Analysis
max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
15-10-2024 18:40
Static task
static1
Behavioral task
behavioral1
Sample
0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
Resource
win7-20240903-en
General
Target
0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
Size
334KB
MD5
e2e1277f8f672de04550a7dbe64cb060
SHA1
862a99da7e02844d4a0cf7f9bbbd9370bd2af6f1
SHA256
0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6
SHA512
cf6c81ab49b92b0918ed07873897412be0f64f74667d0c0385077f94edb748232b5ffb2a1a71f88d4ab36a663f9c2fdd98224c60b6622678e9679580cfb32ec0
SSDEEP
6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY0:vHW138/iXWlK885rKlGSekcj66ciV
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures
Deletes itself (1 IoC)
Processes:
- pid 2216 cmd.exe
Executes dropped EXE (2 IoCs)
Processes:
- pid 2464 fuiba.exe
- pid 484 avnur.exe
Loads dropped DLL (2 IoCs)
Processes:
- pid 1736 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
- pid 2464 fuiba.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by fuiba.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by avnur.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
- pid 484 avnur.exe (24 occurrences)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 1736 (0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe) wrote to memory of PID 2464 (fuiba.exe), 4 occurrences
- PID 1736 (0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe) wrote to memory of PID 2216 (cmd.exe), 4 occurrences
- PID 2464 (fuiba.exe) wrote to memory of PID 484 (avnur.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe (level 1)
  Command: "C:\Users\Admin\AppData\Local\Temp\0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1736
  - C:\Users\Admin\AppData\Local\Temp\fuiba.exe (level 2)
    Command: "C:\Users\Admin\AppData\Local\Temp\fuiba.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2464
    - C:\Users\Admin\AppData\Local\Temp\avnur.exe (level 3)
      Command: "C:\Users\Admin\AppData\Local\Temp\avnur.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 484
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2216
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 342B
  MD5 53cd30d073131f0efcedbde93c7be2ac
  SHA1 c0eceae61c088e22ad9f800efb03c88ec7258268
  SHA256 94c12646403dc4928a6bfb36c8c77c8da93d01ff8b9a1073724100ed4e86eb1d
  SHA512 bcca120fc54b2cc483e45464ffe27adb3e8ed06c0b1fb4216517b2428fee9148b2fdff90efba43c97e7e4e80cf303a83669fead258cf4e066841081d551d6016
- Filesize 512B
  MD5 bbe7b4c922c9c3b02ac7db5bb0c95003
  SHA1 c84cd7204cb70a338839efd90de5b66e95119733
  SHA256 02a0f0a51fdc6295327f3797ed61e1e6260c2a27d2d214be8275ec66947b4136
  SHA512 7ac22b86bb650aa1cf7eecaaaa040271fe1f935d968bb79de7bbedd365c480690b8d7dbd515c50e51c7bfa51969526f5e4bec769be12909304473289a20e3def
- Filesize 172KB
  MD5 8468707ae632cd485b8a881ab4d5aba3
  SHA1 4da5127fe955a8e2b215a4893a3de2acfc56f4ae
  SHA256 5e9adbf46ff5688af6b584831800ace9d44aeaa5aecde66475dbd6a50846baaf
  SHA512 e2885db75cefed90c856c4117e4d799eefcf4848778f614fe6bea1c76b923ed6bd5924f95f786cf6196bc2332c994c7c6099eadddec3349dfb5336a968dcc5c5
- Filesize 334KB
  MD5 d42313d1019ac085488b3b955282a39c
  SHA1 4bd5572a524e10e7b5c66787d458ac5c961c653a
  SHA256 4dc6a5894807c74826f3b526c259db01da4f6f709e9ec7a54519b2d047bc4ad1
  SHA512 9c0491e9b58b4d6767293d67ceba31d31a1885061d4683a8b7d06f32877bbeb60b026108107fb93a0572de33f20b4856fcdbc0cce3edc3bf9fb782315b889887