Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
11/03/2024, 01:25
Behavioral task
behavioral1
Sample
bf7a5db5b56489321d405dccc39b0f58.exe
Resource
win7-20231129-en
General
-
Target
bf7a5db5b56489321d405dccc39b0f58.exe
-
Size
465KB
-
MD5
bf7a5db5b56489321d405dccc39b0f58
-
SHA1
76c90577e132541b4f53928d04bf7fa10b508699
-
SHA256
2360ff4b08c781ca8bad30e528d943ad791611cc26a9df276043423b0566ad5e
-
SHA512
de132c95ab1a31e84e32ec0626a500142609a9dd4fdf7b333dd156dbfa0b623f9a39f500df604ffd6a23e498eeafa2013f63dd695bb11f986fdff79cdefbf128
-
SSDEEP
12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uo:m6tQCG0UUPzEkTn4AC1+7
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                    Process
Key value queried   \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation   juafk.exe
Key value queried   \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation   bf7a5db5b56489321d405dccc39b0f58.exe
-
Executes dropped EXE 2 IoCs
pid    Process
3112   juafk.exe
4336   devel.exe
-
resource                                                                        yara_rule
behavioral2/files/0x00070000000233df-21.dat                                     upx
behavioral2/memory/4336-26-0x0000000000400000-0x000000000049F000-memory.dmp     upx
behavioral2/memory/4336-28-0x0000000000400000-0x000000000049F000-memory.dmp     upx
behavioral2/memory/4336-29-0x0000000000400000-0x000000000049F000-memory.dmp     upx
behavioral2/memory/4336-30-0x0000000000400000-0x000000000049F000-memory.dmp     upx
behavioral2/memory/4336-31-0x0000000000400000-0x000000000049F000-memory.dmp     upx
behavioral2/memory/4336-32-0x0000000000400000-0x000000000049F000-memory.dmp     upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
4336   devel.exe   (64 identical entries)
-
Suspicious use of WriteProcessMemory 9 IoCs
description                          pid    Process                                procid_target
PID 2576 wrote to memory of 3112     2576   bf7a5db5b56489321d405dccc39b0f58.exe   94
PID 2576 wrote to memory of 3112     2576   bf7a5db5b56489321d405dccc39b0f58.exe   94
PID 2576 wrote to memory of 3112     2576   bf7a5db5b56489321d405dccc39b0f58.exe   94
PID 2576 wrote to memory of 752      2576   bf7a5db5b56489321d405dccc39b0f58.exe   95
PID 2576 wrote to memory of 752      2576   bf7a5db5b56489321d405dccc39b0f58.exe   95
PID 2576 wrote to memory of 752      2576   bf7a5db5b56489321d405dccc39b0f58.exe   95
PID 3112 wrote to memory of 4336     3112   juafk.exe                              110
PID 3112 wrote to memory of 4336     3112   juafk.exe                              110
PID 3112 wrote to memory of 4336     3112   juafk.exe                              110
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"
   PID: 2576
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\juafk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\juafk.exe"
      PID: 3112
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\devel.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\devel.exe"
         PID: 4336
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      PID: 752
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
276B
MD5
1e0d50a82fc10397abbb7ec39a3b9f44
SHA1
16253bb940e51d513f8b6605bfb58c1f10bc8e9a
SHA256
e8ca7f9eafcf0ac65bc881697efb9310becf7f810c0589d9baf5c798b088ce9e
SHA512
980aca66c367ca6e227c28a3e95cd06f3c91a1f237cdff37f0909af2f4bb3a3e74dac72420c4947e1a3c4c383d79d8ba132161510406216b6a1967afc1db8088
-
Filesize
198KB
MD5
b457a05034a9f75de5f24b75ea42c882
SHA1
2e9c3efbd76c41c8d505a3ecea5244916771245b
SHA256
cf1f8c0aab715fa116212d211de27193c79d17e811e4379d01a9d6195394d589
SHA512
9709cb923e4c631f41b908cee8c3fd74c66a47439a22c220287cf095f14b6136c6cc6c991434a6a14f497f72c491c61cf5a7c25185829d97a6f584cecffc0670
-
Filesize
512B
MD5
50b0d9db19bf0013425997997232524a
SHA1
6eef77052529f31179724f7696a5fb61e5713dcc
SHA256
b4650df961e91e1e72d155ec53606658f2cc60e304f94f7df762113c9c369a71
SHA512
9551a52a636dcad29943ddc81704a62bfd989ec0bcc5149a1eec06c070e377eab5398e9b6fdbb2c722aee168099d75f3dbf17ebefb1e00e46a86ec365f445600
-
Filesize
466KB
MD5
899ec373e977e110441f1bb378e34215
SHA1
be504b3ca7ec4419275930a752a0007d59a49032
SHA256
45033c2e39a999b6b8bc3a516ed62327c6a6e6058267ced8c77acacf38918484
SHA512
69803b4ee6276ad84d60eb604bab95a0d1a2df781cb309b0ba855103361fa538804c659dd7a7e86df28285dd830c890bb44e291dd14e9495a2d6882c3e27a45c