Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 21:37

Behavioral task: behavioral1
Sample: 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
Resource: win7-20240221-en
General

Target: 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
Size: 453KB
MD5: 21b9b58fa2aa01359b6d84e2b402ea66
SHA1: 486d4169c82b0574e3c8d65c67dd123d539f67ed
SHA256: 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793
SHA512: d2fe91817f56f74453d00d0eb4d49e4cca22960a51d7d9eaa2d59cb660e4b0207c429e53505a9630f7fb58a6cebc92b827b0f5727fcf65e5ae8d3dd5c9477468
SSDEEP: 6144:Z8efQ6QPJGcLbjg0YSZK4UnUHOkb8734A2P6gt99Wvtxrpp29xSE3v/:c6QPJGcE0XKRg04zPZt9mtPON/
Malware Config

Extracted: urelas
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.30.235
  218.54.31.165
Signatures

Detects executables built or packed with MPress PE compressor (6 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/1988-0-0x0000000000400000-0x0000000000474000-memory.dmp  INDICATOR_EXE_Packed_MPress
  behavioral2/files/0x000300000002276c-6.dat                                  INDICATOR_EXE_Packed_MPress
  behavioral2/memory/2016-12-0x0000000000400000-0x0000000000474000-memory.dmp INDICATOR_EXE_Packed_MPress
  behavioral2/memory/1988-14-0x0000000000400000-0x0000000000474000-memory.dmp INDICATOR_EXE_Packed_MPress
  behavioral2/memory/2016-17-0x0000000000400000-0x0000000000474000-memory.dmp INDICATOR_EXE_Packed_MPress
  behavioral2/memory/2016-26-0x0000000000400000-0x0000000000474000-memory.dmp INDICATOR_EXE_Packed_MPress

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation  8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation  qecez.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2016  qecez.exe
  3772  qukai.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3772  qukai.exe  (64 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                procid_target
  PID 1988 wrote to memory of 2016   1988  8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe  91   (3 identical entries)
  PID 1988 wrote to memory of 720    1988  8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe  92   (3 identical entries)
  PID 2016 wrote to memory of 3772   2016  qecez.exe                                                              106  (3 identical entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"
    PID: 1988
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\qecez.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qecez.exe"
        PID: 2016
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\qukai.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\qukai.exe"
            PID: 3772
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 720
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 2ed49363141b3a651ae2f19a7ce5004e
SHA1: 0e602feeff46414a51675b0d0989c7bb5ea06a1f
SHA256: b91b3d683ec592cae7c070a6ce8138d45bfbaa5b532fa4cebeee94cb2ad520e1
SHA512: 6685704ab2257d970b3ab298ced5fa46ca9840eadc7cae5ff1ad55d6529ceb9d5a91412f581c6f9c9ef794049e193ab03c83c7534bd78cec35d122f22a5e30c2

Filesize: 512B
MD5: 04220b628690481880d00212a5ec576c
SHA1: 6bb9aee2bf8eb2af45d1afb5e709b802d641644e
SHA256: 0b04d52ad167b8824998ca3372c293a611f08a465b06000e77cd4a5707d351a6
SHA512: 7a8bd119b42c7f6e846a8904fabe46f1d66e4f568527ed13e276979a8c6f6a9522448b7a099863cc40529331739439308eccec9bf9ac70b6055183b88e428449

Filesize: 453KB
MD5: 90d3bd60a314754fa3f6ed64e0f54130
SHA1: f714204819e95791c36bbb6536bc33d1e857d634
SHA256: 43cfff80f8c39b0c0b0f0f417aaa595a5a5fbfc32b314dbea62967ba18d1bf4c
SHA512: d67db70ea1362d1aa02287060945ab5ea63fc866401f00267e32a643e000eb64a4c912c5ea33b4e341467e4dc1fb01d7baa7d1e0dfb4ec4efd5e45ceb586f81f

Filesize: 297KB
MD5: cec2aea1f829b748ea2bc067db445e13
SHA1: c28b0f81a5103de9f3af467de2d96816148ac3f2
SHA256: 9d57d240f2a1ce9f2fe207a03f4a46ab810459d4eb91d104eec23f22d79214b5
SHA512: 87d3e988e3c2ce42ec6a20d5435396b759449f8cd9cbc8488d6916ac4a16cc2f09be9d83f309c828e32d9949804cb15f780c923a268b2b79ebbb8212284ead98