Analysis
max time kernel: 157s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 22:50
Behavioral task: behavioral1
Sample: cf45b2e62fb61b7f2757cf2d1beb08a6.exe
Resource: win7-20240215-en
General
Target: cf45b2e62fb61b7f2757cf2d1beb08a6.exe
Size: 1.1MB
MD5: cf45b2e62fb61b7f2757cf2d1beb08a6
SHA1: 4d8223aea1671969511f00dca8bf4569753fd8f2
SHA256: af464d9f2c1bb1caf81f3cb1dc3d67c7d577fdca066d0c650b995c54e9d74e70
SHA512: aca24448c04e3917525ca1aa0b50193feaabeb409d164f427be44ea37c1b813ae7b4d1622d152828df92927b65bd2d05aac95c76b99ba155fc0716ea1656050a
SSDEEP: 12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Yh:tcykpY5852j6aJGl5cqBQ
Malware Config
Extracted: urelas
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation (ryelru.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation (cf45b2e62fb61b7f2757cf2d1beb08a6.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation (bapea.exe)

Executes dropped EXE (3 IoCs)
  PID 4744  bapea.exe
  PID 3812  ryelru.exe
  PID 3964  ejxuk.exe

YARA matches (resource: yara_rule)
  behavioral2/files/0x000b00000002314f-31.dat: upx
  behavioral2/memory/3964-37-0x0000000000400000-0x0000000000599000-memory.dmp: upx
  behavioral2/memory/3964-43-0x0000000000400000-0x0000000000599000-memory.dmp: upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  PID 3964  ejxuk.exe (24 identical entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 3116 (cf45b2e62fb61b7f2757cf2d1beb08a6.exe) wrote to memory of 4744, procid_target 91 (3 entries)
  PID 3116 (cf45b2e62fb61b7f2757cf2d1beb08a6.exe) wrote to memory of 4468, procid_target 92 (3 entries)
  PID 4744 (bapea.exe) wrote to memory of 3812, procid_target 94 (3 entries)
  PID 3812 (ryelru.exe) wrote to memory of 3964, procid_target 108 (3 entries)
  PID 3812 (ryelru.exe) wrote to memory of 4728, procid_target 109 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe (PID 3116)
  command line: "C:\Users\Admin\AppData\Local\Temp\cf45b2e62fb61b7f2757cf2d1beb08a6.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\bapea.exe (PID 4744)
      command line: "C:\Users\Admin\AppData\Local\Temp\bapea.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ryelru.exe (PID 3812)
          command line: "C:\Users\Admin\AppData\Local\Temp\ryelru.exe" OK
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\ejxuk.exe (PID 3964)
              command line: "C:\Users\Admin\AppData\Local\Temp\ejxuk.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\cmd.exe (PID 4728)
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

    C:\Windows\SysWOW64\cmd.exe (PID 4468)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "