Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 01:23
Behavioral task behavioral1
Sample: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
Resource: win7-20240220-en
Behavioral task behavioral2
Sample: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
Resource: win10v2004-20240226-en
(The results on this page are from behavioral2, the win10v2004-20240226-en run named in the Analysis header.)
General
Target: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
Size: 368KB
MD5: 5865754070c52488a9d6a4d6bbc1aa8f
SHA1: 4981a3119b99a5c7f415cb7e1376b73f4b42e2c1
SHA256: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83
SHA512: e4c98eb29093dde36532baad3056e4089501975351ed9289a78da6b01f9b0182484b20a3e560dec07115fec8a20f37e90d85a3ee13d65c0436836a2f10f4e4bb
SSDEEP: 6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pih:CzGL2C2aZ2/F1WHHUaveOHjTeh
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country/region (GeoID) configured in the registry under Control Panel\International\Geo\Nation, likely a geofence check. Both the submitted sample and the dropped kuwos.exe query it:
- Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (process: e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (process: kuwos.exe)
Executes dropped EXE (2 IoCs)
- PID 4608: kuwos.exe
- PID 3044: qytur.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3044: qytur.exe (all 64 entries are this one process)
Suspicious use of WriteProcessMemory (9 IoCs)
Each entry records the writing PID, the PID written to, the writing process image and procid_target. Each pair appears three times, so the nine entries reduce to three parent/child links, matching the process tree below:
- PID 3504 wrote to memory of 4608 (e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe -> kuwos.exe), procid_target 92, 3 entries
- PID 3504 wrote to memory of 4376 (e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe -> cmd.exe), procid_target 93, 3 entries
- PID 4608 wrote to memory of 3044 (kuwos.exe -> qytur.exe), procid_target 106, 3 entries
Processes
Image: C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe"
PID: 3504 (depth 1)
- Checks computer location settings
- Suspicious use of WriteProcessMemory
  Image: C:\Users\Admin\AppData\Local\Temp\kuwos.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kuwos.exe"
  PID: 4608 (depth 2, parent 3504)
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    Image: C:\Users\Admin\AppData\Local\Temp\qytur.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\qytur.exe"
    PID: 3044 (depth 3, parent 4608)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  PID: 4376 (depth 2, parent 3504)
  (The command line names system32 but the image is under SysWOW64: the 32-bit parent launched cmd.exe through WoW64 file system redirection.)
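The report presents the launch chain as three signatures (dropped EXEs, WriteProcessMemory entries, the Processes tree) that have to be read together. The following is an added example, not part of the sandbox report: a Python script that reconstructs that chain from the WriteProcessMemory entries, collapsing the three-fold repeats, finding the root (the submitted sample) and tagging each process with the "Executes dropped EXE" and Geo\Nation signatures. The IoC lines are copied from the report and the pid-to-image map is taken from the Processes section; treating each parent-writes-to-child entry as a launch edge is what the Processes tree confirms for this sample.

```python
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" IoCs
# (copied verbatim; each parent/child pair appears three times in the report).
WPM_IOCS = """\
PID 3504 wrote to memory of 4608 3504 e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe 92
PID 3504 wrote to memory of 4608 3504 e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe 92
PID 3504 wrote to memory of 4608 3504 e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe 92
PID 3504 wrote to memory of 4376 3504 e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe 93
PID 3504 wrote to memory of 4376 3504 e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe 93
PID 3504 wrote to memory of 4376 3504 e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe 93
PID 4608 wrote to memory of 3044 4608 kuwos.exe 106
PID 4608 wrote to memory of 3044 4608 kuwos.exe 106
PID 4608 wrote to memory of 3044 4608 kuwos.exe 106
"""

# Constructed from the report's "Processes" section: pid -> image basename.
PROCESSES = {
    3504: "e10d0788ff488ac7687575891e18ef969f31290a72571deaa7097f8c138c1d83.exe",
    4608: "kuwos.exe",
    3044: "qytur.exe",
    4376: "cmd.exe",
}
# From "Executes dropped EXE" and "Checks computer location settings".
DROPPED = {4608, 3044}
QUERIES_GEO_NATION = {PROCESSES[3504], "kuwos.exe"}

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)$"
)


def parse_wpm(text):
    """Collapse repeated entries into {child_pid: (parent_pid, parent_image, procid_target)}."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-IoC lines
        src, dst = int(m["src"]), int(m["dst"])
        entry = (src, m["image"], int(m["target"]))
        if edges.get(dst, entry) != entry:
            raise ValueError(f"pid {dst} written to by two different parents")
        edges[dst] = entry
    return edges


def roots(edges):
    """Pids that wrote to others but were never written to: the submitted sample."""
    parents = {e[0] for e in edges.values()}
    return sorted(parents - set(edges))


def launch_chain(edges, pid):
    """Root-to-pid chain, e.g. [3504, 4608, 3044] for qytur.exe."""
    chain = [pid]
    while chain[0] in edges:
        parent = edges[chain[0]][0]
        if parent in chain:
            raise ValueError("cycle in parent links")
        chain.insert(0, parent)
    return chain


def render_tree(edges, images):
    """One line per process, indented by depth, tagged with the report's signatures."""
    children = defaultdict(list)
    for child, (parent, _, _) in edges.items():
        children[parent].append(child)
    lines = []

    def walk(pid, depth):
        name = images.get(pid, f"pid {pid}")
        tags = []
        if pid in DROPPED:
            tags.append("dropped EXE")
        if name in QUERIES_GEO_NATION:
            tags.append("queries Geo\\Nation")
        suffix = f"  [{', '.join(tags)}]" if tags else ""
        lines.append("  " * depth + f"{pid} {name}{suffix}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_wpm(WPM_IOCS), PROCESSES)))
```

Running it prints the same four-process tree the report shows, with qytur.exe two launches below the submitted sample; parse_wpm raises if a pid appears with two different parents, which would indicate an injection target rather than a plain child launch.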
-
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists dropped/downloaded artifacts by size and hash only and does not name them.
Artifact 1
Filesize: 340B
MD5: b3f3a09e69a384384dee5a7aab5b1eb9
SHA1: c824ef2a85127360a79c6f9e05cb17dbe3487482
SHA256: 0096b4fb55ac09fbad09fe5de526ebd1eee8fc9a93d42d78c7e75e1fadc846ce
SHA512: 6c65782abbef3f0034dc1d7c2f6d79597a8fa502dcda529e4c4811770a677a72c02c561643045af92a3570c5f2a89c33da94c70e562998e82eb708285defdda7
Artifact 2
Filesize: 512B
MD5: d74d0126be76b801d73a4216cbabe375
SHA1: 39c1023960e22acca2e78517321db24318239cf9
SHA256: d7f12cd0a3ff68dfc6aec812083fb7b4ea9305ef41b724051fb75fdd07e61567
SHA512: ea38c4d7eab6c72c286aeb9f51102609e3435fe0a9ba34103ada38590c16b325d526963cb205affc24651f40c65de8d44fa7c9c53a6c590f042a86fbdd9d08c6
Artifact 3
Filesize: 368KB
MD5: fe81a55854a3fef3e20991d17671c5b1
SHA1: 8dad84d5874a76158d89d2ee861e98df86221453
SHA256: 2b345db394559844e2b33708697c76c23fd137968378e025d6326114a1e470f5
SHA512: ca8d38e6800c13d624007b79ec93c14f05a671efd8cf2b97f8f2da3187154e6d1c35d8f8d9b10b5770e86f9ce0adfa28ad71e1328e4c87cf8537f2f0d8dece89
Artifact 4
Filesize: 303KB
MD5: 9ae3cd6b502a09fb77937f7d3b0f7a7a
SHA1: 9210a676b51ab0cab42008a9121634ac90881a14
SHA256: 81fccec4a237bc011c361858eae6a8647662581167db39e466c962bc334f8e8f
SHA512: 8399fb006784297aef0e083ddbcb9157fcd536b34474d1ee20c6b533fee5a1c342760fea4f5fc6db0f706cfdd3f8faf799bc0be15386181e24a0d3502d963031