Analysis
max time kernel: 153s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 23:06
Static task: static1
Behavioral task: behavioral1
Sample: addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
Resource: win7-20240215-en
General
Target: addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
Size: 329KB
MD5: e530079cb433d24463b761dded0368a0
SHA1: ecb67cf4344d633d423aa0cc61893af7485a438a
SHA256: addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e
SHA512: f1d912114240d2379590b321375cf48594cb4dc382d06c882e9622f97f728f2c76c9ddcfa0d41716dd2acecf9a95504f6e7a5f2ba662c9568595f93a5655a534
SSDEEP: 6144:sY4zSop9m06QbGTCnTRoOIH3FPA7AthtLpD:PkXpd6jqiOIHZAy
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description       | ioc                                                                                                   | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | ujjyt.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | qyresu.exe

Executes dropped EXE (3 IoCs)
pid  | Process
4740 | ujjyt.exe
1336 | qyresu.exe
916  | ufogw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
916 | ufogw.exe (this same entry is reported 64 times)

Suspicious use of WriteProcessMemory (15 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 3704 wrote to memory of 4740 | 3704 | addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe | 97  (reported 3 times)
PID 3704 wrote to memory of 1492 | 3704 | addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe | 98  (reported 3 times)
PID 4740 wrote to memory of 1336 | 4740 | ujjyt.exe                                                            | 100 (reported 3 times)
PID 1336 wrote to memory of 916  | 1336 | qyresu.exe                                                           | 114 (reported 3 times)
PID 1336 wrote to memory of 2288 | 1336 | qyresu.exe                                                           | 115 (reported 3 times)
Processes (indentation shows the parent/child tree; the depth number from the report is kept in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"
    PID: 3704
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\ujjyt.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ujjyt.exe" hi
        PID: 4740
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\qyresu.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\qyresu.exe" OK
            PID: 1336
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\ufogw.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\ufogw.exe"
                PID: 916
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID: 2288

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1492

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
    PID: 3612
Network
MITRE ATT&CK Enterprise v15
Downloads