Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 10/03/2024, 22:20
Behavioral task: behavioral1
Sample: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
Resource: win7-20240221-en
General

Target: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe
Size: 428KB
MD5: 8dfd25cb85377d10a473147aa08ca6cf
SHA1: 0c6f6aa8dcb847a14c86eb4b9ff8ab865524918d
SHA256: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8
SHA512: 2f2324d1107242e897025823aec86071f8d9db9882ff166e06ea75596085e1b48c187bff6da3f720880fedfd86fa4ee941a88d10ce20639f4320711ca7f4b61b
SSDEEP: 6144:to3wRi+1Py3V0a2WkQ6P9N2Y/Op9eXQ6fU//BFuHt07Vx9Ul8:w6f1PyKa2u6P9N2y3U/mHyU8
Malware Config

Extracted
Family: urelas
C2:
  1.234.83.146
  133.242.129.155
  218.54.31.165
  218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation  (process: 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation  (process: migyk.exe)

Executes dropped EXE (2 IoCs)
  PID 4920  migyk.exe
  PID 2392  uzpou.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2392  uzpou.exe  (all 64 IoCs are this one process)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4200 (7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe) wrote to memory of PID 4920, procid_target 89  (3 IoCs)
  PID 4200 (7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe) wrote to memory of PID 1648, procid_target 90  (3 IoCs)
  PID 4920 (migyk.exe) wrote to memory of PID 2392, procid_target 110  (3 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe  (level 1, PID 4200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\migyk.exe  (level 2, PID 4920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\migyk.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\uzpou.exe  (level 3, PID 2392)
      Command line: "C:\Users\Admin\AppData\Local\Temp\uzpou.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe  (level 2, PID 1648)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    (The command line names system32 but the image ran from SysWOW64: the 32-bit parent's path is redirected by WoW64 on this x64 guest.)
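The process tree above can be rebuilt mechanically from the nine "wrote to memory of" records in the WriteProcessMemory signature together with the two "Executes dropped EXE" records. The Python script below is an added example, not part of the Triage report or of the sample: it parses a constructed copy of those records (the regular expression matches this page's flattened text layout, not a documented export format), counts writes per parent/child edge, derives the drop chain sample -> migyk.exe -> uzpou.exe, and flags any child that receives more writes than the three that accompany each process creation in this report. Treating three writes as the baseline is a heuristic assumption of this example; the report shows exactly three writes into every child that the sample or migyk.exe started, which is the pattern of a parent setting up a process it has just created, so this signature by itself does not show injection into a pre-existing process. The image name for PID 1648 (cmd.exe) is supplied by hand from the process list because the records only name the writing process.

```python
"""Rebuild a process tree from Triage-style "wrote to memory of" IoC lines.

Added example, not part of the sandbox report. The records below are a
constructed copy of this page's WriteProcessMemory and Executes-dropped-EXE
tables; the regular expression matches that flattened text, not a documented
export format.
"""
import re
from collections import Counter, defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" table,
# flattened as "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
WPM_RECORDS = """
PID 4200 wrote to memory of 4920 4200 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe 89
PID 4200 wrote to memory of 4920 4200 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe 89
PID 4200 wrote to memory of 4920 4200 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe 89
PID 4200 wrote to memory of 1648 4200 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe 90
PID 4200 wrote to memory of 1648 4200 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe 90
PID 4200 wrote to memory of 1648 4200 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe 90
PID 4920 wrote to memory of 2392 4920 migyk.exe 110
PID 4920 wrote to memory of 2392 4920 migyk.exe 110
PID 4920 wrote to memory of 2392 4920 migyk.exe 110
"""

# Constructed from the "Executes dropped EXE" table (pid -> image).
DROPPED_EXE = {4920: "migyk.exe", 2392: "uzpou.exe"}

# Targets of writes are only known by pid in the records; their image names
# come from the report's process list (cmd.exe is PID 1648 there).
KNOWN_IMAGES = {
    4200: "7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe",
    1648: "cmd.exe",
}

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)

# Heuristic assumption for this example: three writes into a freshly created
# child is what process creation looks like in this report; a child that
# receives more than that deserves a closer look.
CREATE_PROCESS_BASELINE_WRITES = 3


def parse_wpm(text):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image}) from the records."""
    edges = Counter()
    images = dict(KNOWN_IMAGES)
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["image"]
    images.update(DROPPED_EXE)
    return edges, images


def build_tree(edges):
    """Return (roots, {parent: sorted children}); a root is never a write target."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    for kids in children.values():
        kids.sort()
    roots = sorted(p for p in children if p not in targets)
    return roots, children


def render_tree(roots, children, images):
    """Indented text rendering of the tree, two spaces per level."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def drop_chain(roots, children, images, dropped):
    """Paths from each root through children that are dropped executables."""
    chains = []

    def walk(pid, path):
        path = path + [pid]
        kids = [k for k in children.get(pid, []) if k in dropped]
        if not kids:
            chains.append(" -> ".join(images[p] for p in path))
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return chains


def flag_excess_writes(edges, baseline=CREATE_PROCESS_BASELINE_WRITES):
    """Edges whose write count exceeds the process-creation baseline."""
    return {edge: n for edge, n in edges.items() if n > baseline}


if __name__ == "__main__":
    edges, images = parse_wpm(WPM_RECORDS)
    roots, children = build_tree(edges)
    print(render_tree(roots, children, images))
    for chain in drop_chain(roots, children, images, DROPPED_EXE):
        print("drop chain:", chain)
    print("edges above baseline:", flag_excess_writes(edges))
```

Run as a script it prints the same tree as the Processes section, the single drop chain, and an empty dict for edges above the baseline, which is the expected result for this report: every write target is a child the writer had just created.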
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: ac3bd8d778a3d9b13118e5436129ec4e
SHA1: f3f56fc870cfc346232a18e9002bb39195a8d205
SHA256: 86e389c79054b75bd858cd6af1d29986b4f1c16ddad6115530e661c25ba75ec2
SHA512: 145e3d20fd17e56f7e079339df760d76b163c2da5978c5b6967536cd998fa4fde5e53149462c4802125b7d0001532dc8f510ee552c4896d89f301a8f1a15567b

Filesize: 512B
MD5: 9acf2ce558deb780030ee92771bd4524
SHA1: b2072cc6d80944fe84318ab6158f46b8dc9cfdfc
SHA256: e5fff7cd0376001ddfc83d5591af57e9ed93f044a146c2265d3bbf46d2156005
SHA512: 327e0c61d2d5aef2c2f35adecffdb575c7a87f7f695a3d017ad09d1600e93500874a9fac67e376e56f848514624075e992aeb4b572bcc962730e30adafbf7f19

Filesize: 428KB
MD5: c5c46065eec6bd7cad585a2c4022b7e7
SHA1: 3b994d212946c400aa03744ae1fef58e3d121a40
SHA256: bb2ee2febe6cbd3c037e01bfab4b191f61653d42d45dcb5ca57a281cd9bc7b47
SHA512: 3a6485d87b5c1985d390789951854e4fc7de4813aed0f1eda393219e86b5a926edc2b6a10184ec2df1f5f640cded49aa1d8ac762a04da8b2ef0765e4ccf4a191

Filesize: 208KB
MD5: 849ea3fd5a01bae37e2350b8187fe89a
SHA1: efb90a15b393b770acf2428a71d4a77e51b81934
SHA256: 07cbb54aab2d9af99d9da07b8073ce513eb4165219736ba07b2c0b36233de309
SHA512: a226721d345eafe0d0446a8753c7e1958662ae67e749fd3306d84958f40d8720843e0869c5715ec722909d7708d80a73ff9906c5c0d375095c8a3b59ce71dfbc