Analysis
-
max time kernel
149s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/02/2024, 06:55
Behavioral task
behavioral1
Sample
Backdoor.Win32.Plite.exe
Resource
win7-20240221-en
General
-
Target
Backdoor.Win32.Plite.exe
-
Size
433KB
-
MD5
95e4c82cdab9f3f29e5db343148855a6
-
SHA1
4ccfbc92609a4311f52d04c87e3fc9f2c0b85513
-
SHA256
045b4bb4a2914bf91607a617516731dd3317c74a701a38749a1fc0930d225680
-
SHA512
2ab7072e50bd1d79e167220387327799c79f4816092caac4a56d4da7e043567b0c0972521d60f03ad11a0342e2f6aa1402925a484550d7b0eae954fdc3585939
-
SSDEEP
6144:DKbwhNxUjDVMytD2NkWuRk/oBmodd+sAaTmQo2fk5U:OANxU3VH1t19MsAlpXy
Malware Config
Extracted
urelas
218.54.31.226
218.54.31.165
Signatures
-
resource yara_rule behavioral2/files/0x000e000000023147-21.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation Backdoor.Win32.Plite.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation tioza.exe -
Executes dropped EXE 2 IoCs
pid Process 3648 tioza.exe 4392 iqfei.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe 4392 iqfei.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1376 wrote to memory of 3648 1376 Backdoor.Win32.Plite.exe 91 PID 1376 wrote to memory of 3648 1376 Backdoor.Win32.Plite.exe 91 PID 1376 wrote to memory of 3648 1376 Backdoor.Win32.Plite.exe 91 PID 1376 wrote to memory of 4136 1376 Backdoor.Win32.Plite.exe 92 PID 1376 wrote to memory of 4136 1376 Backdoor.Win32.Plite.exe 92 PID 1376 wrote to memory of 4136 1376 Backdoor.Win32.Plite.exe 92 PID 3648 wrote to memory of 4392 3648 tioza.exe 99 PID 3648 wrote to memory of 4392 3648 tioza.exe 99 PID 3648 wrote to memory of 4392 3648 tioza.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\tioza.exe"C:\Users\Admin\AppData\Local\Temp\tioza.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\iqfei.exe"C:\Users\Admin\AppData\Local\Temp\iqfei.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4392
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "2⤵PID:4136
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252B
MD597fc87a02a4d6b9e3c84b60d8c043bfe
SHA1766c62bed33c6c7aabf6e27099702bcd584dcccb
SHA256a3196284add063a8e6090efbb24a11a92af85d7257bc6b583299ff5df53806cc
SHA5124462f2d9275882358de182cf3984fdde74e8430ea85212efa2c579c618c6cab10c867e7a2d6fd3dfd0400b7918a9d03de37eb5c5296abefa53846a8e126e6938
-
Filesize
512B
MD570b1a3f1f922eefc842d9946ca899efa
SHA160adca9af7c6da22afdf35f0035d55eb6870008c
SHA256112c3c8439270fb627e95b20c97e32a82d31cd0dc3770acd8cfc2764d059d493
SHA512656c1e638b479ff75f459d19c3be45f3ca0d2b80e8862cfba7af80ec2791efe6a8d18022e6e7b50d859b065c5907baf481e8a114a01e05a2dad31bdb50789071
-
Filesize
216KB
MD58ac43cbedd2aeab7cbd4ee10a1f3bd1f
SHA1ba16efb70b5cbdb2473d17dd4e1db1d5fcb2f7a0
SHA2564c19bea1f25db9273d5d9efb408ac446447660c09e5598920d60408f0f6f7aa8
SHA5126ae61b95e8323afaa80519b0632be1a9122f57d8e38957f4fd5e23ce0654b2df1f2091fe979ad02b9b66152dea81cdc00a5148fd72ba012ed39a6d28264f8174
-
Filesize
433KB
MD557d5033e75bda61bde83d77ca5be1dfe
SHA1fa32361d615e96147070ef7556c0a0bfcd3eeeb6
SHA25649ebadcb54900f790df1b9c22220ab2c8c83a9e6a021cf8701300c63d5b6bb5d
SHA512a956d9f0fc20558455e47691c06c33b765495cb571e87aacb7bf11af4c4f2499b85f9ec115d94c8bee0a47103c5f453c09cfe58f9883fcb25c9c7a34f83f1be2
-
Filesize
320KB
MD5d1bc512e4f3f1f3c469a3229b45b9fd9
SHA1ce1e4eb3b19bf3211b3dc4b99f9bf85b78867040
SHA25627da9f0368a14a0fbf18457241d37142a50d53e482e1ec29a3503a1e41c757f4
SHA51269cd554387b3d91f9b41086b1efaa9328cef93e30d3dc13f851a5e057a9365f1643571d268773947e44908fcb98d32d95cbc03050b0b69bf854ce4fa69289d30