Analysis
max time kernel: 158s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 01:02
Static task: static1
Behavioral task: behavioral1
Sample: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
Resource: win7-20240221-en
General
Target: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe
Size: 339KB
MD5: 9458e8269e981283386b04277dc91776
SHA1: 512499b1a5884ec2b32074f9fde4683c6eb6f0e7
SHA256: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968
SHA512: f6f9eb7d66f0ab8d358d5217651ec9fa984b6fc40d5f1e210656c8cb1e71d51a40ba400f2aeaa04b0af24d75be8539dfb9d604bceb4633626d8e35a9148b1047
SSDEEP: 6144:i5tYTzqklVw910CIWrC9foCChVN6XCLWk6aMWgziMV1AXj16NYuLDuUcOibi5EBb:iUPTCBC9A/VIXCCkMWguMcj0vbd5E0/Y
Malware Config
Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: voduc.exe)
Executes dropped EXE (2 IoCs)
- PID 4644: voduc.exe
- PID 4944: oxtim.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4944: oxtim.exe (the same pid/process pair is listed for all 64 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4168 (d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe) wrote to memory of PID 4644, procid_target 95 (listed 3 times)
- PID 4168 (d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe) wrote to memory of PID 5100, procid_target 96 (listed 3 times)
- PID 4644 (voduc.exe) wrote to memory of PID 4944, procid_target 111 (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe (PID 4168, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4e2343112dffd7534ec6fbc498697c3dadabb0d6a8fc52e4b5fdd7e1eb67968.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\voduc.exe (PID 4644, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\voduc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\oxtim.exe (PID 4944, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\oxtim.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 5100, level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 676, level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads