Analysis
Max time kernel: 151s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/03/2024, 23:28
Behavioral task: behavioral1
Sample: b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe
Resource: win7-20240221-en
General
Target: b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe
Size: 312KB
MD5: d1de47776076580de4d6dbd71acfbebd
SHA1: 31708125cd48b6774a79c6be4af524eaae040819
SHA256: b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8
SHA512: d171f0be0037cca1dae457da0d4fe4a5d278377a30952ef43773728821250c31706d8d872f1415964b38946c3c98264e13ec1b939d572ff4a4538f45d85b2774
SSDEEP: 6144:AvJHbHWEQyhCmhVAc4RgCM1GxVAOCIr7nAFHxtKWJZ6PwLusisAzKTyr:uJHbH1QwlARgCCySf47AFHLJ4uusCzZr
Malware Config
Extracted: urelas
- 1.234.83.146
- 133.242.129.155
- 218.54.31.226
- 218.54.31.165
Signatures

Detects executables built or packed with MPress PE compressor (7 IoCs)
resource / yara_rule:
- behavioral2/files/0x0015000000023123-31.dat: INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1192-35-0x0000000000400000-0x00000000004B5000-memory.dmp: INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1192-37-0x0000000000400000-0x00000000004B5000-memory.dmp: INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1192-39-0x0000000000400000-0x00000000004B5000-memory.dmp: INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1192-40-0x0000000000400000-0x00000000004B5000-memory.dmp: INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1192-41-0x0000000000400000-0x00000000004B5000-memory.dmp: INDICATOR_EXE_Packed_MPress
- behavioral2/memory/1192-42-0x0000000000400000-0x00000000004B5000-memory.dmp: INDICATOR_EXE_Packed_MPress
UPX dump on OEP (original entry point) (6 IoCs)
resource / yara_rule:
- behavioral2/memory/4668-0-0x0000000000400000-0x000000000047E000-memory.dmp: UPX
- behavioral2/memory/4668-3-0x0000000000400000-0x000000000047E000-memory.dmp: UPX
- behavioral2/files/0x0004000000022d20-7.dat: UPX
- behavioral2/memory/4668-15-0x0000000000400000-0x000000000047E000-memory.dmp: UPX
- behavioral2/memory/3636-18-0x0000000000400000-0x000000000047E000-memory.dmp: UPX
- behavioral2/memory/3636-34-0x0000000000400000-0x000000000047E000-memory.dmp: UPX
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (byxuk.exe)
Executes dropped EXE (2 IoCs)
pid / Process:
- 3636: byxuk.exe
- 1192: jyhik.exe

resource / yara_rule:
- behavioral2/memory/4668-0-0x0000000000400000-0x000000000047E000-memory.dmp: upx
- behavioral2/memory/4668-3-0x0000000000400000-0x000000000047E000-memory.dmp: upx
- behavioral2/files/0x0004000000022d20-7.dat: upx
- behavioral2/memory/4668-15-0x0000000000400000-0x000000000047E000-memory.dmp: upx
- behavioral2/memory/3636-18-0x0000000000400000-0x000000000047E000-memory.dmp: upx
- behavioral2/memory/3636-34-0x0000000000400000-0x000000000047E000-memory.dmp: upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid / Process:
- 1192: jyhik.exe (all 62 events are from this one process)
Suspicious use of WriteProcessMemory (9 IoCs)
description / pid / Process / procid_target:
- PID 4668 wrote to memory of 3636 | 4668 | b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe | 99 (3 events)
- PID 4668 wrote to memory of 4856 | 4668 | b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe | 100 (3 events)
- PID 3636 wrote to memory of 1192 | 3636 | byxuk.exe | 115 (3 events)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b9d3afe2e1978b9cc83d3e76a46fcedb7f8c6693edc517f918d310de943cbee8.exe"
    PID: 4668
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    Level 2: C:\Users\Admin\AppData\Local\Temp\byxuk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\byxuk.exe"
        PID: 3636
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        Level 3: C:\Users\Admin\AppData\Local\Temp\jyhik.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\jyhik.exe"
            PID: 1192
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

    Level 2: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 4856

Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
    PID: 4932
Network
MITRE ATT&CK Enterprise v15
Downloads