Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 11:20
Behavioral task: behavioral1
Sample: c076766fce89bbd06b0a57633dd0863b.exe
Resource: win7-20231129-en
General
Target: c076766fce89bbd06b0a57633dd0863b.exe
Size: 536KB
MD5: c076766fce89bbd06b0a57633dd0863b
SHA1: 5b3bfe3bf94dacaefb932098c787f55fdb421cd9
SHA256: 1a14dfc79b002101f64dda982c6ac8a8697fb4f88df8871b0ba7f44fbc7309dd
SHA512: cc1bda7983ebf5827f030d67bb6ce06d6bfc34e347f54a60785e7ffc75f34ce9520c219d30eb6cbe41178ac37a9eedb37e44724c9ea4296210beec8c0e2f93ff
SSDEEP: 12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPT:q0P/k4lb2wKatT
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | c076766fce89bbd06b0a57633dd0863b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | reroc.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4760 | reroc.exe
  4660 | jurek.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4660 | jurek.exe (all 64 IoCs are attributed to this same process)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3292 wrote to memory of 4760 | 3292 | c076766fce89bbd06b0a57633dd0863b.exe | 91
  PID 3292 wrote to memory of 4760 | 3292 | c076766fce89bbd06b0a57633dd0863b.exe | 91
  PID 3292 wrote to memory of 4760 | 3292 | c076766fce89bbd06b0a57633dd0863b.exe | 91
  PID 3292 wrote to memory of 3632 | 3292 | c076766fce89bbd06b0a57633dd0863b.exe | 92
  PID 3292 wrote to memory of 3632 | 3292 | c076766fce89bbd06b0a57633dd0863b.exe | 92
  PID 3292 wrote to memory of 3632 | 3292 | c076766fce89bbd06b0a57633dd0863b.exe | 92
  PID 4760 wrote to memory of 4660 | 4760 | reroc.exe | 106
  PID 4760 wrote to memory of 4660 | 4760 | reroc.exe | 106
  PID 4760 wrote to memory of 4660 | 4760 | reroc.exe | 106
Processes
- C:\Users\Admin\AppData\Local\Temp\c076766fce89bbd06b0a57633dd0863b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c076766fce89bbd06b0a57633dd0863b.exe"
  PID: 3292
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\reroc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\reroc.exe"
    PID: 4760
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\jurek.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jurek.exe"
      PID: 4660
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 3632
MITRE ATT&CK Enterprise v15
Downloads