Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 10:40
Behavioral task: behavioral1
Sample: c063c49b9aadc37b4bd6a746f157378c.exe
Resource: win7-20240221-en
General

Target: c063c49b9aadc37b4bd6a746f157378c.exe
Size: 465KB
MD5: c063c49b9aadc37b4bd6a746f157378c
SHA1: c15c71c2b7a926886ef84104ab289ab68c3a9ebe
SHA256: f26c344c3e1ad437eee71c72dd28160e3a99b24af0d28c75a1aeb83bb4f94718
SHA512: f71263e31d4960c9950565799a32571f5d0c5beac80a0cadcd5c9b64e80953f380253c804a96cbe120484d66b23ed29eef3e4f6bf75e9633dc4ebcb1029da356
SSDEEP: 12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uv:m6tQCG0UUPzEkTn4AC1+Q
Malware Config

Extracted (family): urelas
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.30.235
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation   c063c49b9aadc37b4bd6a746f157378c.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation   nibar.exe

Executes dropped EXE (2 IoCs)
  pid    Process
  2612   nibar.exe
  4156   hynaa.exe

  resource                                                                  yara_rule
  behavioral2/files/0x00070000000234a9-21.dat                               upx
  behavioral2/memory/4156-26-0x0000000000400000-0x000000000049F000-memory.dmp   upx
  behavioral2/memory/4156-28-0x0000000000400000-0x000000000049F000-memory.dmp   upx
  behavioral2/memory/4156-29-0x0000000000400000-0x000000000049F000-memory.dmp   upx
  behavioral2/memory/4156-30-0x0000000000400000-0x000000000049F000-memory.dmp   upx
  behavioral2/memory/4156-31-0x0000000000400000-0x000000000049F000-memory.dmp   upx
  behavioral2/memory/4156-32-0x0000000000400000-0x000000000049F000-memory.dmp   upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  4156   hynaa.exe   (the same pid/process pair is listed for all 64 IoC entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process                                procid_target
  PID 4488 wrote to memory of 2612   4488   c063c49b9aadc37b4bd6a746f157378c.exe   91    (listed 3 times)
  PID 4488 wrote to memory of 2540   4488   c063c49b9aadc37b4bd6a746f157378c.exe   92    (listed 3 times)
  PID 2612 wrote to memory of 4156   2612   nibar.exe                              105   (listed 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe   (depth 1, PID: 4488)
  command line: "C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\nibar.exe   (depth 2, PID: 2612)
    command line: "C:\Users\Admin\AppData\Local\Temp\nibar.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\hynaa.exe   (depth 3, PID: 4156)
      command line: "C:\Users\Admin\AppData\Local\Temp\hynaa.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe   (depth 2, PID: 2540)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 276B
MD5: 36499ebff821457861dd5ccb52113066
SHA1: a521b160afab8e1e31647148b4b7f27d176c3c1b
SHA256: 21409e7d7366616b2675d50a11f206e26f71f1f36cec705da4d665b46c022790
SHA512: dda3b4e0faa469e8b93187ee6ad3edfeb8af727515341b63895c46e80ff1f358216faa1f31aae7a8898883654f70f105e46a19fc926dbb1b88ed9440a01227ea

Filesize: 512B
MD5: 794e4fbe78989c75aaf04c8bf656545d
SHA1: 400647a7a8de040ff20610d34d369373e570d044
SHA256: 3121ecb126b80763d20ff854b1608a174533018e2706c3c096000298dfb39589
SHA512: ae11d0b5a2881daed1ea5b9759806a2e881b5f6cf143d974333e64b264b6bb5576550551ede8e6cc78d47900dec7914de2f737bc250daf584afa7b76f96474e7

Filesize: 198KB
MD5: 3d95357fba8561c0cbbf14f714fc4490
SHA1: 6655a2f82e6e44edc744667b547ba6b28f51a6ef
SHA256: 9bf632fcfa3d0c7589b2d9e215384f521dfb7e7357efe0083e357829d4889b1f
SHA512: 2d8abc51877ccfc61444412d23a3ca3073410ba2fea22094618c7c5ad43bda53ec10080d8465aae6a5dc80bfc40ec148d222cade8cc6f57a0c503d56d6213ce4

Filesize: 465KB
MD5: 56b7f9f93a209b0f9edd6ff270ad8c44
SHA1: f97b63ae5240b15239003c791e138750f897ac6d
SHA256: 530d8bedcd4dc30bf9f8448115d39ad178cef55f9f8a2a084a4cef91d02da58f
SHA512: 8f88a47ac0acc9404b21ea35327a480e76ac087f4077037d70ad813ab4ad8218f59143c00cbd911bccfafe3d22541530bfe00676b12b4ff4727749fa7eaad156