Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 04:26
Behavioral task: behavioral1
Sample: bfd7a02cc1d28ca7231b333c14ff280f.exe
Resource: win7-20240221-en
General
Target: bfd7a02cc1d28ca7231b333c14ff280f.exe
Size: 536KB
MD5: bfd7a02cc1d28ca7231b333c14ff280f
SHA1: f825f75ce4574588f307803b37f24d7d8831bef3
SHA256: 4dbc1a06048161314d5e154fffeaa5a9ea12615931fb72848860cfffbcd46931
SHA512: 3c2bce0388cf5672d6283a234338db92c944949109d250668ebf52290592553ca3bc196f1553d8c2cb594d8b513576774cdba0380ba4057711aff290f89f3b58
SSDEEP: 12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPP:q0P/k4lb2wKatP
Malware Config
Extracted: urelas
C2: 218.54.31.226
C2: 218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | genua.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | bfd7a02cc1d28ca7231b333c14ff280f.exe

Executes dropped EXE (2 IoCs)
pid | Process
4144 | genua.exe
2748 | hojaj.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2748 | hojaj.exe (this same entry is listed 64 times in the report)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1700 wrote to memory of 4144 | 1700 | bfd7a02cc1d28ca7231b333c14ff280f.exe | 90
PID 1700 wrote to memory of 4144 | 1700 | bfd7a02cc1d28ca7231b333c14ff280f.exe | 90
PID 1700 wrote to memory of 4144 | 1700 | bfd7a02cc1d28ca7231b333c14ff280f.exe | 90
PID 1700 wrote to memory of 4252 | 1700 | bfd7a02cc1d28ca7231b333c14ff280f.exe | 91
PID 1700 wrote to memory of 4252 | 1700 | bfd7a02cc1d28ca7231b333c14ff280f.exe | 91
PID 1700 wrote to memory of 4252 | 1700 | bfd7a02cc1d28ca7231b333c14ff280f.exe | 91
PID 4144 wrote to memory of 2748 | 4144 | genua.exe | 107
PID 4144 wrote to memory of 2748 | 4144 | genua.exe | 107
PID 4144 wrote to memory of 2748 | 4144 | genua.exe | 107
Processes (tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"
  PID: 1700
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\genua.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\genua.exe"
      PID: 4144
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\hojaj.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\hojaj.exe"
          PID: 2748
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 4252
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276B
MD5: ae99bd0254865d7d31687d314d7480b1
SHA1: 24fdb3bfd75e25f9175b3ae77166510f1f24251e
SHA256: a7e256c5b1d05918094d474c94f1609757d8f8af337d33d58c138b423c5329a5
SHA512: abd79e561435c12372c9110a69470a33720aade8ddec84a61ac73e8e33ea4af87d7513d5ab4fba68d8bbe556126c6db00f920eb9d9b412866c348d0387dafddb

Filesize: 536KB
MD5: 8e61c212f0d171f36279065e0a01c8f0
SHA1: 3480b9776bea1faac49765db82cf4a7622f35962
SHA256: 3db6b5be93cdae64a97b9fc0f2f26a688c100477614ed253743ea9627c7dfe58
SHA512: 67ea8c484c3b3620e95d345f94a542391fb3e95ce0ff89da9ec813f55f1179d34245a61ef592d618a33e1ab18591e455b3413bca79e73810610b691709036082

Filesize: 512B
MD5: 80a372c5118589b5327aa4194d1d260a
SHA1: 0701af1214aa849eb923ea1dd81e1497de503c45
SHA256: 5437a6ad8b309e29502c93dc25a66deebf403e226526a47240c77860daea052a
SHA512: c65adde32b411a4cba8b275fc2b9fd16ed277ae9d51820d0cc5eb7906b4f24bd979a4ce8f2b44a8eeed87150b23515eb7c5523682ad7335d7fbccabcfbf83040

Filesize: 236KB
MD5: eb77b7db4c4bf2a218a496dccee8e7bb
SHA1: 6ea82ce25aa96cb9989edede28ea3730350f2ee4
SHA256: 4a0b7e940841e008320f0dfecba76d22e033339af78562d16c02ed2ce2eda2a2
SHA512: 870a068811ea728d63410d06aea4a13b87231c946601c788cb806bada33456a701ea42a32d8aeb81289c3fdf74918b9ba963983419951cf8c795f3c732f8dcd8