Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 01:41
Behavioral task: behavioral1
Sample: eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
Resource: win7-20240221-en
General
Target: eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
Size: 373KB
MD5: 55eda1ca8ed336f54e1d9846abece7ec
SHA1: 7510064da4f0992ce1a8f0a7e3ad95d46512a559
SHA256: eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748
SHA512: 02ad56ebe494a76ba75a214e680e9ad9eeba46fd84da938b96d4c352ead751ece83d5ceb64fe333660d0818c5035c99c0336bad04cd274d831bfde753ab9990b
SSDEEP: 6144:LlwArTEDSCs5wL0q/mdwoJgugiIX9Ghal1qU/YagPOl6xVrprI3F:LKmQDSCs5woMmd9axVNG4qugPO+V8
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

UPX dump on OEP (original entry point) 6 IoCs
resource yara_rule
behavioral2/memory/1892-0-0x0000000000400000-0x000000000045E000-memory.dmp UPX
behavioral2/files/0x0007000000023231-6.dat UPX
behavioral2/memory/3200-12-0x0000000000400000-0x000000000045E000-memory.dmp UPX
behavioral2/memory/1892-14-0x0000000000400000-0x000000000045E000-memory.dmp UPX
behavioral2/memory/3200-17-0x0000000000400000-0x000000000045E000-memory.dmp UPX
behavioral2/memory/3200-27-0x0000000000400000-0x000000000045E000-memory.dmp UPX
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation nosit.exe

Executes dropped EXE 2 IoCs
pid Process
3200 nosit.exe
3204 capyj.exe

resource yara_rule
behavioral2/memory/1892-0-0x0000000000400000-0x000000000045E000-memory.dmp upx
behavioral2/files/0x0007000000023231-6.dat upx
behavioral2/memory/3200-12-0x0000000000400000-0x000000000045E000-memory.dmp upx
behavioral2/memory/1892-14-0x0000000000400000-0x000000000045E000-memory.dmp upx
behavioral2/memory/3200-17-0x0000000000400000-0x000000000045E000-memory.dmp upx
behavioral2/memory/3200-27-0x0000000000400000-0x000000000045E000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3204 capyj.exe (the same pid/process pair is recorded for all 64 IoC entries)

Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 1892 wrote to memory of 3200 1892 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe 90
PID 1892 wrote to memory of 3200 1892 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe 90
PID 1892 wrote to memory of 3200 1892 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe 90
PID 1892 wrote to memory of 1724 1892 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe 91
PID 1892 wrote to memory of 1724 1892 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe 91
PID 1892 wrote to memory of 1724 1892 eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe 91
PID 3200 wrote to memory of 3204 3200 nosit.exe 105
PID 3200 wrote to memory of 3204 3200 nosit.exe 105
PID 3200 wrote to memory of 3204 3200 nosit.exe 105
Processes

C:\Users\Admin\AppData\Local\Temp\eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe (depth 1, PID 1892)
  command line: "C:\Users\Admin\AppData\Local\Temp\eae1f6609862456c8dbd5e21484a204fc84ab5b48ebb131aa46a4a9368b3d748.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nosit.exe (depth 2, PID 3200)
    command line: "C:\Users\Admin\AppData\Local\Temp\nosit.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\capyj.exe (depth 3, PID 3204)
      command line: "C:\Users\Admin\AppData\Local\Temp\capyj.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1724)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads