Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 16/03/2024, 22:17

Behavioral task
behavioral1
Sample: 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
Resource: win7-20240215-en

General
Target: 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
Size: 453KB
MD5: 7cf19309574d5bf7a7e8fd72cda93f93
SHA1: 4c5194df07a8625883204ccaf9b9f1a5e550d1f2
SHA256: 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25
SHA512: 6428fa21509b031e36c4336c80e541fbeb07818a17f4435de203b88e239cc4fc1ec1020b97f3c663e7fbab4c9addf57f8f28f6cfe7717a7549b43acfcd476590
SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoz:PMpASIcWYx2U6hAJQn3
Malware Config
Extracted
Family: urelas
C2: 218.54.31.165
C2: 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                   | Process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | tymib.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | ipfaju.exe

Executes dropped EXE (3 IoCs)
pid  | Process
3044 | tymib.exe
864  | ipfaju.exe
5060 | wadag.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
5060 | wadag.exe (all 64 entries are this one process)

Suspicious use of WriteProcessMemory (15 IoCs)
Each row below appears three times in the report (three writes per target process):
description                      | pid  | Process                                                              | procid_target
PID 1032 wrote to memory of 3044 | 1032 | 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe | 90
PID 1032 wrote to memory of 2912 | 1032 | 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe | 91
PID 3044 wrote to memory of 864  | 3044 | tymib.exe                                                            | 93
PID 864 wrote to memory of 5060  | 864  | ipfaju.exe                                                           | 113
PID 864 wrote to memory of 1380  | 864  | ipfaju.exe                                                           | 114
Processes
([n] is the nesting depth in the process tree; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe  PID:1032
    cmdline: "C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\tymib.exe  PID:3044
        cmdline: "C:\Users\Admin\AppData\Local\Temp\tymib.exe" hi
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\ipfaju.exe  PID:864
            cmdline: "C:\Users\Admin\AppData\Local\Temp\ipfaju.exe" OK
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\wadag.exe  PID:5060
                cmdline: "C:\Users\Admin\AppData\Local\Temp\wadag.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\SysWOW64\cmd.exe  PID:1380
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    [2] C:\Windows\SysWOW64\cmd.exe  PID:2912
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
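The signatures and process tree above are the raw material for a detection, so here is one, as an added example that is not part of the Tria.ge report or of any vendor's tooling. It reconstructs process lineage from parent/child pids and runs three rules over telemetry transcribed from this report: a Temp-resident executable reading the user's GeoID at HKCU\Control Panel\International\Geo\Nation (the "likely geofence" behaviour), three or more Temp-resident executables in one ancestry line (the dropper chain sample -> tymib.exe -> ipfaju.exe -> wadag.exe), and cmd.exe /c running a .bat from Temp on behalf of a Temp-resident process. The event schema, the rule names, the threshold of three and the EVENTS list itself are this example's own assumptions; the telemetry is constructed from the report, not captured from an EDR.

```python
"""Detection rules over the process telemetry in the sandbox report above.

Added example: not part of the Tria.ge report or of any vendor tooling.
EVENTS is constructed by transcribing the report's process tree and its
"Checks computer location settings" table into a minimal event model; the
schema, rule names and chain threshold are assumptions of this example.
"""
import re

SAMPLE = "92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000"
           r"\Control Panel\International\Geo\Nation")
BAT_CMD = f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\_vslite.bat" "'

# Constructed telemetry (ppid None = started by the sandbox itself).
EVENTS = [
    {"type": "proc", "pid": 1032, "ppid": None, "image": f"{TEMP}\\{SAMPLE}", "cmd": f'"{TEMP}\\{SAMPLE}"'},
    {"type": "proc", "pid": 3044, "ppid": 1032, "image": f"{TEMP}\\tymib.exe", "cmd": f'"{TEMP}\\tymib.exe" hi'},
    {"type": "proc", "pid": 2912, "ppid": 1032, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": BAT_CMD},
    {"type": "proc", "pid": 864, "ppid": 3044, "image": f"{TEMP}\\ipfaju.exe", "cmd": f'"{TEMP}\\ipfaju.exe" OK'},
    {"type": "proc", "pid": 5060, "ppid": 864, "image": f"{TEMP}\\wadag.exe", "cmd": f'"{TEMP}\\wadag.exe"'},
    {"type": "proc", "pid": 1380, "ppid": 864, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": BAT_CMD},
    {"type": "reg_query", "pid": 1032, "key": GEO_KEY},
    {"type": "reg_query", "pid": 3044, "key": GEO_KEY},
    {"type": "reg_query", "pid": 864, "key": GEO_KEY},
]

# An executable sitting directly under the per-user Temp directory.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# cmd.exe /c <path>\Temp\<name>.bat, tolerant of the doubled quotes seen in the report.
BAT_ARG = re.compile(r'/c\s+"*([^"]*\\Temp\\[^"]+\.bat)"', re.IGNORECASE)
# Geo\Nation holds the GEOID the user configured; matched case-insensitively on the key tail.
GEO_SUFFIX = r"\control panel\international\geo\nation"


def in_temp(image):
    return bool(TEMP_EXE.search(image))


def build_procs(events):
    return {e["pid"]: e for e in events if e["type"] == "proc"}


def lineage(procs, pid):
    """Pids from the outermost ancestor known to the telemetry down to pid."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events, min_chain=3):
    procs = build_procs(events)
    findings = {"geofence": [], "temp_chains": {}, "bat_launch": {}}
    for e in events:
        # Rule 1: a Temp-resident process reads the configured GeoID (likely geofence).
        if e["type"] == "reg_query" and e["key"].lower().endswith(GEO_SUFFIX):
            proc = procs.get(e["pid"])
            if proc and in_temp(proc["image"]):
                findings["geofence"].append(e["pid"])
    for pid, proc in procs.items():
        # Rule 2: at least min_chain Temp-resident executables in one ancestry line.
        if in_temp(proc["image"]):
            chain = [p for p in lineage(procs, pid) if in_temp(procs[p]["image"])]
            if len(chain) >= min_chain:
                findings["temp_chains"][pid] = chain
        # Rule 3: cmd.exe /c <Temp>\*.bat whose parent is a Temp-resident executable.
        parent = procs.get(proc["ppid"])
        m = BAT_ARG.search(proc["cmd"])
        if m and proc["image"].lower().endswith("\\cmd.exe") and parent and in_temp(parent["image"]):
            findings["bat_launch"][pid] = m.group(1)
    findings["geofence"].sort()
    return findings


if __name__ == "__main__":
    for rule, hits in detect(EVENTS).items():
        print(rule, hits)
```

Rule 1 fires on the three processes the report lists under "Checks computer location settings"; rule 2 flags ipfaju.exe and wadag.exe because each has three or more Temp-resident ancestors-plus-self, while tymib.exe alone does not; rule 3 catches both cmd.exe instances that run _vslite.bat. Note that a registry value query is not something Sysmon records (it logs value sets, key creates and deletes, not reads), so rule 1 needs EDR or sandbox telemetry of the kind this report provides.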
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224B
MD5: 65cc4d9ba6ead3f011512c2fe89cd539
SHA1: 0216586f28e2aeddb906e71d450b8b373d177862
SHA256: bf8a259d91234833c0761e819fd2586a7c955ed4ff802c981a12109d89a4b22d
SHA512: a9d63e92455245c34da2e749c60a0638887795f33e5e369417f6344903e6fc32388900b7546b49339f8cd08285275d422b1f7dced65dc35d6dab5d5b9b568ab6

Filesize: 340B
MD5: a76e13bcc28ddab8b9f29db5cd0076a3
SHA1: 1e86f77dbb2e8d033d56706203025ee77c844b61
SHA256: e1111640a0361091a433c072374681be71bd0b725e9a8082ff2a5d531b49c22f
SHA512: e131daf47e86ea2a08e4d8bafcaba04d2c5ef2c7853d9589f50b5c912e1a4c825739c170d32475d8e29e44d777e74042027d05d87431851923f7e02a07d41075

Filesize: 512B
MD5: 057da1d21a28c463978a7879cffa3b41
SHA1: 19c14e44c74facaaa7ff7761159d29e1e6e36fef
SHA256: 3f471c16aaa1991d07b92c03b25f6122860eaff5511b4cc0a4ca18618fd4ea9f
SHA512: b692d01d76265e5c8762b5ee34e30108837baf703556de6856be29207fdf113cfeb731438769d68ddd2d7236a530856bc5e07dc3bf289cee958cbbcae73285f7

Filesize: 453KB
MD5: 423a4931703c323e28ee1c05d7e3a621
SHA1: 9317280dcff0b898446da264539a1d2a8ef01950
SHA256: 98da8b4fdeb1519f240efd17142d44e47bafd3ac8d6a67ca4e899e89a9fba8eb
SHA512: a885bcd474e2243e91eee34b4c314043b7f73756c9b6daa908fb3343c95b2057a1f69d521645574ba61a55018f2018c7eae90da9b13fcc7ddf42c61646caac49

Filesize: 453KB
MD5: 9b8aed63feb8b65ea8764deb3128aac5
SHA1: fca27336de0b5c06523d82788b46395fc1d42381
SHA256: 1e4c90eeb1f9b5044460d9d64076c39541992c332a7bd39773850b1ff8abd0d4
SHA512: a5ea00825976ced039bd81afdb3db588571917d49851ebc00f7f5a173964092714e5ce4c297c6783201864355031abe557217c817fab3b79bd0c15dd43910ecd

Filesize: 223KB
MD5: 61a15fc8654559aa3182464ea09b9454
SHA1: 40883e4bcf63a1a55d5fb5f3aba2f426961394df
SHA256: 9f05d5f35f91d1680e8a0fdd7960b18965f6aabaeca960f67bdb5c8cda939bdb
SHA512: 13a12d15d9516c112d17342d560ed7590649f329a54912388bf2c13ca894c45f094136e3bda5245d9812b237e0dd5d2612c63b126de0e3468f209511193a8b02
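Turning the dropped-file digests into indicators is routine, but the copy that reaches a blocklist should be validated first. The following parser is an added example, not the report's or the sandbox's own code: REPORT_TEXT is the Downloads section transcribed in the raw form the page extraction produced (hash label fused onto the value, entries separated by a lone "-"), and the parser rejects any digest whose hex length does not match its algorithm so a truncated or mangled hash cannot be silently published. It also flags dropped files whose reported size equals the submitted sample's 453KB, a heuristic for files worth diffing against the original; the report rounds sizes, so this compares rounded figures only. The function names and the blocklist line format are this example's own choices.

```python
"""Parse a sandbox report's dropped-file entries into validated indicators.

Added example, not part of the report. REPORT_TEXT is transcribed from the
page's Downloads section in its raw extracted form; function names and the
blocklist line format are assumptions of this example.
"""
import re

REPORT_TEXT = """
-
Filesize
224B
MD565cc4d9ba6ead3f011512c2fe89cd539
SHA10216586f28e2aeddb906e71d450b8b373d177862
SHA256bf8a259d91234833c0761e819fd2586a7c955ed4ff802c981a12109d89a4b22d
SHA512a9d63e92455245c34da2e749c60a0638887795f33e5e369417f6344903e6fc32388900b7546b49339f8cd08285275d422b1f7dced65dc35d6dab5d5b9b568ab6
-
Filesize
340B
MD5a76e13bcc28ddab8b9f29db5cd0076a3
SHA11e86f77dbb2e8d033d56706203025ee77c844b61
SHA256e1111640a0361091a433c072374681be71bd0b725e9a8082ff2a5d531b49c22f
SHA512e131daf47e86ea2a08e4d8bafcaba04d2c5ef2c7853d9589f50b5c912e1a4c825739c170d32475d8e29e44d777e74042027d05d87431851923f7e02a07d41075
-
Filesize
512B
MD5057da1d21a28c463978a7879cffa3b41
SHA119c14e44c74facaaa7ff7761159d29e1e6e36fef
SHA2563f471c16aaa1991d07b92c03b25f6122860eaff5511b4cc0a4ca18618fd4ea9f
SHA512b692d01d76265e5c8762b5ee34e30108837baf703556de6856be29207fdf113cfeb731438769d68ddd2d7236a530856bc5e07dc3bf289cee958cbbcae73285f7
-
Filesize
453KB
MD5423a4931703c323e28ee1c05d7e3a621
SHA19317280dcff0b898446da264539a1d2a8ef01950
SHA25698da8b4fdeb1519f240efd17142d44e47bafd3ac8d6a67ca4e899e89a9fba8eb
SHA512a885bcd474e2243e91eee34b4c314043b7f73756c9b6daa908fb3343c95b2057a1f69d521645574ba61a55018f2018c7eae90da9b13fcc7ddf42c61646caac49
-
Filesize
453KB
MD59b8aed63feb8b65ea8764deb3128aac5
SHA1fca27336de0b5c06523d82788b46395fc1d42381
SHA2561e4c90eeb1f9b5044460d9d64076c39541992c332a7bd39773850b1ff8abd0d4
SHA512a5ea00825976ced039bd81afdb3db588571917d49851ebc00f7f5a173964092714e5ce4c297c6783201864355031abe557217c817fab3b79bd0c15dd43910ecd
-
Filesize
223KB
MD561a15fc8654559aa3182464ea09b9454
SHA140883e4bcf63a1a55d5fb5f3aba2f426961394df
SHA2569f05d5f35f91d1680e8a0fdd7960b18965f6aabaeca960f67bdb5c8cda939bdb
SHA51213a12d15d9516c112d17342d560ed7590649f329a54912388bf2c13ca894c45f094136e3bda5245d9812b237e0dd5d2612c63b126de0e3468f209511193a8b02
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Label fused onto the hex digest; "SHA1" cannot swallow SHA256/SHA512 lines
# because the character after "SHA" differs.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(\d+)(B|KB|MB)$")


def parse_downloads(text):
    """Return one dict per entry: size in bytes plus md5/sha1/sha256/sha512."""
    entries, cur, expect_size = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line == "Filesize":               # next line carries the size
            expect_size = True
            continue
        if expect_size:
            m = SIZE_RE.match(line)
            if not m:
                raise ValueError(f"unparseable size: {line!r}")
            cur["size"] = int(m.group(1)) * UNITS[m.group(2)]
            expect_size = False
            continue
        m = HASH_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:   # reject truncated or mangled digests
            raise ValueError(f"{algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
        cur[algo.lower()] = digest
    if cur:
        entries.append(cur)
    return entries


def same_size_as_sample(entries, sample_size):
    """Heuristic: dropped files the same (rounded) size as the submitted sample."""
    return [e for e in entries if e["size"] == sample_size]


def to_blocklist(entries):
    """One 'sha256,size_bytes' line per dropped file."""
    return [f"{e['sha256']},{e['size']}" for e in entries]


if __name__ == "__main__":
    parsed = parse_downloads(REPORT_TEXT)
    print("\n".join(to_blocklist(parsed)))
    print("same size as sample:", [e["sha256"][:12] for e in same_size_as_sample(parsed, 453 * 1024)])
```

On this report the parser yields six entries and accepts every digest, which is itself a useful check that the extraction did not clip a hash; the two 453KB entries are the ones flagged as the sample's size.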