Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 21:56
Behavioral task: behavioral1
Sample: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
Resource: win7-20231129-en
General
Target: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
Size: 487KB
MD5: 5992f18b0da0a0c2622f890a14a278be
SHA1: cfcb2c1ad64418c209aa71f3be827d79582f3cd7
SHA256: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee
SHA512: b7f711a0fb80e20b0b5a696c399afae5ab790e3c4cbcaf272e45d35965d269641189310b7856df557b8896ce8954423eb4246ed55c9ba85f849063f3f34f29e6
SSDEEP: 12288:Vpbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbeP:VpbXi5xzFUBaazsiofx8K
Malware Config
Extracted: urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (process: 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (process: obtoy.exe)

Executes dropped EXE (2 IoCs)
PID 1952: obtoy.exe
PID 784: duhyp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 784: duhyp.exe (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
PID 4660 wrote to memory of 1952 (pid 4660, 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe, procid_target 93)
PID 4660 wrote to memory of 1952 (pid 4660, 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe, procid_target 93)
PID 4660 wrote to memory of 1952 (pid 4660, 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe, procid_target 93)
PID 4660 wrote to memory of 4708 (pid 4660, 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe, procid_target 94)
PID 4660 wrote to memory of 4708 (pid 4660, 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe, procid_target 94)
PID 4660 wrote to memory of 4708 (pid 4660, 6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe, procid_target 94)
PID 1952 wrote to memory of 784 (pid 1952, obtoy.exe, procid_target 105)
PID 1952 wrote to memory of 784 (pid 1952, obtoy.exe, procid_target 105)
PID 1952 wrote to memory of 784 (pid 1952, obtoy.exe, procid_target 105)
Processes

C:\Users\Admin\AppData\Local\Temp\6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b5ceef5225f59130c5175bba37e0d89c7bc223e82a29243c1b2dfc8c07f87ee.exe"
  PID: 4660
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\obtoy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\obtoy.exe"
      PID: 1952
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\duhyp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\duhyp.exe"
          PID: 784
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 4708
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
MD5: fbb9e6fa9d9aba36212379a340f155a0
SHA1: 17c9a13635ed2e164f34eb277b2956e25e1b3104
SHA256: d0f4d264decea9079ac02fa1e07785d1045be65ee8fb063666b020853bf85eff
SHA512: f375ca7e85339e85139e3a940b38c0af14c1ae19e694481dade54055f2361b01b2bfe4badc9b5d0ffa834b29dc882d3dc690e28bd9031ba1d48bfd03a24d6bac

Filesize: 217KB
MD5: 8c190d0faa01ae57d34a1ecfd925f5f7
SHA1: a002de0c81caf205c16ed7d0c037f5d39c15d7ad
SHA256: 042b0d2ea855aaa7431fdc2700c92ebcf0b07bfd083126fbe9e02d4c3859a175
SHA512: dd6ca18161dc820a875f652f662c695659c618cfd1bbe1c0e2fd0eb760298b1369216d9de99f81e5ade714f08d16d04bbf3374fcb89d983c300a16b5c40fb824

Filesize: 512B
MD5: 1b4da99f97587cd63f190b8cdc5f2104
SHA1: a2c5857a6b6e27dc2dfa0da2a7e0089a05c30a4d
SHA256: 4e818b47e890590c58b1ea6404b35f48c35699036ec0e46f490e320c50a9f163
SHA512: 9e2e779f1ecb01a1913345d712e1ecfebf82296e6ee1d9b358a4ad142694731b5f75b59d884093864d5551d765af17b8e39b16a9acfe50701724494d57038a26

Filesize: 487KB
MD5: 760bec4fe4aff4bf2cbb32da856b1f6d
SHA1: 6cb3e5af41476c8b98378867f260bb0f0df7b737
SHA256: f5b2f86899918fca35c38d7226246b6fa0dddc15788054b20a10b1b1aa553877
SHA512: 9def0d0d00b8b4b081e09c0c8b383c7a6d94cf9bd5deef4513ed9a989a35cb33304cccda5d1fc389c84df743a65065dcd5ca62816359359d6f36f318704fa444