Analysis
max time kernel: 128s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 00:07
Behavioral task: behavioral1
Sample: b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
Resource: win7-20240221-en
General
Target: b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
Size: 470KB
MD5: 4a5298ea39ded905fee91d92f993e5a8
SHA1: ea62984293b5717220f54f19269cfd856d481cbf
SHA256: b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263
SHA512: b57e3b8a759bd62a0462bde84659441b64db7c3a12e08a9b5f6363ea3f855c2a9dec2a5dea221a27230523d54e4b216894bc4b77c756f8a6326b1e1a4870e978
SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6mwrxcvkzmSOphmYHa:PMpASIcWYx2U6kQnaHa
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | reuzu.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | qozeso.exe

Executes dropped EXE (3 IoCs)
pid | Process
2412 | reuzu.exe
3548 | qozeso.exe
4388 | abjas.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2796 | 4388 | WerFault.exe | 97
1004 | 4388 | WerFault.exe | 97

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2280 wrote to memory of 2412 | 2280 | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe | 85
PID 2280 wrote to memory of 2412 | 2280 | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe | 85
PID 2280 wrote to memory of 2412 | 2280 | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe | 85
PID 2280 wrote to memory of 4204 | 2280 | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe | 86
PID 2280 wrote to memory of 4204 | 2280 | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe | 86
PID 2280 wrote to memory of 4204 | 2280 | b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe | 86
PID 2412 wrote to memory of 3548 | 2412 | reuzu.exe | 88
PID 2412 wrote to memory of 3548 | 2412 | reuzu.exe | 88
PID 2412 wrote to memory of 3548 | 2412 | reuzu.exe | 88
PID 3548 wrote to memory of 4388 | 3548 | qozeso.exe | 97
PID 3548 wrote to memory of 4388 | 3548 | qozeso.exe | 97
PID 3548 wrote to memory of 4388 | 3548 | qozeso.exe | 97
PID 3548 wrote to memory of 5100 | 3548 | qozeso.exe | 99
PID 3548 wrote to memory of 5100 | 3548 | qozeso.exe | 99
PID 3548 wrote to memory of 5100 | 3548 | qozeso.exe | 99
Processes

Image: C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"
  PID: 2280
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Image: C:\Users\Admin\AppData\Local\Temp\reuzu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\reuzu.exe" hi
    PID: 2412
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Image: C:\Users\Admin\AppData\Local\Temp\qozeso.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\qozeso.exe" OK
      PID: 3548
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      Image: C:\Users\Admin\AppData\Local\Temp\abjas.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\abjas.exe"
        PID: 4388
        - Executes dropped EXE

        Image: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 216
          PID: 2796
          - Program crash

        Image: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 220
          PID: 1004
          - Program crash

      Image: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 5100

  Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 4204

Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
  PID: 4340

Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4388 -ip 4388
  PID: 4996
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224B
MD5: da843167b8bdfc6f7477976a7a7d4a42
SHA1: f8c20bf59448b35227b26099b63724091a0b68fb
SHA256: 4697cba571b98d6b6c099546181734044ac5e7738785e267c07866075cff3d67
SHA512: 4a02893e64b6ef9d24e76cca9717db6947c2e26ff3e829cbba3980be53ce8eaa599d4a29cee123cf8274bd63550526de94763278bd2da7702c16930aaefd6d89

Filesize: 340B
MD5: 392fe03859a4f294d2c15cb4fd401002
SHA1: 2dacf37e880afcbe94f8beb123cf64ca3571336e
SHA256: c8c8530256248be7c054c1657b998440bc6b3371985033bcfdedd490dd14a99e
SHA512: c7752051a881f0038ec9effe69d896f24264bba22dd189e8a59f328ed56bc2d285e3b96bafb7eb02ed4463923d451377960582fee4bb7c43ce8e950f4c8b2f03

Filesize: 223KB
MD5: 4091050586686180c782b16c79c7d2b8
SHA1: b9b168e16f1e1cc731ba09983233b3810f6e887a
SHA256: 6da6aaae31932108601ee627b099c7d365e874e37a32eec10cef788fba90a06b
SHA512: 6bb8ec522a407e13eaff8eea9d938ab66f15d60d2048209a645c4d01ff609123918c25d81fde39f14127e462761f39b6dde064e81f67515a6a1bcef5169c56b7

Filesize: 512B
MD5: 6bf66ae60e32751c890307931922529d
SHA1: 2d2a8e37de5a111c13d30c2b1d1194b95a5710e4
SHA256: 0fd7d3d36f2c71ad9a8d00db273e424a8964b650ac8c8d5c81afc76f26b06205
SHA512: 7538520615300bc708231e2b2354ce4e60148d016377189fc06c42b44100af00bfaec8e655559fa1931d5a1ad37d4f219a88d73da8ae437374bcecc734213a39

Filesize: 470KB
MD5: 59a4ae54b766af8467f135cf98f88b39
SHA1: b8a073d4de9ad174f79bae455ea2903f09eaa0d7
SHA256: c77159fd85da67e8a82d7e3a59287c67a1aa0a4f09a068365ada71a95f286c87
SHA512: 2379bc030393fd1624a2e507696adfd543b174b7876f001aaeafecd9025cba2662f7df1955ced0e03fa0abb92dc8dbbf273d32d44c4eae8b0a5a19d4dcc15f33

Filesize: 470KB
MD5: 2873087efcc5ad82e7edaab61fc20ede
SHA1: 0b26154719ba6c6136487f26e128e36d4f34d6ef
SHA256: ad79e65f08cfe2e0d76eb8a53f6c382f79102c02e3271fbfb5fdabd787f37162
SHA512: 648b387e0947fc1ff65bf1998f03c868d69a9e3d8bc44d9a241e5949bfa5dbce43f63cd8cbd188a0475dd657a6d611e0b9fb95b5f27abdad83c9fec003bcdbca