Overview (score 10)
Static (score 5)

Task | Platform | Score
17-10-2024...QW.exe | windows7-x64 | -
17-10-2024...QW.exe | windows10-2004-x64 | -
17-10-2024...er.exe | windows7-x64 | 7
17-10-2024...er.exe | windows10-2004-x64 | 7
17-10-2024...ys.exe | windows7-x64 | 9
17-10-2024...ys.exe | windows10-2004-x64 | 9
17-10-2024...er.exe | windows7-x64 | 3
17-10-2024...er.exe | windows10-2004-x64 | 3
17-10-2024...er.exe | windows7-x64 | 3
17-10-2024...er.exe | windows10-2004-x64 | 3
17-10-2024...re.exe | windows7-x64 | 10
17-10-2024...re.exe | windows10-2004-x64 | 10
17-10-2024...ix.exe | windows7-x64 | 1
17-10-2024...ix.exe | windows10-2004-x64 | 3
17-10-2024...nt.exe | windows7-x64 | 10
17-10-2024...nt.exe | windows10-2004-x64 | 10
17-10-2024...re.exe | windows7-x64 | 5
17-10-2024...re.exe | windows10-2004-x64 | 5
17-10-2024...NG.dll | windows7-x64 | 3
17-10-2024...NG.dll | windows10-2004-x64 | 3
17-10-2024...op.exe | windows7-x64 | 7
17-10-2024...op.exe | windows10-2004-x64 | 7
17-10-2024...er.exe | windows7-x64 | 7
17-10-2024...er.exe | windows10-2004-x64 | 7
17-10-2024...an.exe | windows7-x64 | 3
17-10-2024...an.exe | windows10-2004-x64 | 3
17-10-2024...ie.exe | windows7-x64 | 5
17-10-2024...ie.exe | windows10-2004-x64 | 5
17-10-2024...oe.exe | windows7-x64 | 7
17-10-2024...oe.exe | windows10-2004-x64 | 7
17-10-2024...ge.exe | windows7-x64 | 6
17-10-2024...ge.exe | windows10-2004-x64 | 6

Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16-11-2024 22:34
Behavioral tasks

Task | Sample | Resource
behavioral1 | 17-10-2024 #20/AQW.exe | win7-20240903-en
behavioral2 | 17-10-2024 #20/AQW.exe | win10v2004-20241007-en
behavioral3 | 17-10-2024 #20/Adobe Reader.exe | win7-20240903-en
behavioral4 | 17-10-2024 #20/Adobe Reader.exe | win10v2004-20241007-en
behavioral5 | 17-10-2024 #20/Barys.exe | win7-20240903-en
behavioral6 | 17-10-2024 #20/Barys.exe | win10v2004-20241007-en
behavioral7 | 17-10-2024 #20/Butcher Crypter.exe | win7-20240903-en
behavioral8 | 17-10-2024 #20/Butcher Crypter.exe | win10v2004-20241007-en
behavioral9 | 17-10-2024 #20/Dynamer.exe | win7-20240903-en
behavioral10 | 17-10-2024 #20/Dynamer.exe | win10v2004-20241007-en
behavioral11 | 17-10-2024 #20/Explore.exe | win7-20240729-en
behavioral12 | 17-10-2024 #20/Explore.exe | win10v2004-20241007-en
behavioral13 | 17-10-2024 #20/FloodFix.exe | win7-20240903-en
behavioral14 | 17-10-2024 #20/FloodFix.exe | win10v2004-20241007-en
behavioral15 | 17-10-2024 #20/Flyagent.exe | win7-20240903-en
behavioral16 | 17-10-2024 #20/Flyagent.exe | win10v2004-20241007-en
behavioral17 | 17-10-2024 #20/InstallCore.exe | win7-20240903-en
behavioral18 | 17-10-2024 #20/InstallCore.exe | win10v2004-20241007-en
behavioral19 | 17-10-2024 #20/MSRATING.dll | win7-20240903-en
behavioral20 | 17-10-2024 #20/MSRATING.dll | win10v2004-20241007-en
behavioral21 | 17-10-2024 #20/MulDrop.exe | win7-20240903-en
behavioral22 | 17-10-2024 #20/MulDrop.exe | win10v2004-20241007-en
behavioral23 | 17-10-2024 #20/TSULoader.exe | win7-20240903-en
behavioral24 | 17-10-2024 #20/TSULoader.exe | win10v2004-20241007-en
behavioral25 | 17-10-2024 #20/UtilMan.exe | win7-20240903-en
behavioral26 | 17-10-2024 #20/UtilMan.exe | win10v2004-20241007-en
behavioral27 | 17-10-2024 #20/Zombie.exe | win7-20241010-en
behavioral28 | 17-10-2024 #20/Zombie.exe | win10v2004-20241007-en
behavioral29 | 17-10-2024 #20/app stroe.exe | win7-20241023-en
behavioral30 | 17-10-2024 #20/app stroe.exe | win10v2004-20241007-en
behavioral31 | 17-10-2024 #20/assemblychange.exe | win7-20240903-en
behavioral32 | 17-10-2024 #20/assemblychange.exe | win10v2004-20241007-en
General

