Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
16/03/2024, 22:12
Static task
static1
Behavioral task
behavioral1
Sample
903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe
Resource
win7-20240220-en
General
-
Target
903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe
-
Size
442KB
-
MD5
d80d5435b06be892e95b864f4e51af1f
-
SHA1
3ce543688e3befe4df0aa96fa01d7e95077271b9
-
SHA256
903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa
-
SHA512
14900f79dcd3cc0ef0ca5f5e37918982ad4ff6bd1c482695f2f87ae8caaf785c11fb7221eb2953905552f4d3bc04ce71010ee6bc0f67fd05b834043272f3399f
-
SSDEEP
12288:PRMJysYCl64dH0JlJnERCoa8+yx5Yk7SPTANgLMt:PRzkF2o5x6RrAyQ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence. HKCU\Control Panel\International\Geo\Nation holds the GEOID (a decimal country/region code) of the user's configured home location; malware commonly compares it against an exclusion list before doing anything else. Both the original sample and the dropped yjotj.exe query it.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Process: yjotj.exe -
Executes dropped EXE 2 IoCs
pid: 2176  Process: yjotj.exe
pid: 364   Process: fuifg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  (2 entries)
pid: 2176  Process: yjotj.exe  (2 entries)
pid: 364   Process: fuifg.exe  (60 entries) -
Suspicious use of WriteProcessMemory 9 IoCs
description: PID 3696 wrote to memory of 2176  pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  procid_target: 92
description: PID 3696 wrote to memory of 2176  pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  procid_target: 92
description: PID 3696 wrote to memory of 2176  pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  procid_target: 92
description: PID 3696 wrote to memory of 1028  pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  procid_target: 93
description: PID 3696 wrote to memory of 1028  pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  procid_target: 93
description: PID 3696 wrote to memory of 1028  pid: 3696  Process: 903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe  procid_target: 93
description: PID 2176 wrote to memory of 364   pid: 2176  Process: yjotj.exe  procid_target: 106
description: PID 2176 wrote to memory of 364   pid: 2176  Process: yjotj.exe  procid_target: 106
description: PID 2176 wrote to memory of 364   pid: 2176  Process: yjotj.exe  procid_target: 106
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe"
  PID: 3696
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    Level 2 (child of PID 3696): C:\Users\Admin\AppData\Local\Temp\yjotj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\yjotj.exe"
      PID: 2176
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        Level 3 (child of PID 2176): C:\Users\Admin\AppData\Local\Temp\fuifg.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\fuifg.exe"
          PID: 364
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
    Level 2 (child of PID 3696): C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
      PID: 1028
The parent/child links match the WriteProcessMemory records above (3696 wrote to 2176 and 1028; 2176 wrote to 364). Note that the sample asked for C:\Windows\system32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, and WoW64 file-system redirection resolved the path. The contents of _sannuy.bat are not shown in this report.
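A sandbox report flattens its signature tables into long lines, and the Processes tree has to be read back out of them. The parser below is an added example written for this page (it is not part of the report or of the sandbox's own tooling): it takes the nine WriteProcessMemory records and the two Geo\Nation registry IoCs exactly as they appear above, de-duplicates the triplicated entries, and rebuilds the same tree the Processes section shows. The one assumption it makes is that each group of identical "PID X wrote to memory of Y" entries is the parent X creating child Y, which holds here because every target PID (2176, 1028, 364) is a PID in the Processes section with X as its parent. The process list and registry records are copied from the report; no other data is invented.

```python
"""Rebuild this sandbox report's process tree from its flattened IoC records."""
import re
from collections import defaultdict

SAMPLE = "903dfc21274d4368b1670a1b308ae7ebfaeb39b33d60b4b2fc1c13b9b0366efa.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Copied from the report's "Suspicious use of WriteProcessMemory" table
# (columns: description, pid, Process, procid_target). Each child appears
# three times; this example assumes each group is one process creation.
WPM_RECORDS = "\n".join(
    [f"PID 3696 wrote to memory of 2176 3696 {SAMPLE} 92"] * 3
    + [f"PID 3696 wrote to memory of 1028 3696 {SAMPLE} 93"] * 3
    + ["PID 2176 wrote to memory of 364 2176 yjotj.exe 106"] * 3
)

# pid -> image path, copied from the report's Processes section.
IMAGES = {
    3696: TEMP + "\\" + SAMPLE,
    2176: TEMP + r"\yjotj.exe",
    364: TEMP + r"\fuifg.exe",
    1028: r"C:\Windows\SysWOW64\cmd.exe",
}

# Registry IoCs copied from "Checks computer location settings".
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000"
           r"\Control Panel\International\Geo\Nation")
GEO_RECORDS = [
    ("Key value queried", GEO_KEY, SAMPLE),
    ("Key value queried", GEO_KEY, "yjotj.exe"),
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return the set of (parent_pid, child_pid) edges in the flattened table.

    Duplicate entries collapse into one edge. The description's writer PID
    must equal the pid column, otherwise the record is malformed.
    """
    edges = set()
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        writer, target, pid, _image, _procid_target = m.groups()
        if writer != pid:
            raise ValueError(f"writer {writer} disagrees with pid column {pid}")
        edges.add((int(writer), int(target)))
    return edges


def build_tree(edges):
    """Return (roots, children): roots are PIDs nobody wrote to."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - targets)
    return roots, dict(children)


def depth(tree, roots, pid):
    """Level of pid in the tree (root = 1, the report's level number); 0 if absent."""
    def walk(node, level):
        if node == pid:
            return level
        for child in tree.get(node, []):
            found = walk(child, level + 1)
            if found:
                return found
        return 0
    for root in roots:
        found = walk(root, 1)
        if found:
            return found
    return 0


def geofence_checkers(records):
    """Process names that read the user's Geo\\Nation (GEOID) value."""
    suffix = r"\control panel\international\geo\nation"
    return {proc for _desc, key, proc in records if key.lower().endswith(suffix)}


def render(tree, roots, images, geo_procs):
    """Indented tree in the style of the report's Processes section."""
    lines = []
    def walk(node, level):
        image = images.get(node, "?")
        basename = image.rsplit("\\", 1)[-1]
        tag = "  [queries Geo\\Nation]" if basename in geo_procs else ""
        lines.append(f"{'    ' * (level - 1)}{level}. PID {node} {image}{tag}")
        for child in tree.get(node, []):
            walk(child, level + 1)
    for root in roots:
        walk(root, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    roots, tree = build_tree(parse_wpm(WPM_RECORDS))
    print(render(tree, roots, IMAGES, geofence_checkers(GEO_RECORDS)))
```

Running it prints the sample at level 1 with cmd.exe and yjotj.exe at level 2 and fuifg.exe at level 3, with the two geofence-checking processes tagged. The same parser works on any report of this shape; the `writer != pid` check catches the case where a flattened line has been cut or merged during extraction.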
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
340B
MD5 827b4aafc0c688654d4d4e69badef025
SHA1 46ea28f78071ecd31bf26dd507c93685c4e3df64
SHA256 2475d13e06f0c3dc90ea77f5648911d3d511360aaf4023657dfcfebff73e05d2
SHA512 c7424e991390d3b5c1bbe579779d073934e828264eb68fc4ec8c2a96de3843cc46bf6956be04d7de0387371502cea69ceb09998adcacaa5fb0c5b7de92b24918
-
Filesize
416KB
MD5 cd141b438362e2c09ea0c9bcd3e39825
SHA1 10299a5f758a8417a4e63bbd0d2bca388695880d
SHA256 37e13e816bc70c3d6221a0f60e5cd6937a178d83c9047f2b0c6001d0e7f47c91
SHA512 56d6db1410ab92dab047090c5925c9707de735352c0bf1b17fffad53b11f7ff12b0a0428beabebe2a64488c40b4cc5936270004b11737a2c87d300499e351ac0
-
Filesize
512B
MD5 d932c4fab73bdebc6db37a4b7eb28af2
SHA1 c707d3cb09ee8fef900d41aa8a1cc27b6f4d2cc5
SHA256 342f32c64b09c856dc3730659bb9ac6f02979c94028ec63ef4dcf2a618256a20
SHA512 0cfb01a33784ecedac74515227182e099ee3ec69133b0b276bd90e65ba86ad57de25aee3ba0f912ba38acb8544e3a13df581dabc7cff8b26c73b0798a136eca0
-
Filesize
442KB
MD5 a8055794d2dec79da0112dea6b8ef552
SHA1 e643b91b947c7e2d2d7e5cbbeaea7f97a89d9ade
SHA256 ea999bf2f5cf34bb8fd64e252536e87d08a34cc5bcb759e883f22f48bfff41b1
SHA512 c2e28a75dd71fd0a470affc5759c1c36d4bef59eae9b1b285ed26f4a63a6e041f7559a46b8e6c8655fe72d6b141462c0e3cb09bcbc709d4847c3a7774683dec0