Analysis
- max time kernel: 144s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/03/2024, 21:33
Behavioral task: behavioral1
- Sample: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe
- Resource: win7-20240221-en
General
- Target: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe
- Size: 466KB
- MD5: 78fc62e55e06943e83f4f22eede88966
- SHA1: 0004be510b718d9f8e1d59cccde7b92696380775
- SHA256: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd
- SHA512: e910115a511162739a8dfef794371aef551486c63dced8310a293c5d653bfaf2a84156a4a2fe46c1b2785975b7990dcb7852ad7aa488e946bd66a6b16d270ca0
- SSDEEP: 6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmi:LMpASIcWYx2U6hAJVs
Malware Config
- Extracted: urelas
  - 218.54.31.165
  - 218.54.31.226
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: izcej.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: vukunu.exe)
- Executes dropped EXE (3 IoCs)
  - PID 3988: izcej.exe
  - PID 4616: vukunu.exe
  - PID 4732: fipys.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  - PID 396 (WerFault.exe), target PID 4732, target procid 114
- Suspicious use of WriteProcessMemory (15 IoCs)
  - PID 3012 wrote to memory of 3988 (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe, target procid 90)
  - PID 3012 wrote to memory of 3988 (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe, target procid 90)
  - PID 3012 wrote to memory of 3988 (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe, target procid 90)
  - PID 3012 wrote to memory of 1620 (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe, target procid 91)
  - PID 3012 wrote to memory of 1620 (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe, target procid 91)
  - PID 3012 wrote to memory of 1620 (process: 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe, target procid 91)
  - PID 3988 wrote to memory of 4616 (process: izcej.exe, target procid 93)
  - PID 3988 wrote to memory of 4616 (process: izcej.exe, target procid 93)
  - PID 3988 wrote to memory of 4616 (process: izcej.exe, target procid 93)
  - PID 4616 wrote to memory of 4732 (process: vukunu.exe, target procid 114)
  - PID 4616 wrote to memory of 4732 (process: vukunu.exe, target procid 114)
  - PID 4616 wrote to memory of 4732 (process: vukunu.exe, target procid 114)
  - PID 4616 wrote to memory of 1628 (process: vukunu.exe, target procid 115)
  - PID 4616 wrote to memory of 1628 (process: vukunu.exe, target procid 115)
  - PID 4616 wrote to memory of 1628 (process: vukunu.exe, target procid 115)
Processes
- C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"
  PID: 3012
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\izcej.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\izcej.exe" hi
    PID: 3988
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vukunu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\vukunu.exe" OK
      PID: 4616
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\fipys.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\fipys.exe"
        PID: 4732
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 216
          PID: 396
          - Program crash
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1628
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 1620
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4732 -ip 4732
  PID: 4844
Network
MITRE ATT&CK Enterprise v15
Downloads