Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 01:23

General

  • Target

    e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe

  • Size

    368KB

  • MD5

    5865754070c52488a9d6a4d6bbc1aa8f

  • SHA1

    4981a3119b99a5c7f415cb7e1376b73f4b42e2c1

  • SHA256

    e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83

  • SHA512

    e4c98eb29093dde36532baad3056e4089501975351ed9289a78da6b01f9b0182484b20a3e560dec07115fec8a20f37e90d85a3ee13d65c0436836a2f10f4e4bb

  • SSDEEP

    6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pih:CzGL2C2aZ2/F1WHHUaveOHjTeh

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
    "C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\kuwos.exe
      "C:\Users\Admin\AppData\Local\Temp\kuwos.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Users\Admin\AppData\Local\Temp\qytur.exe
        "C:\Users\Admin\AppData\Local\Temp\qytur.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3044
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize: 340B
    MD5: b3f3a09e69a384384dee5a7aab5b1eb9
    SHA1: c824ef2a85127360a79c6f9e05cb17dbe3487482
    SHA256: 0096b4fb55ac09fbad09fe5de526ebd1eee8fc9a93d42d78c7e75e1fadc846ce
    SHA512: 6c65782abbef3f0034dc1d7c2f6d79597a8fa502dcda529e4c4811770a677a72c02c561643045af92a3570c5f2a89c33da94c70e562998e82eb708285defdda7

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize: 512B
    MD5: d74d0126be76b801d73a4216cbabe375
    SHA1: 39c1023960e22acca2e78517321db24318239cf9
    SHA256: d7f12cd0a3ff68dfc6aec812083fb7b4ea9305ef41b724051fb75fdd07e61567
    SHA512: ea38c4d7eab6c72c286aeb9f51102609e3435fe0a9ba34103ada38590c16b325d526963cb205affc24651f40c65de8d44fa7c9c53a6c590f042a86fbdd9d08c6

  • C:\Users\Admin\AppData\Local\Temp\kuwos.exe
    Filesize: 368KB
    MD5: fe81a55854a3fef3e20991d17671c5b1
    SHA1: 8dad84d5874a76158d89d2ee861e98df86221453
    SHA256: 2b345db394559844e2b33708697c76c23fd137968378e025d6326114a1e470f5
    SHA512: ca8d38e6800c13d624007b79ec93c14f05a671efd8cf2b97f8f2da3187154e6d1c35d8f8d9b10b5770e86f9ce0adfa28ad71e1328e4c87cf8537f2f0d8dece89

  • C:\Users\Admin\AppData\Local\Temp\qytur.exe
    Filesize: 303KB
    MD5: 9ae3cd6b502a09fb77937f7d3b0f7a7a
    SHA1: 9210a676b51ab0cab42008a9121634ac90881a14
    SHA256: 81fccec4a237bc011c361858eae6a8647662581167db39e466c962bc334f8e8f
    SHA512: 8399fb006784297aef0e083ddbcb9157fcd536b34474d1ee20c6b533fee5a1c342760fea4f5fc6db0f706cfdd3f8faf799bc0be15386181e24a0d3502d963031