Target: 17-10-2024 #20/app stroe.exe
Size: 752KB
MD5: 50b1390fe325207d2a96fc991b065030
SHA1: ee5f6c76400f1eafec18a674774e31faad150009
SHA256: eb2714d855c5896df7f2bb2c09e1db57c38e7e154c07cb96c5c9e4ec7f9422f2
SHA512: c77b1ceb70553f8250ec09e89a76c9e89c4df6bad444887559adda45effbdb6d80bf1de000d7468f2bdfd16f3015e84cfbd3070d359ed444284ca0e3d369660a
SSDEEP: 12288:zhDMjlZ8RZ7QwkMSiakDdUlftrIzoJ3fVR1hj8bgn8mYvTbV9rwvjlDtghOcv:5PRZAiakEfdSQhCgn85vTJ9iwOcv
Malware Config

Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | app stroe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | ~DFA277.tmp

Executes dropped EXE (3 IoCs)

pid | Process
1756 | quxevyk.exe
2092 | ~DFA277.tmp
1636 | yzymdak.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | app stroe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | quxevyk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~DFA277.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yzymdak.exe

Suspicious behavior: EnumeratesProcesses (42 IoCs)

pid | Process
1636 | yzymdak.exe (the same entry is recorded 42 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 2092 | ~DFA277.tmp

Suspicious use of WriteProcessMemory (12 IoCs)

description | pid | Process | procid_target
PID 2132 wrote to memory of 1756 | 2132 | app stroe.exe | 85 (recorded 3 times)
PID 1756 wrote to memory of 2092 | 1756 | quxevyk.exe | 87 (recorded 3 times)
PID 2132 wrote to memory of 1860 | 2132 | app stroe.exe | 88 (recorded 3 times)
PID 2092 wrote to memory of 1636 | 2092 | ~DFA277.tmp | 106 (recorded 3 times)
Processes

app stroe.exe (PID 2132, depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17-10-2024 #20\app stroe.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  quxevyk.exe (PID 1756, depth 2, child of PID 2132)
    Path: C:\Users\Admin\AppData\Local\Temp\quxevyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\quxevyk.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    ~DFA277.tmp (PID 2092, depth 3, child of PID 1756)
      Path: C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\~DFA277.tmp OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      yzymdak.exe (PID 1636, depth 4, child of PID 2092)
        Path: C:\Users\Admin\AppData\Local\Temp\yzymdak.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\yzymdak.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

  cmd.exe (PID 1860, depth 2, child of PID 2132)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276B
MD5: fa241bb53d778e95e5d451463e580d58
SHA1: 9f6a150272a3d231fd8f22befca20ce8ce285075
SHA256: 1970ccc2659cbe5a7b9b3693ae82b69ead9014a14bfe9c566c09bda1ddb053f7
SHA512: c21b676da6372a06d30bb821dec597bc323edcc580ca6c34d1ca982d2b4a067a606301226a5bf7274267f49657084168a75b167502bb76e44206147bdf3adb95

Filesize: 104B
MD5: 86bb2dbeaef655893262f3c041f6afe2
SHA1: 1b26ff1241c1353bd506c18bd0c11878076ba65d
SHA256: 4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2
SHA512: 58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Filesize: 480B
MD5: d68790deef9c319c28ab55f382d0f58a
SHA1: 2eae1310049b800ef7122b972c70fc15bcff6753
SHA256: d1ff4ceae2ae163622fb73a2e73335983acc4552bc8ba9f6555d08411df0cacf
SHA512: 4a0efb23467bc643b6a8452dd4e3aba32f6e2f438315288379df61b4283cf207dd35996c794ebc24e10711cb0f71fda2e272ff9ca7a0d2db24c71ae054abcca0

Filesize: 753KB
MD5: cb399a631f49e6deaf5c823969bbde6c
SHA1: a6c84328f7ba2f9f67cc8aa267a1dbd5ef29287a
SHA256: 61796bfb0195fcec587e823538afec4e9a91ef1d4f6e75d357b315ae8584319c
SHA512: 5e9099907c55b09d2be8cc014d41ecda4fd6206478f5f0271e6cd50ca746219b8646b0a759d5c7c7aed05034ce76b0fde1cbdb63ac3cf5c68477caac713935f2

Filesize: 404KB
MD5: 25a878f3522cf3819bfe4c0561fce967
SHA1: a0e29f02406f9bca6aaf3faf37698d1e310675b8
SHA256: 0ad6a9b72cbd668dbdf08dcbb7d7c94faa34177fdf6141b079f12c5038f5230f
SHA512: c79620b1696a052ad2b0900c81c4abebd3363ae0509dfd7f041e6aba1ecc9775d4515fdd3dfa2cfbabb714d1d48a7a199a25e4b4679c7c5ca41eff903be39f5d

Filesize: 754KB
MD5: f37a871176367bebaf2b096546a7041c
SHA1: 641a6b7e5b54f3e60fe29b396257f842b1bab337
SHA256: ee7eca8422de3efade075befb9b5c5522bade8d2a849a70725030225cd53640f
SHA512: 6cb5a347479c5632eb351eac34670c38422672ab39d96b44bb9b001db3f984fd451fc2984f5a68bd5799da70280f0141ea41da5f5f5381c0db694fa663cd8bd1