Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 23:11
Behavioral task: behavioral1
Sample: 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
Resource: win7-20240221-en
General
Target: 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
Size: 458KB
MD5: 12291085d34f6891999bb3bb470aaa5b
SHA1: 5e1eaa82e8ee1e170cd8f51b77aa31acd8cfeefd
SHA256: 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de
SHA512: dba1fd5853182300356a0e618331cf69283787491fdb47d78b1ce85dbeff5a5555794dba003a004e4c3824f851c949d9b780ebef5c2277efb15d255e0be59fc1
SSDEEP: 6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFTWHl:CMpASIcWYx2U6hAJQnjF
Malware Config
Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation, by each of:
  - 983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe
  - qybyq.exe
  - nupecu.exe
- Executes dropped EXE (3 IoCs)
  - PID 4328 qybyq.exe
  - PID 4632 nupecu.exe
  - PID 560 rexiy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 560 rexiy.exe (the same event logged 64 times)
- Suspicious use of WriteProcessMemory (15 IoCs; each event logged 3 times)
  - PID 2840 (983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe) wrote to memory of PID 4328, procid_target 92
  - PID 2840 (983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe) wrote to memory of PID 4824, procid_target 93
  - PID 4328 (qybyq.exe) wrote to memory of PID 4632, procid_target 96
  - PID 4632 (nupecu.exe) wrote to memory of PID 560, procid_target 116
  - PID 4632 (nupecu.exe) wrote to memory of PID 4020, procid_target 117
Processes
- C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe (PID 2840, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\983d87e0718e943176a5fa19df36f99dd3acef738abd00d0ec1c03d3491f86de.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qybyq.exe (PID 4328, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qybyq.exe" hi
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\nupecu.exe (PID 4632, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nupecu.exe" OK
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\rexiy.exe (PID 560, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\rexiy.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (PID 4020, depth 4)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  - C:\Windows\SysWOW64\cmd.exe (PID 4824, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Downloads