Analysis
max time kernel: 118s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 15-10-2024 05:35
Behavioral task: behavioral1
Sample: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
Resource: win7-20240903-en
General
Target: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
Size: 787KB
MD5: 18a6984e652c1d34b1dd7b55311c3170
SHA1: c4b9936a677b053c8fc0002d6940550be73c4429
SHA256: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fb
SHA512: 5064e0346f986c7409caa03c40c8665ffd6428a9342d2d29b5d0f8f47d7e5e293aabb83bc5226599356b33449ddd566b456ef44280d610db761b0ddcde02f32a
SSDEEP: 12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgM:d7dLBftJLW5YUWLrkJB0PJgM
Malware Config
Extracted family: urelas
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe, zewup.exe, ovqegu.exe
description        ioc                                                                                                      process
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  zewup.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  ovqegu.exe

Executes dropped EXE (3 IoCs)
Processes: zewup.exe, ovqegu.exe, vexoe.exe
pid   process
700   zewup.exe
3232  ovqegu.exe
4800  vexoe.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: vexoe.exe, cmd.exe, 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe, zewup.exe, ovqegu.exe, cmd.exe
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vexoe.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  zewup.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ovqegu.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: vexoe.exe
pid   process
4800  vexoe.exe
(the same row is reported 14 times)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe, zewup.exe, ovqegu.exe
description                       pid   process                                                                  target process
PID 5080 wrote to memory of 700   5080  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe  zewup.exe
PID 5080 wrote to memory of 700   5080  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe  zewup.exe
PID 5080 wrote to memory of 700   5080  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe  zewup.exe
PID 5080 wrote to memory of 3604  5080  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe  cmd.exe
PID 5080 wrote to memory of 3604  5080  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe  cmd.exe
PID 5080 wrote to memory of 3604  5080  1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe  cmd.exe
PID 700 wrote to memory of 3232   700   zewup.exe                                                                ovqegu.exe
PID 700 wrote to memory of 3232   700   zewup.exe                                                                ovqegu.exe
PID 700 wrote to memory of 3232   700   zewup.exe                                                                ovqegu.exe
PID 3232 wrote to memory of 4800  3232  ovqegu.exe                                                               vexoe.exe
PID 3232 wrote to memory of 4800  3232  ovqegu.exe                                                               vexoe.exe
PID 3232 wrote to memory of 4800  3232  ovqegu.exe                                                               vexoe.exe
PID 3232 wrote to memory of 2616  3232  ovqegu.exe                                                               cmd.exe
PID 3232 wrote to memory of 2616  3232  ovqegu.exe                                                               cmd.exe
PID 3232 wrote to memory of 2616  3232  ovqegu.exe                                                               cmd.exe
Processes
(process tree; the bracketed number is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1023ba75c7c566c95b2dec666c915e3c18d7021e221e7a2dac3079250d0864fbN.exe"
    PID: 5080
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\zewup.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\zewup.exe"
        PID: 700
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\ovqegu.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ovqegu.exe" OK
            PID: 3232
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\vexoe.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\vexoe.exe"
                PID: 4800
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID: 2616
                - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 3604
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: ddb2edd44c8d44abfb991002fe5ac5fe
SHA1: fbc860bbc9bdddbef3f61a01640fbaa092cf270d
SHA256: 25c5bc5b3294ba67c4c27ba2d441644703e67263f0f9227e91cefd24e4ed42e0
SHA512: b28e88ec6dbdf7a7133f5f80db3ab25df0588e006a91c0794ffa36db32138be667a6e4e7c1274b3f987e1f0c4a13d371877b9c5bfc5ea284b74c8d8d0e3a5151

Filesize: 224B
MD5: e9c5a40e11bf1236a6ea4f5039bfe690
SHA1: c3a96906562922c0915f27d0f7e0e169c4f53485
SHA256: 68cc0fbf95f86b7dd07827f3cad030fd76732b3ec68d14ae832c041238852d4d
SHA512: c8c2f2b9ac8c9e9efbd73809f56a6f5c12f8aab13e50ef9784220616623df6b48767704af304fb6a56e0de9b8c880f5eca5beec3ab0dc4da28606996e4ad9185

Filesize: 104B
MD5: dbef593bccc2049f860f718cd6fec321
SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Filesize: 512B
MD5: dd05ca74f2a91a37ab5333be43307556
SHA1: 86cbb23ff4e13050eb640c1d5c83f344c1c04a93
SHA256: bd9c529232f392fdbbfa328b732c473e1d27456299d55c1d08ccae5971556629
SHA512: b37ee8343791145b3c3e3160fda26fba5e35c67454fa3cd92a059e15c2321303adab94b9ec7453921b67552a985754532507d4d1dadcc6e9a0691d1fde2a4ec1

Filesize: 601KB
MD5: e40791d8a688b84d0d4fcaee0526cebf
SHA1: 69348622eda724acd94f1bc07eb8a854adbc4a87
SHA256: 31dd9a78b360275e435acd53b73d6c8595187e52e595b97f19d0bf6af1be417e
SHA512: a7b6d75b008511fefbfbc2fa942daca0e64db51cb4c144131e8dd2c0042671b5874bc5423ff94337295ddc5bb96bd0d3ce435b4b8acd7387052a0f63a0ac3b50

Filesize: 787KB
MD5: d59b6f8b64079407e87c7ed868e1c8b4
SHA1: b648bcca9aab2cf0662af9c37a8f0f0b0ba471c6
SHA256: 93b7c231264a83113db87753f444822e5fdfff4de39eab959ad54c9d6414a9a2
SHA512: edc161c2aaf947ac62c97b63b37daded1a930d6f9631dbfc762d7402c8f244f5b0af744217428e54065e34571610af5fdb8c61b1cd9d8176e247520f58a40ec7