Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/03/2024, 22:01
Behavioral task: behavioral1
- Sample: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
- Resource: win10v2004-20240226-en
General
- Target: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
- Size: 368KB
- MD5: 7155ede202bea542dd5674130785011e
- SHA1: b9d0c3e42de4894deefcd28518e6797739fe66c4
- SHA256: 6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11
- SHA512: 7218603790fc4cf9e8ecde2be320d623e1cde26ba1b7bc2fc293647662b42c03616848e4cbfa7ecc7ae291bfa33948cb54bae0df83f6b81c37b48ecad5f6dcdf
- SSDEEP: 6144:CcKp6l030ly3Li2pmzGqGsl5lvyRn3uXdu0ua8RiVpJ7T:CrAM0ly3O2A9GApq3uJ0i5T
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Description        IoC                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  leach.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe
-
Executes dropped EXE (2 IoCs)
  PID   Process
  64    leach.exe
  3976  foalh.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process    Occurrences
  3976  foalh.exe  64 (the report lists this same entry 64 times)
-
Suspicious use of WriteProcessMemory (9 IoCs)
  Description                       PID   Process                                                                Target (procid_target)  Occurrences
  PID 3008 wrote to memory of 64    3008  6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe  92                      3
  PID 3008 wrote to memory of 4296  3008  6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe  93                      3
  PID 64 wrote to memory of 3976    64    leach.exe                                                              106                     3
Processes
-
C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6df63a5287bb49a911344a3434bbe7e738b32aeba37aa54b187f7f279875ef11.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 3008
  C:\Users\Admin\AppData\Local\Temp\leach.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\leach.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 64
    C:\Users\Admin\AppData\Local\Temp\foalh.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\foalh.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 3976
  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  PID: 4296
-
Network
MITRE ATT&CK Enterprise v15
Downloads