Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
11/03/2024, 05:44
Behavioral task
behavioral1
Sample
bffd92387ce2f42ec3bef3676dc450c5.exe
Resource
win7-20240221-en
General
-
Target
bffd92387ce2f42ec3bef3676dc450c5.exe
-
Size
403KB
-
MD5
bffd92387ce2f42ec3bef3676dc450c5
-
SHA1
c084cba4905f8930d67938a4cc939b3e78a18b3a
-
SHA256
14f8f5e1845ef3a5e480b4d8eb1d6927cdebb85bb149c7c5f4bab48e913e9004
-
SHA512
e8a1ae160ccc1bf89aa1987af2f65da25b78737d71b1b5dec6a89ec5598433fb7a51506da44e8d76811a32822f3ca1bd6d5644c8d911749513ecae073a23ad22
-
SSDEEP
6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohI:8IfBoDWoyFblU6hAJQnO6
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence check. Note that this is a registry value read, which Sysmon does not record: its registry events (IDs 12, 13 and 14) cover key creation/deletion, value writes and renames only, so this behaviour is visible in a sandbox or via other instrumentation, not in standard Sysmon telemetry.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | bffd92387ce2f42ec3bef3676dc450c5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | bisue.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | ezvopu.exe
-
Executes dropped EXE 3 IoCs
pid | Process
4696 | bisue.exe
1428 | ezvopu.exe
1924 | tyvoa.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1924 | tyvoa.exe (this row is reported 64 times, one per IoC)
-
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 4004 wrote to memory of 4696 | 4004 | bffd92387ce2f42ec3bef3676dc450c5.exe | 83 (reported 3 times)
PID 4004 wrote to memory of 228 | 4004 | bffd92387ce2f42ec3bef3676dc450c5.exe | 84 (reported 3 times)
PID 4696 wrote to memory of 1428 | 4696 | bisue.exe | 86 (reported 3 times)
PID 1428 wrote to memory of 1924 | 1428 | ezvopu.exe | 95 (reported 3 times)
PID 1428 wrote to memory of 4864 | 1428 | ezvopu.exe | 96 (reported 3 times)
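The WriteProcessMemory rows above are the only place the report records which process created which, and the process tree further down is derived from them. The following script, added here as an example and not part of the sandbox's own output, rebuilds that tree from the flat rows: it parses the "PID X wrote to memory of Y" lines (copied from this report as constructed input), collapses the repeated rows to unique parent/child edges, and renders the chain. The PID-to-image map is taken from the Processes section of this report; the function and variable names are my own.

```python
"""Rebuild a process tree from the flat 'Suspicious use of WriteProcessMemory'
rows of a sandbox report."""
import re
from collections import defaultdict

# Rows copied from the report's WriteProcessMemory signature (constructed
# input for this example; the report lists each edge three times).
WRITE_ROWS = """
PID 4004 wrote to memory of 4696 4004 bffd92387ce2f42ec3bef3676dc450c5.exe 83
PID 4004 wrote to memory of 4696 4004 bffd92387ce2f42ec3bef3676dc450c5.exe 83
PID 4004 wrote to memory of 4696 4004 bffd92387ce2f42ec3bef3676dc450c5.exe 83
PID 4004 wrote to memory of 228 4004 bffd92387ce2f42ec3bef3676dc450c5.exe 84
PID 4004 wrote to memory of 228 4004 bffd92387ce2f42ec3bef3676dc450c5.exe 84
PID 4004 wrote to memory of 228 4004 bffd92387ce2f42ec3bef3676dc450c5.exe 84
PID 4696 wrote to memory of 1428 4696 bisue.exe 86
PID 4696 wrote to memory of 1428 4696 bisue.exe 86
PID 4696 wrote to memory of 1428 4696 bisue.exe 86
PID 1428 wrote to memory of 1924 1428 ezvopu.exe 95
PID 1428 wrote to memory of 1924 1428 ezvopu.exe 95
PID 1428 wrote to memory of 1924 1428 ezvopu.exe 95
PID 1428 wrote to memory of 4864 1428 ezvopu.exe 96
PID 1428 wrote to memory of 4864 1428 ezvopu.exe 96
PID 1428 wrote to memory of 4864 1428 ezvopu.exe 96
"""

# PID -> image name, taken from the report's Processes section. PIDs 228 and
# 4864 are the two cmd.exe instances that run _vslite.bat.
IMAGES = {
    4004: "bffd92387ce2f42ec3bef3676dc450c5.exe",
    4696: "bisue.exe",
    1428: "ezvopu.exe",
    1924: "tyvoa.exe",
    228: "cmd.exe",
    4864: "cmd.exe",
}

# Columns: source PID, target PID, source PID again, source image, and the
# sandbox's internal procid_target (83, 84, ...), which is NOT a Windows PID.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_edges(text):
    """Return (parent_pid, child_pid) edges, duplicates removed, in first-seen order."""
    edges = []
    for m in ROW_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(text):
    """Map each parent PID to its list of unique child PIDs (first-seen order)."""
    tree = defaultdict(list)
    for parent, child in parse_edges(text):
        tree[parent].append(child)
    return {p: list(c) for p, c in tree.items()}


def roots(tree):
    """PIDs that write to others but were never written to: the tree roots."""
    children = {c for cs in tree.values() for c in cs}
    return sorted(p for p in tree if p not in children)


def lineage(tree, pid):
    """Walk from pid up to its root and return the chain root..pid."""
    parent_of = {c: p for p, cs in tree.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def render(tree, images, root, depth=0):
    """Indented text rendering of the tree, one line per process."""
    lines = ["  " * depth + f"{root} {images.get(root, '?')}"]
    for child in tree.get(root, []):
        lines.extend(render(tree, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(WRITE_ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, IMAGES, root)))
    print("dropper chain:", " -> ".join(IMAGES[p] for p in lineage(tree, 1924)))
```

Running it prints the same six-process tree the report shows below, and the chain bffd92387ce2f42ec3bef3676dc450c5.exe -> bisue.exe -> ezvopu.exe -> tyvoa.exe, which is the path that ends in the process doing the process enumeration. The same parser works on other reports in this format because the row layout, not the sample, is what it keys on.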
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bffd92387ce2f42ec3bef3676dc450c5.exe"
   PID: 4004
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\bisue.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bisue.exe" hi
      PID: 4696
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ezvopu.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ezvopu.exe" OK
         PID: 1428
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\tyvoa.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\tyvoa.exe"
            PID: 1924
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
            PID: 4864
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      PID: 228
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
224B
MD5 f87230f2dc5208f9a86475f1cb49ebed
SHA1 06e13e5b55b018b695e72a955620b00aba32ebad
SHA256 847270e4de05d2b6b44992bf791f4883e5c70e464caba00bf6e766e4e81cdcec
SHA512 c91873ffa8770ed324ffff57f803fcdc8d86e5ea561de405f8e097001b39ac00990e0d9ebd3189a16f897a84e3099a92d28d3d9fa0badda5601c7b9fa51e2c7c
-
Filesize
276B
MD5 f847b5d9d2475fb8fa19d0287199e436
SHA1 bd25e1e5bbddc343e6233ce1051d979dac880002
SHA256 2e4736cae2231b7b9583c1e768aec1712bc99247eff4662152c7eac6a3ad8b68
SHA512 c6a19eb2e99857c697a3c71b04ecc9ec1751d4785d753e59c69cb3891821ecc09451814ed23aa5571e39bbcd69b4e0b7fe47a7c69e9c8b2f312412dc3638fb14
-
Filesize
403KB
MD5 ac989931471050c1b394b4262a760c54
SHA1 7bf31b8ba11c10cca02a24f00f6ed88bf3948b51
SHA256 efc1a205b03cb8cb0db49431196bc566b9a7e6c89d85f762c9903b3d2a44384d
SHA512 5aa643d2066f51f47f5bb0262f6db33338339b76828b6e2fde38ef8a072d3eb3f765fa71e8488ebccff61d06ac813fc8e8ddac68ed94d803423b6c9ff97fcdfd
-
Filesize
403KB
MD5 eaf04b7d70749f5b53965aea752282dd
SHA1 873912339192ec629f1ef5e2dc418e92d66da6fe
SHA256 c918add1d89d6f1ce0bf8bfafe6d2eaa42b4f0c6dcb85bbdda3e512f84b183fd
SHA512 a7b36264aa641f592d7919837e91b70977acab9c3b23e2475b1c5a0ada63ab92c20f79f295ea537e580955a18d6bb886a5581de6c44532d135bbc8ebe5b2ca77
-
Filesize
512B
MD5 3f5cc9d83a0d6a5a29fa2ae2f9527251
SHA1 8745fae64eaf681c22b32d21c14bcccb854aaf5e
SHA256 5d6d3f168d29c4a825e3cadc097d0403b97a5d1ca583e8fcba9473555dd359d0
SHA512 2c03f30906ad3c5ccdee9e098807c66bb98f9163a1005bf338f2497cfca3cd750b0161527f988e36491978f19c983f4553a5c00f6858313c42c0c673e1a2e995
-
Filesize
223KB
MD5 ea6316028571c979478ada853dd551b0
SHA1 2057de0e40263250c52e4c57134c7db0bfdcc53c
SHA256 30ab8ad54f5d6bca13ffbe6d1b13f5605b9e8f5e4733bfa7a822a63aaf055ad9
SHA512 08d31ac48980923a42445bb69c885de631b99feb11f8ad0577ffdb55e5232f16066e91d2693924248034e372d07729932938b0b878fdcb4df94e74f659e8aa9f