Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 22:22
Behavioral task: behavioral1
Sample: cf389a6edfd132de5bfeb2deb343d5e2.exe
Resource: win7-20240221-en
General
Target: cf389a6edfd132de5bfeb2deb343d5e2.exe
Size: 401KB
MD5: cf389a6edfd132de5bfeb2deb343d5e2
SHA1: 42a47204b264bf4c1bc00f38fb8a9b345dc40028
SHA256: 614c3bbd21decd89fa9045ef7960de748ddd0ab3574645441ca014f81e1002d9
SHA512: 92044df4ae0004069efe3ac598ad3dcc4414d5c4736143398200499d44c6402e0728dfcb8a9593a6f8e14ce96a9ac9f774451ae509a5d2eda724bbc523c9cfbd
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohCR:8IfBoDWoyFblU6hAJQnOC
Malware Config
Extracted configuration, family: urelas
Addresses in the extracted configuration: 218.54.31.165, 218.54.31.226
Signatures
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | cf389a6edfd132de5bfeb2deb343d5e2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | axrot.exe
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | ukfooh.exe
-
Executes dropped EXE (3 IoCs)
PID | Process
1756 | axrot.exe
1532 | ukfooh.exe
1388 | moeqo.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process
1388 | moeqo.exe (all 64 IoCs come from this one process)
-
Suspicious use of WriteProcessMemory (15 IoCs)
Each of the five parent/child writes below was recorded three times, giving 15 IoCs. procid_target is the sandbox's internal index for the target process, not a Windows PID.
Description | PID | Process | procid_target
PID 224 wrote to memory of 1756 | 224 | cf389a6edfd132de5bfeb2deb343d5e2.exe | 90
PID 224 wrote to memory of 1372 | 224 | cf389a6edfd132de5bfeb2deb343d5e2.exe | 91
PID 1756 wrote to memory of 1532 | 1756 | axrot.exe | 93
PID 1532 wrote to memory of 1388 | 1532 | ukfooh.exe | 110
PID 1532 wrote to memory of 1732 | 1532 | ukfooh.exe | 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe (PID 224, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\axrot.exe (PID 1756, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\axrot.exe" hi
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ukfooh.exe (PID 1532, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ukfooh.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\moeqo.exe (PID 1388, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\moeqo.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe (PID 1732, depth 4)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  C:\Windows\SysWOW64\cmd.exe (PID 1372, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Each stage runs from the user's Temp directory and spawns the next stage with a short fixed argument (hi, OK). The two cmd.exe instances are launched with a system32 path but their image is SysWOW64\cmd.exe: the 32-bit parents are subject to WoW64 file system redirection on this x64 host. The report does not show the contents of _vslite.bat.
-
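The process chain and registry IoCs above translate directly into detection logic. The Python below is an added example, not part of the sandbox output: it runs three rules over a handful of constructed process-create and registry-query events that mirror the tree (the tuple layout, the parent PID 4000 for the initial sample and the notepad.exe noise entries are assumptions, not data from the report): a chain of executables in the user's Temp directory each spawned by the previous one, any process reading the Geo\Nation value, and cmd.exe launched by a Temp-directory executable to run a .bat from Temp.

```python
"""Detection rules derived from the behaviour in this report.

Added example, not part of the sandbox output. The event tuples below are
constructed to mirror the process tree and registry IoCs above; their layout
(kind, pid, ppid, image, detail) is an assumption, not any real log format.
"""
import re
from collections import defaultdict

# Registry value every dropped stage read (tail of the per-user hive path).
GEO_NATION = r"\Control Panel\International\Geo\Nation"
# Executable images living in the user's Temp directory.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# Batch files in the same directory, as seen in the cmd.exe command lines.
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.bat', re.IGNORECASE)

HIVE = r"HKU\S-1-5-21-399997616-3400990511-967324271-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
BAT_CMD = r'/c ""' + TEMP + r'\_vslite.bat" "'

# Constructed events: (kind, pid, ppid, image, detail). "detail" holds the
# command-line arguments for "proc" events and the key path for "reg" events.
# Parent PID 4000 and the notepad.exe entries are invented filler.
EVENTS = [
    ("proc", 224, 4000, TEMP + r"\cf389a6edfd132de5bfeb2deb343d5e2.exe", ""),
    ("reg", 224, None, TEMP + r"\cf389a6edfd132de5bfeb2deb343d5e2.exe", HIVE + GEO_NATION),
    ("proc", 1756, 224, TEMP + r"\axrot.exe", "hi"),
    ("reg", 1756, None, TEMP + r"\axrot.exe", HIVE + GEO_NATION),
    ("proc", 1372, 224, r"C:\Windows\SysWOW64\cmd.exe", BAT_CMD),
    ("proc", 1532, 1756, TEMP + r"\ukfooh.exe", "OK"),
    ("reg", 1532, None, TEMP + r"\ukfooh.exe", HIVE + GEO_NATION),
    ("proc", 1388, 1532, TEMP + r"\moeqo.exe", ""),
    ("proc", 1732, 1532, r"C:\Windows\SysWOW64\cmd.exe", BAT_CMD),
    ("proc", 5000, 4000, r"C:\Windows\System32\notepad.exe", ""),
    ("reg", 5000, None, r"C:\Windows\System32\notepad.exe", r"HKCU\Software\Microsoft\Notepad"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def process_table(events):
    """pid -> (ppid, image, args) for every process-create event."""
    return {pid: (ppid, image, args)
            for kind, pid, ppid, image, args in events if kind == "proc"}


def temp_exe_chain(events):
    """Longest chain of Temp-directory executables in which each process was
    spawned by the previous one. Returns image basenames, root to leaf."""
    procs = process_table(events)
    children = defaultdict(list)
    for pid, (ppid, _, _) in procs.items():
        children[ppid].append(pid)

    def walk(pid):
        best = []
        for child in children[pid]:
            if TEMP_EXE.search(procs[child][1]):
                candidate = walk(child)
                if len(candidate) > len(best):
                    best = candidate
        return [basename(procs[pid][1])] + best

    # A root is a Temp exe whose parent is unknown or is not itself a Temp exe.
    roots = [pid for pid, (ppid, image, _) in procs.items()
             if TEMP_EXE.search(image)
             and not (ppid in procs and TEMP_EXE.search(procs[ppid][1]))]
    chains = [walk(root) for root in roots]
    return max(chains, key=len) if chains else []


def geo_probes(events):
    """Distinct images that queried the Geo\\Nation value (the geofence check)."""
    return sorted({basename(image) for kind, _, _, image, key in events
                   if kind == "reg" and key.endswith(GEO_NATION)})


def temp_batch_via_cmd(events):
    """PIDs of cmd.exe started by a Temp-directory exe to run a .bat from Temp."""
    procs = process_table(events)
    return sorted(pid for pid, (ppid, image, args) in procs.items()
                  if image.lower().endswith("\\cmd.exe")
                  and TEMP_BAT.search(args)
                  and ppid in procs and TEMP_EXE.search(procs[ppid][1]))


def findings(events):
    """Human-readable findings; one line per rule that fired."""
    out = []
    chain = temp_exe_chain(events)
    if len(chain) >= 3:
        out.append("Temp-dir exe chain of depth %d: %s" % (len(chain), " -> ".join(chain)))
    probes = geo_probes(events)
    if probes:
        out.append("Geo\\Nation queried by: " + ", ".join(probes))
    bats = temp_batch_via_cmd(events)
    if bats:
        out.append("cmd.exe running a Temp .bat from a Temp exe, PIDs " + ", ".join(map(str, bats)))
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Run as a script it prints one line per rule that fired. One caveat for porting the rules to real telemetry: Sysmon does not log registry value queries (its registry events 12 to 14 cover create/delete, value set and rename), so the Geo\Nation rule needs an API-monitoring or EDR source; the process-tree rules map straight onto process-create events.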
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 276B
MD5: f0a542051f587925e773aed510551c0a
SHA1: bd0f7fe15646e1bb9b381ce964be431b56c83189
SHA256: ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90
SHA512: c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26
-
Filesize: 224B
MD5: 5a29d1f10053285c2d1f60faae33dfe2
SHA1: 6baab06febca88249ee6e9a8a5e644961dd5b834
SHA256: 59971e8d793ae473e572e6cf6cbd1d39594bbb28c18ac6ea4e452bdf243e3f4f
SHA512: 5d7cbbcb9da7d02a84a4afd67bf0a93410e94aa50d7fde96478aacb4bdad9085ff3ec7435777e090ce4a399d8c9dccbd9e97c4d64eb7c47b6f5075924ec62998
-
Filesize: 401KB
MD5: f2dd01151aac9dec5c94e0915854d166
SHA1: 36df3452129b5c3fd834f307a53930867648f97b
SHA256: 8f89a44e9800457ea0ff0724a17bfe52a0796797f70ea5cbe4188830c9345bb5
SHA512: ec102f17a6d90832ff3e3f9c1a91255e58f4a9753afcf683b15a5f79404b16d7cec5b28a308f598dba1f9df8f9ab853928b87e394c3f3dbb97715fce729d98ad
-
Filesize: 512B
MD5: 153b993f7150d69b54d15d6e043f5ab2
SHA1: b46e2c96c8af461bb4bd9613bd5c91aff7c60285
SHA256: f12543d9c55ccd4a62246dfb9fa5537b117d5c509cd199d505498ea0950bf7c0
SHA512: 014f5db1efb4254053e6657d4462f7eaa586ec47e17c68d6c6c5b2f37fa265bd20a4e19924bc96c3f1c6a5bfd5bf104920b45d043fa258a35d7a01591bcd6cbe
-
Filesize: 223KB
MD5: 0596b7e46278d25cfd1c98793f258fc1
SHA1: 6d92961907b41ad0354e1fd1ade0f3433d5a5e11
SHA256: 927ec232b92f27231c62cb865334a2aed934c67cfba606e3e6c66fce229d4c7f
SHA512: 277af5f06be1743ce23734a95cdf760e50aade670be6778400c1f35231f69deff5dd984582ec737b147c4b72faebb5c39be276b29844ae6cb415753df0701f7d
-
Filesize: 401KB
MD5: e77d27b9eae260ff545524c162422c90
SHA1: 63d310c0ae42e1972e8037fa29834aa26d49b6da
SHA256: b8feb420b237fb0fdde21edc85bf6331fccad5b74c361f635e1a939a85c90106
SHA512: 471fd5b23c562e271d03a2f6a3f005bd0025a4c402ab7e674c20fdbd478043a3dfc314c5c809e496b78916b2fea3f595c42d7dee955328a4502fd83731491e2b