Analysis
max time kernel: 165s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 22:23
Static task: static1
Behavioral task: behavioral1
Sample: 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
Resource: win7-20240221-en
General
Target: 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
Size: 334KB
MD5: f520c018ae79683da76d189c76bda553
SHA1: ec4334a04befb29467285e5e443ef284c6535fca
SHA256: 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a
SHA512: acc50cfaa6c185007381d9e32a8ee8d9a6100f378784499eea9a3d5bde9c398e0e67c683ec482abef3b2cc30e0adc54a0a69e1a906d2fcb84bb6e87a16f4484b
SSDEEP: 6144:DX+psoWJ+IvLI7BziS3qoJGd2Gegu8JKSFGbJ+7+3LdfoPZmxMcVp0XFGK:ymoWkI094og2GXfJKnbkS3LdAPZki1N
Malware Config
Extracted family: urelas
Extracted addresses:
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation, by 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation, by ezgux.exe
  Note that this is a registry read. Sysmon does not log value reads (its registry events cover key creation and deletion, value set and rename), so this behaviour is visible to an API-hooking sandbox or EDR but cannot be hunted for in Sysmon logs.
- Executes dropped EXE (2 IoCs)
  PID 2156 ezgux.exe
  PID 4556 ruwoe.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4556 ruwoe.exe (all 64 entries are this one process)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Columns: description / pid / Process / procid_target
  PID 1164 wrote to memory of 2156 / 1164 / 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe / 91 (listed 3 times)
  PID 1164 wrote to memory of 2400 / 1164 / 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe / 92 (listed 3 times)
  PID 2156 wrote to memory of 4556 / 2156 / ezgux.exe / 112 (listed 3 times)
  Every target here is a process the writer then runs as its own child (see the Processes section), so these entries record process start-up rather than injection into an unrelated process; the useful data is the parent-child chain sample (1164) -> ezgux.exe (2156) -> ruwoe.exe (4556), with cmd.exe (2400) as a second child of the sample.
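The WriteProcessMemory table above is the only place this report spells out which process started which. The script below is an added example, not part of the sandbox report or of the sandbox's own tooling: it parses rows in the table's column order (description / pid / Process / procid_target), collapses the triplicated rows into one edge per writer/target pair, and rebuilds the process tree. The input rows are constructed from the nine entries above; the names for PIDs that only appear as targets (2400, 4556) are taken from the Processes section. A target written to by two different parents would be cross-process injection rather than child start-up, so the builder refuses to merge it silently instead of overwriting the first parent.

```python
import re
from collections import defaultdict

# Sample name as it appears in the report.
SAMPLE = "79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"

# Constructed input: the nine rows of the "Suspicious use of WriteProcessMemory"
# table, one row per line, columns description / pid / Process / procid_target.
WPM_ROWS = [
    f"PID 1164 wrote to memory of 2156 1164 {SAMPLE} 91",
    f"PID 1164 wrote to memory of 2156 1164 {SAMPLE} 91",
    f"PID 1164 wrote to memory of 2156 1164 {SAMPLE} 91",
    f"PID 1164 wrote to memory of 2400 1164 {SAMPLE} 92",
    f"PID 1164 wrote to memory of 2400 1164 {SAMPLE} 92",
    f"PID 1164 wrote to memory of 2400 1164 {SAMPLE} 92",
    "PID 2156 wrote to memory of 4556 2156 ezgux.exe 112",
    "PID 2156 wrote to memory of 4556 2156 ezgux.exe 112",
    "PID 2156 wrote to memory of 4556 2156 ezgux.exe 112",
]

# Names for PIDs that only ever appear as write targets, taken from the Processes section.
TARGET_NAMES = {2400: "cmd.exe", 4556: "ruwoe.exe"}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(rows):
    """Parse table rows into (writer_pid, target_pid, writer_name, procid_target).

    Repeated rows for the same writer/target pair are collapsed to a single edge;
    order of first appearance is kept. Rows whose pid column disagrees with the
    description are rejected rather than guessed at.
    """
    edges, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target, pid_col, name, procid = m.groups()
        if writer != pid_col:
            raise ValueError(f"pid column {pid_col} disagrees with description in {row!r}")
        edge = (int(writer), int(target))
        if edge in seen:
            continue
        seen.add(edge)
        edges.append((edge[0], edge[1], name, int(procid)))
    return edges


def build_tree(edges, target_names=()):
    """Return (parent, children, names) built from writer -> target edges."""
    names = dict(target_names)
    parent, children = {}, defaultdict(list)
    for writer, target, writer_name, _ in edges:
        names.setdefault(writer, writer_name)
        if target in parent and parent[target] != writer:
            # Two distinct writers into one target is injection, not start-up:
            # surface it instead of silently re-parenting the process.
            raise ValueError(f"PID {target} written by both {parent[target]} and {writer}")
        parent[target] = writer
        children[writer].append(target)
    return parent, children, names


def roots(parent, children):
    """PIDs that write to others but are never written to: the tree roots."""
    return [pid for pid in children if pid not in parent]


def render(children, names, pid, depth=0):
    """Indented text rendering of the subtree below `pid`."""
    lines = ["  " * depth + f"{names.get(pid, '?')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def process_tree(rows=WPM_ROWS, target_names=TARGET_NAMES):
    """Full pipeline: rows -> deduplicated edges -> rendered tree lines."""
    parent, children, names = build_tree(parse_rows(rows), target_names)
    out = []
    for root in roots(parent, children):
        out.extend(render(children, names, root))
    return out


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

Run stand-alone it prints the sample at the root with ezgux.exe and cmd.exe beneath it and ruwoe.exe beneath ezgux.exe, which is the same tree the Processes section draws. Feeding it a row in which a second, unrelated PID writes into 4556 raises instead of quietly re-parenting ruwoe.exe, which is the case a practitioner actually wants flagged.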
Processes
- C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ezgux.exe (PID 2156)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ezgux.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ruwoe.exe (PID 4556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ruwoe.exe"
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2400)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    The image path is SysWOW64 although the command line names system32: that is WoW64 file system redirection, which tells you the parent sample is a 32-bit process. The batch file itself is not among the captured downloads on this page.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 340B
  MD5: b578d81e6d8a659877eec06c889f404d
  SHA1: 0aaa73802f52d360dab41648e193e1ae018800e6
  SHA256: ceee0e409d840995b1dad0b8672930433b60c91755ae2eccc384a718e3d67acb
  SHA512: 24d03f93441094c6e0aa72135af914b1c7492009670679c71e0d38659fbcf048ad5a995ce0c1987d333627268cba43415cd526e8d3d3b459693949b9bf12c329
- Filesize: 334KB
  MD5: eccc7864bf3ca12987dd3723925b2017
  SHA1: 8877b0d99a4652c746b0568d7a41acb297d04f16
  SHA256: e9b4dbe232e520b3a5848e051c1841bd6a182a3baac81943f0a0555783a2d8ea
  SHA512: a5beaef1c0ebbddb43d50862dbfc9c91cf06b9784c6b9cfa62df1970d02b38fb345db7c82fc7582554f6ad237731ea5b525492b416c3f0c0fe72e8d39f9c4aa6
- Filesize: 512B
  MD5: 35543edf7f2cdc358b57b97d1e84c109
  SHA1: 3566c31d2958540fb8bffdc2b636413617c2effa
  SHA256: 485fbfa83e26780f64a270aadf8b677f09f9d3f03198a30a31dc23851faaf74e
  SHA512: 018c7df44fabc30e3da6cd0e1fce6c02bf945705fe5b21f92c4cf2e81243196af96eaa577072383b48b2db500117a80dec82e1b440432a300c13566febe82eb7
- Filesize: 176KB
  MD5: 1fd1ef41e89a0138d87ffaafc676f785
  SHA1: 75856eb0a7adde21667133d74357ef6a6f20fc5f
  SHA256: 04e35c01977d3aab40b720ed96c5472f8546e8f2c7c01d90954854a92a25b102
  SHA512: b1a63f9a14782d225a68a8358ec3eda824751c3cadfdea15575e8f130514ae2dcdbad429278fd1609e7cc6b003cf8da4b5817b50a6ab3bc1adf2b4b9c9607e92