91c0794ffa36db32138be667a6e4e7c1274b3f987e1f0c4a13d371877b9c5bfc5ea284b74c8d8d0e3a5151
- Filesize: 224B
  MD5: acf4781aea83478d31fadedae742c8a5
  SHA1: aafb140829c092829e21dae165b1938f0cae6929
  SHA256: 55321fbe33216c1687ae756983afbdae782d01109ab2a2c553ea52adb544dea2
  SHA512: 6ec2920ae45deb28d9f5ae2fd70d1b3f0088f3398302e441df2e2ef2fd9889eba79617e627548ccc45080728ecb4385d1fc40c18d16eb9a88050e2ca5936e937
- Filesize: 104B
  MD5: dbef593bccc2049f860f718cd6fec321
  SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
  SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
  SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
- Filesize: 512B
  MD5: 4f7e485eb3a526a5fc929dc4c2daba40
  SHA1: 3389a96f9cdabf278502d868460db9c98a465612
  SHA256: 12a59fc22caec1578f2d07e64f5bb70e66a37b86bab832c44ffa90058bf5ae65
  SHA512: 557a0fed9a86ba2f8f0706da0bc839dafa1f7a59a2ed6a653dcd434fc9c76f0a1287802365172758125c22962cc866ebfbeca4c05b527c38cbdae2cb07b4da39
- Filesize: 787KB
  MD5: 0e5ebdecce3fcf71c5e2b661e1840d5f
  SHA1: ba08fb754255461d7be72633df4b6d5e9d3baf11
  SHA256: 2e6e18618b09643ba4e55c40d64787075191c4414a0c25eae9418e13f8f1d7af
  SHA512: 31b37f4eac98fb8c3134ddb9adff2219e8476035b8be53a3ee90a75886b481be6cbb56b93c5f510b70b58f73e64e25a01d7dfdd1a4dd2e152c0b7c33a7c814a8
- Filesize: 601KB
  MD5: 7b5fb7bf7f4432bda4ac14bcfa589154
  SHA1: 640523aeaff36b9181301193524e5dc3815d74a9
  SHA256: a3513722861ef2a811cb22b78e4122331011765ba76862b56511b0d673b6b41d
  SHA512: d695ab1f4832542a1b3ba7ed66044fd75b3fa0c8f66463750ff3da925a01f36f656052cf7e9218699e8643fe3255ef21891764b6b4664b9e9198db585b7c2d25