Analysis
-
max time kernel
95s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
09-03-2024 08:10
Static task
static1
Behavioral task
behavioral1
Sample
e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
Resource
win10v2004-20231215-en
General
-
Target
e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
-
Size
303KB
-
MD5
1c44aea625721fa995cce5f3f7f6732e
-
SHA1
bc688b57662cda7c057d932e7c0c61e6dbda1cdb
-
SHA256
e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32
-
SHA512
ea6b0752b0c67c67aa81082e633badd11fbb5ffb06c002e043cfd85872c788f7fd03b7ce56c77db3c3b19769a15d808d3446c7dfd5087e3b5a3427fb81c982b1
-
SSDEEP
6144:msLApG5qTzfDJKtJoUTx5JPccJM+FtkedAqsPBXi54F5zVRno0Mhmhs:mWemSYlTgfB1o02p
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
Process: uUTClw.exe
-
Executes dropped EXE 1 IoCs
pid: 3756
Process: uUTClw.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 676
Process: explorer.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description: PID 796 wrote to memory of 3756
pid: 796
Process: e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
procid_target: 84
-
description: PID 796 wrote to memory of 3756
pid: 796
Process: e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
procid_target: 84
-
description: PID 796 wrote to memory of 3756
pid: 796
Process: e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
procid_target: 84
-
description: PID 3756 wrote to memory of 1716
pid: 3756
Process: uUTClw.exe
procid_target: 89
-
description: PID 3756 wrote to memory of 1716
pid: 3756
Process: uUTClw.exe
procid_target: 89
-
description: PID 3756 wrote to memory of 1716
pid: 3756
Process: uUTClw.exe
procid_target: 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32.exe"
Process tree level: 1
- Suspicious use of WriteProcessMemory
PID:796 -
C:\uUTClw.exe
Command line: C:\uUTClw.exe
Process tree level: 2
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\explorer.exe
Command line: "C:\Windows\System32\explorer.exe" C:\RlLoBi.exe
Process tree level: 3
PID:1716
-
C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Process tree level: 1
- Suspicious use of SetWindowsHookEx
PID:676
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
303KB
MD5
1c44aea625721fa995cce5f3f7f6732e
SHA1
bc688b57662cda7c057d932e7c0c61e6dbda1cdb
SHA256
e1da96812fef8207fa560ca169de12483064a042c778c353b3c3ffbcf8ca3d32
SHA512
ea6b0752b0c67c67aa81082e633badd11fbb5ffb06c002e043cfd85872c788f7fd03b7ce56c77db3c3b19769a15d808d3446c7dfd5087e3b5a3427fb81c982b1