Analysis
max time kernel: 119s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-10-2024 18:40
Static task: static1
Behavioral task: behavioral1
Sample: 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
Resource: win7-20240903-en
General
Target: 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
Size: 334KB
MD5: e2e1277f8f672de04550a7dbe64cb060
SHA1: 862a99da7e02844d4a0cf7f9bbbd9370bd2af6f1
SHA256: 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6
SHA512: cf6c81ab49b92b0918ed07873897412be0f64f74667d0c0385077f94edb748232b5ffb2a1a71f88d4ab36a663f9c2fdd98224c60b6622678e9679580cfb32ec0
SSDEEP: 6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY0:vHW138/iXWlK885rKlGSekcj66ciV
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | yrnut.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  3132 | yrnut.exe
  4788 | japuz.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yrnut.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | japuz.exe

Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes:
  pid | process
  4788 | japuz.exe (the same pid/process pair is reported 48 times)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 4784 wrote to memory of 3132 | 4784 | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe | yrnut.exe
  PID 4784 wrote to memory of 3132 | 4784 | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe | yrnut.exe
  PID 4784 wrote to memory of 3132 | 4784 | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe | yrnut.exe
  PID 4784 wrote to memory of 4912 | 4784 | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe | cmd.exe
  PID 4784 wrote to memory of 4912 | 4784 | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe | cmd.exe
  PID 4784 wrote to memory of 4912 | 4784 | 0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe | cmd.exe
  PID 3132 wrote to memory of 4788 | 3132 | yrnut.exe | japuz.exe
  PID 3132 wrote to memory of 4788 | 3132 | yrnut.exe | japuz.exe
  PID 3132 wrote to memory of 4788 | 3132 | yrnut.exe | japuz.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe (PID 4784)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0741c87d55b6c503486006d19bedccbbabc9c6162ed763f46ddeb310a30431b6N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\yrnut.exe (PID 3132, child of PID 4784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\yrnut.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\japuz.exe (PID 4788, child of PID 3132)
      Command line: "C:\Users\Admin\AppData\Local\Temp\japuz.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (PID 4912, child of PID 4784)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: 53cd30d073131f0efcedbde93c7be2ac
SHA1: c0eceae61c088e22ad9f800efb03c88ec7258268
SHA256: 94c12646403dc4928a6bfb36c8c77c8da93d01ff8b9a1073724100ed4e86eb1d
SHA512: bcca120fc54b2cc483e45464ffe27adb3e8ed06c0b1fb4216517b2428fee9148b2fdff90efba43c97e7e4e80cf303a83669fead258cf4e066841081d551d6016

Filesize: 512B
MD5: 1c87837223c7937ccd2bf9c1dc344e5e
SHA1: 9258f77da2247118df7be4949b223b69b7c1ccba
SHA256: 903326784c09367e0a565c5cb3eaa81695d3db6d4ebd5bc552689b789c3281c2
SHA512: 37c9de6e4465f084c60e46ed116924e4092e411164da709963a7752b7c0de2bbfb0011dad3bc90777f8c6aabc94a2d9130f78c7ba60363c605ac60b2f1255a23

Filesize: 172KB
MD5: 50acb6504e6dfc26c853b8dfa4630911
SHA1: 0144a63e33d0debba5a060ad57e5d4c9a0b1faac
SHA256: fc70bf4c167b384b025720f8502c1c81daae3b1befce038ef94322e52544b6e8
SHA512: f2b0117e0d4943b97c52548ad511f9415148d6fb81c30c197830fe1eaf5679114de4c7c0348b8f43789fdd50c13278644718a2a11bf82a8a88339ac850664212

Filesize: 334KB
MD5: cda8b06e0de869f6ffa8fea79b311bca
SHA1: 9f788a52a1b87c736fe8465873c837b90de2a154
SHA256: 555273b3b63a4bbc4a22ded7c8bb1072b2127a9857d2b0fddbabf39862ca5fd1
SHA512: 96c9508d879f4d465bd60c50fff6ddb143f3e526f3e3591d8daace16dbbbf6269cf88969b7a8079b69d19b8a94937fc10b75305550c24f0f267525cf009d38e4