Analysis

max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 22:09
Behavioral task: behavioral1
Sample: 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
Resource: win7-20240221-en
General

Target: 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
Size: 367KB
MD5: 55e2b28e5b61d0269ad3e4c5c0e05180
SHA1: 9bdeca964f12f062832e82d3d2bf9847a274040a
SHA256: 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36
SHA512: 3218ab53f7391bfc625d074babc05c56c2948f78920793bb25febdfb55c2334edb422e7db52907cdd45891a49130ab6a6ae94d9ea742a3c317d47b41409d9410
SSDEEP: 6144:OuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pL:OzGL2C2aZ2/F1WHHUaveOHjT3
Malware Config

Extracted
Family: urelas
Addresses:
1.234.83.146
133.242.129.155
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code (GeoID) configured in the registry, most likely to geofence execution to or away from particular countries.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | tomeg.exe
Executes dropped EXE (2 IoCs)
pid | Process
2340 | tomeg.exe
2356 | xuxou.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2356 | xuxou.exe (all 64 events originate from this one PID)
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2512 wrote to memory of 2340 | 2512 | 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe | 89 (3 calls)
PID 2512 wrote to memory of 1212 | 2512 | 8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe | 90 (3 calls)
PID 2340 wrote to memory of 2356 | 2340 | tomeg.exe | 110 (3 calls)
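The WriteProcessMemory rows are the raw material for the process tree: every parent writes into its freshly created child several times, so the same parent/child pair repeats, and the child's image name only appears once that child itself acts as a writer. The following is an added example, not part of the sandbox report, that deduplicates rows in that format into parent/child edges, rebuilds the tree, and labels each root-to-leaf chain with whether it passes through a dropped EXE and which hops performed the Geo\Nation lookup. The row text is constructed to mirror the table above; "sample.exe" is a short label standing in for the long SHA256-named submitted file, and the PID-to-image map and the set of geofence-checking images are taken from the other tables in this report.

```python
import re
from collections import defaultdict

# Constructed rows (not the sandbox's raw export) in the shape of the
# "Suspicious use of WriteProcessMemory" table: description, pid, Process,
# procid_target. "sample.exe" is a placeholder label for the submitted file.
SAMPLE_ROWS = """
PID 2512 wrote to memory of 2340 2512 sample.exe 89
PID 2512 wrote to memory of 2340 2512 sample.exe 89
PID 2512 wrote to memory of 2340 2512 sample.exe 89
PID 2512 wrote to memory of 1212 2512 sample.exe 90
PID 2512 wrote to memory of 1212 2512 sample.exe 90
PID 2512 wrote to memory of 1212 2512 sample.exe 90
PID 2340 wrote to memory of 2356 2340 tomeg.exe 110
PID 2340 wrote to memory of 2356 2340 tomeg.exe 110
PID 2340 wrote to memory of 2356 2340 tomeg.exe 110
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Taken from the other signature tables and the Processes section of the report.
DROPPED_PIDS = {2340, 2356}
KNOWN_NAMES = {2512: "sample.exe", 2340: "tomeg.exe", 2356: "xuxou.exe", 1212: "cmd.exe"}
GEO_CHECK_IMAGES = {"sample.exe", "tomeg.exe"}


def parse_edges(text):
    """Collapse repeated WriteProcessMemory rows into {(parent_pid, child_pid): parent_image}."""
    edges = {}
    for m in ROW_RE.finditer(text):
        parent, child, image = int(m.group(1)), int(m.group(2)), m.group(4)
        if int(m.group(3)) != parent:
            # The pid column must agree with the PID named in the description.
            raise ValueError(f"inconsistent pid columns in row: {m.group(0)}")
        edges[(parent, child)] = image
    return edges


def build_tree(edges, known_names=None):
    """Return (roots, children, names). Writer images come from the rows themselves;
    known_names supplies images for PIDs that never write (leaf processes)."""
    names = dict(known_names or {})
    children = defaultdict(list)
    for (parent, child), image in edges.items():
        names.setdefault(parent, image)
        children[parent].append(child)
    targets = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in targets]
    return roots, dict(children), names


def chains(roots, children):
    """Every root-to-leaf PID path, in the order the sandbox recorded the edges."""
    paths = []

    def walk(pid, path):
        path = path + [pid]
        kids = children.get(pid, [])
        if not kids:
            paths.append(path)
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return paths


def classify(path, names, dropped_pids, geo_images):
    """A chain is a dropper chain if any non-root hop is a dropped EXE; also record
    which hops queried Control Panel\\International\\Geo\\Nation (possible geofence)."""
    hops = [names.get(pid, "?") for pid in path]
    return {
        "chain": " -> ".join(f"{name}({pid})" for name, pid in zip(hops, path)),
        "dropper_chain": any(pid in dropped_pids for pid in path[1:]),
        "geo_checked_by": [name for name in hops if name in geo_images],
    }


def analyse(text):
    edges = parse_edges(text)
    roots, children, names = build_tree(edges, KNOWN_NAMES)
    return [classify(p, names, DROPPED_PIDS, GEO_CHECK_IMAGES) for p in chains(roots, children)]


if __name__ == "__main__":
    for result in analyse(SAMPLE_ROWS):
        print(result)
```

Running it yields two chains: sample.exe(2512) -> tomeg.exe(2340) -> xuxou.exe(2356), flagged as a dropper chain with the geofence lookup performed by both the sample and tomeg.exe, and sample.exe(2512) -> cmd.exe(1212), which is the batch-file cleanup branch and is not a dropper chain.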
Processes

1. C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8e7639f21b8be401d4d040fa100b3d665418f0d0eb7aca9d6c283f8688765e36.exe"
   PID: 2512
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\tomeg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tomeg.exe"
      PID: 2340
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\xuxou.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\xuxou.exe"
         PID: 2356
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      PID: 1212
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: b652ce937e0c122bd97f3d0ce6dca2cc
SHA1: 9d2d5ae6790eb024997332be1601baebae93d698
SHA256: 079f20efb72e006948103e222c1ab454336f81a4a155a23d02d4b0eab67e4500
SHA512: 628c2a75afcec7499bc103fc3cec36c9eb9d9e98f8b4c0fff4ca40ee63172fea098ebe7acc72adb3cabfdf941424abb4e98ae4e7db65127e8cc3b6af706438a9

Filesize: 512B
MD5: cd76e4a485c1ce375664ade6e89414fb
SHA1: b1db70711b5d36665ffb81841c9ba4c636c58c4c
SHA256: 0c2a0bf09635852eec726dd5d04d4142f409371986c36a907045a52831b22942
SHA512: 666f3224a7635f352811b1ec80fd22723d204074880f3816cc6e4a709a5563856a7a820e052b1e7fc91ebf109ab7c15f25dd92f52efab8042065b1d32f574879

Filesize: 367KB
MD5: cf14346fb50285f785935e2397b8be04
SHA1: b13e87878ba585b14b4f7708aafea87b4667fa9b
SHA256: 0aeeb889eafba82d102f38660aa00040b9aae49500d087cb926f50a00bf5bebb
SHA512: e3bd63a4025330dcfd8dab921512ecc9367494a941b349edadbba5992507dbe647bd456cc894cadd1296c7da9a2684806de43130ed9e5b7c674f89b0e2cb4bca

Filesize: 303KB
MD5: f3f9a2cea6dc17c8cdddb5b6d2576758
SHA1: 53767ababebf2eb566d69c596abe5fb27b33550c
SHA256: f2bb125ac0329eb78648e594ae182837f567fc9bf6c3dfd92c96032dd280b383
SHA512: 8e7e5a4793026a3ca77742db922c3509858da137930eebc2b80df3f5e3976ebda68cb3d785d268b004a2c6185c17f2cc936265c7eb949bcf07aec2972b82da02