Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/03/2024, 02:21
Behavioral task: behavioral1
Sample: ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
Resource: win7-20240221-en
General
Target: ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
Size: 417KB
MD5: 5323d5a77f6ce194a9023df2dccd6d19
SHA1: 0a611ca0a52faedeca469c32d4e6d07365dcf373
SHA256: ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb
SHA512: 523bfafe538e7bd8499cfed1a97963878e726e582b75180124cb18fb8678504fa1417ab746621ca83971c3f8860212ba294021a08bc2bb40de6ee4832dc23544
SSDEEP: 6144:kzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInOYqD:eU7M5ijWh0XOW4sEfeObD
Malware Config
Extracted
Family: urelas
- 218.54.31.226
- 218.54.31.165
Signatures
- yara_rule: aspack_v212_v242
  resource: behavioral2/files/0x000900000001e80c-21.dat
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | ibhop.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1688 | ibhop.exe
  4232 | cypuh.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4232 | cypuh.exe (all 64 entries are this same pid/process pair)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4016 wrote to memory of 1688 | 4016 | ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe | 91 (listed 3 times)
  PID 4016 wrote to memory of 1556 | 4016 | ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe | 92 (listed 3 times)
  PID 1688 wrote to memory of 4232 | 1688 | ibhop.exe | 105 (listed 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"
   PID: 4016
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ibhop.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ibhop.exe"
      PID: 1688
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\cypuh.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\cypuh.exe"
         PID: 4232
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 1556
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: f0d4c528db1a5a3deab717cc3f4844a9
  SHA1: 3b46c4d928e3dce0afff3ea5ed8425af472b4995
  SHA256: 7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389
  SHA512: 68e238d9b7166e321cb722416b82121d9c0d3e3dbc8619b01f6a5b8edba52a058d33fe4cf649be4e22766259f7543806fd17049dc4753b7c08b2a2e07ef89b05
- Filesize: 212KB
  MD5: 4fa79894f90b494e3ad3b79ef9970b08
  SHA1: ab37328cd01c5c6f725ea392ca4f3d6903359e6c
  SHA256: 3ab8c0b7acbc610ce09077ce4a571d33aca5416c6133f43b5640ffad3020d6e9
  SHA512: b6e94e90e364cf9a4c53379990b0da2b173ed7af7c515784d2e934191ef6f94120721b7dc161a2a7a9943c90a59f394cdd251d287ff88e307e03a934a639d57e
- Filesize: 512B
  MD5: 4a5a906094a1838e0448c5be6d4c376b
  SHA1: 228d9464f2bc418b66fc397cda340fe6316375f6
  SHA256: cf5298f94621fd6c03864fd022eacfd50bf6e79ad3a4a152cc82b0d20e8c0ff9
  SHA512: 497e0d838f474764efdf2f94a15f46d586d3d1274595f20f5dba944502cedb2bf739ff16953c2c674e39ce07d3431cdce1706f099f2379d69385fd713fc08bb5
- Filesize: 417KB
  MD5: f4535a61af99f166e08f80cd9323aecd
  SHA1: bec15e9d468f804c6085b2d69fe9c9fbf7c0f8a1
  SHA256: 244c4020b858272d8e141240306923518afe85aaa672342b14b5c32148635a3a
  SHA512: c0d8f2d935e1542ac7fa9aad76cf1587022dd23aadebee82c746c5f0b5e0dc1946957e56bb97fddeb9e9dcb8260e79fc615fbcc813f06778b5bb0fd6760becc6