Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/03/2024, 01:50

Behavioral task
- behavioral1
- Sample: efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
- Resource: win7-20240221-en
General
- Target: efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
- Size: 417KB
- MD5: 00724a083da6b4a83fdd91bb2bd99ca9
- SHA1: 0d4183c1360bb304ea26dd9b89ebda0d433db1a7
- SHA256: efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f
- SHA512: 936a64fdcc9e8dc6af1c0b1c9693743d01275c539f074d86bab0b633601bdb591e2c572cb4ce967a974550a232e8defeed74b359dba89b59aa2946c9e4b490b9
- SSDEEP: 6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrBw/i1:yIfBoDWoyFboU6hAJQnrMK

Malware Config
Extracted
- Family: urelas
- C2: 218.54.31.165
- C2: 218.54.31.226
Signatures

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        | ioc                                                                                                              | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation               | tyemk.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation               | ugkepo.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation               | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe

- Executes dropped EXE (3 IoCs)
  pid  | Process
  4856 | tyemk.exe
  208  | ugkepo.exe
  5092 | lunoh.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  5092 | lunoh.exe (64 identical entries)

- Suspicious use of WriteProcessMemory (15 IoCs)
  description                     | pid  | Process                                                               | procid_target
  PID 532 wrote to memory of 4856 | 532  | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | 88
  PID 532 wrote to memory of 4856 | 532  | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | 88
  PID 532 wrote to memory of 4856 | 532  | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | 88
  PID 532 wrote to memory of 4800 | 532  | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | 89
  PID 532 wrote to memory of 4800 | 532  | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | 89
  PID 532 wrote to memory of 4800 | 532  | efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe | 89
  PID 4856 wrote to memory of 208 | 4856 | tyemk.exe                                                             | 91
  PID 4856 wrote to memory of 208 | 4856 | tyemk.exe                                                             | 91
  PID 4856 wrote to memory of 208 | 4856 | tyemk.exe                                                             | 91
  PID 208 wrote to memory of 5092 | 208  | ugkepo.exe                                                            | 107
  PID 208 wrote to memory of 5092 | 208  | ugkepo.exe                                                            | 107
  PID 208 wrote to memory of 5092 | 208  | ugkepo.exe                                                            | 107
  PID 208 wrote to memory of 1644 | 208  | ugkepo.exe                                                            | 108
  PID 208 wrote to memory of 1644 | 208  | ugkepo.exe                                                            | 108
  PID 208 wrote to memory of 1644 | 208  | ugkepo.exe                                                            | 108
Processes

1. C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efb8e1f2ead7b6bf1a47d362795ac8692c83c07c2b078ce7c9f8462284c18e6f.exe"
   PID: 532
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\tyemk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tyemk.exe" hi
      PID: 4856
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ugkepo.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ugkepo.exe" OK
         PID: 208
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\lunoh.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\lunoh.exe"
            PID: 5092
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 1644

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 4800
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 224B
  MD5: fca81d33e0876b26896217321508cacc
  SHA1: a1d3a2a38b0b476ffb3810dc6b0f45f125bfebac
  SHA256: a5052add7e1504063a4b8e2095333c9d594966801c5509c08f508d2510478d13
  SHA512: 1499b88f12d5b650c86210a7c36f93cff01987eebfafc70500f4044f94a183d95906e3064ab25f675965da3c067e0ad9bcc06d0ca057463b0274850b32683b24

- Filesize: 340B
  MD5: a65cffa3f9e4bd1aacd4d90db2c6bae6
  SHA1: ab3ef5fe18dc0f4353c5f04dd72e62b52fb14aa8
  SHA256: 797d4c939a4bf6d97f3375d70afe1036ca8902cd94ddf8bc94a190e4383481e2
  SHA512: dab3b8439c0131a5fda0dbee08bd8c5a307717ec53a24eded50ed667505f6b236d4e9720bf0b3d8ced9699e3601f10a9d36d82cde6133492bfa4e5e6cd3602bf

- Filesize: 512B
  MD5: 4f466e6bd8ce8e9145583c87fe175352
  SHA1: 2c911abccc9440e86972af23fc179bb0ee23f2b4
  SHA256: 42b80647200bea21f8607bd59d998a24d44fface212d6d6c065f0cc14c4a5c2a
  SHA512: d10ef6faa6a9a748a830a9b6eedbd910509f526854aa143101797d9ed70e01161eecbb8adc6769a82bdd52ca877432380704bd80218d36cc8ebff0c8e4f7b047

- Filesize: 223KB
  MD5: 9ce426467a64883feec9db95a6a8594f
  SHA1: d587104e480c2734bdf1b75ab5a92abdcd9f0821
  SHA256: a3bf84b102412137ab610a66a7030f3d65df238995c088c23669a18d54501ca6
  SHA512: 0cc9ff459fd414de589a705e6f558f60db644b02bcff206643fd7975c9ed156221fdee8b289cc358851d64bd73f375f020aea57c920b3384f11abf37cf98a230

- Filesize: 417KB
  MD5: 64811161a55bfa10c9f47c2f5d949174
  SHA1: 4648dd963a905074b5bb9b25688ab308b89c39d7
  SHA256: 26f4d6de578fc1fca3dbc32a82a6905945c94a4a1b68ec1c9068e9d1847fbdd6
  SHA512: d180f84b744199a1fe40d4c0a72e115ac321a74b27663efbe285f8db0d301af15a3f70f54777893703890bb46238a8429b7d2627ca11d833a0dda0032f6f78d7

- Filesize: 417KB
  MD5: a6d835de333da9ff8cc1cb2e25ee29f7
  SHA1: 989a6f4b462d2641cd8631767048fd7462a92f83
  SHA256: 2b4f22445ba475d67eaa90dfa73e50b89b1efc1da9ae411f6855c21b05d5680f
  SHA512: d90a3c543a87d5c5646c3bfdb5a30fd3fee59ee8b32e14906fc3a68a36f7627b23cd9adb4c146e228fc402c685f88ef32e7fc779e8316d67d5bc702186c2e79f