Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 23:28
Behavioral task: behavioral1
Sample: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
Resource: win7-20240221-en
General
Target: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe
Size: 483KB
MD5: eadc232be0040abee0332d39feb2c056
SHA1: b59b6366246015d41fd15f96dff30e3cd15c63b9
SHA256: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa
SHA512: 0068689d8e5b72182c6c9db3820369bf25ffc180c9270d0291dcec6589ee3d480549a7255497e337ec2741f910c9132526e37bb008eefacea1595e492fd684a6
SSDEEP: 12288:k2PxDgZo3ijniea8Xih9abyNK95ZA9u3y2XWbW:k2SLi7oih9abvcet
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.30.235
218.54.31.165
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation (process: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation (process: sykur.exe)
Executes dropped EXE 2 IoCs
pid / Process:
- 2140 sykur.exe
- 4232 exajr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process:
- 4232 exajr.exe (64 identical events)
Suspicious use of WriteProcessMemory 9 IoCs
description / pid / Process / procid_target:
- PID 4784 wrote to memory of 2140: pid 4784, b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe, procid_target 91 (3 events)
- PID 4784 wrote to memory of 4484: pid 4784, b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe, procid_target 92 (3 events)
- PID 2140 wrote to memory of 4232: pid 2140, sykur.exe, procid_target 112 (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe (PID 4784)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\sykur.exe (PID 2140)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sykur.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\exajr.exe (PID 4232)
         Command line: "C:\Users\Admin\AppData\Local\Temp\exajr.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe (PID 4484)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads