Analysis
max time kernel: 153s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/03/2024, 02:40
Behavioral task: behavioral1
Sample: f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
Resource: win7-20240221-en
General
Target: f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe
Size: 458KB
MD5: 65121c8732d9066d3cff3f11d787d6ca
SHA1: fbb3e172674180908626f42eb0bf6e18658c6927
SHA256: f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020
SHA512: 1aa4f8496eeef242043a625b5a0b5cec97cb69527bb42c4fbef26e4057819bd9879d0c255b87b4d47d4b2141cc7ae24b0138dc7bfaf048b31ec5d6b13352c87b
SSDEEP: 6144:l+89tuc2/zrVhVa2H6jkEgAnLjCyl5afu/KQw3hwglo8uBqjnv6D3WwhD5RzC91q:lJYH6jkEgAnieafuzQTlhuwv6Dd9C9E
Malware Config
Signatures
resource: yara_rule
- behavioral2/files/0x0007000000022e9f-21.dat: aspack_v212_v242
- behavioral2/files/0x0007000000022e9f-24.dat: aspack_v212_v242
- behavioral2/files/0x0007000000022e9f-23.dat: aspack_v212_v242
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: gyceo.exe)
Executes dropped EXE (2 IoCs)
- PID 1728: gyceo.exe
- PID 2460: niejg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4576: f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe (2 events)
- PID 1728: gyceo.exe (2 events)
- PID 2460: niejg.exe (60 events)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4576 (f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe) wrote to memory of PID 1728, procid_target 98 (3 events)
- PID 4576 (f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe) wrote to memory of PID 2740, procid_target 99 (3 events)
- PID 1728 (gyceo.exe) wrote to memory of PID 2460, procid_target 114 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe (PID 4576)
  command line: "C:\Users\Admin\AppData\Local\Temp\f64c6601c1797e13f7099d31982e0b9f33d3fbe208c6ee50b07eda64c0427020.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gyceo.exe (PID 1728)
    command line: "C:\Users\Admin\AppData\Local\Temp\gyceo.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\niejg.exe (PID 2460)
      command line: "C:\Users\Admin\AppData\Local\Temp\niejg.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2740)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3412)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads (6 files): 340B, 512B, 458KB, 8KB, 211KB, 165KB