Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 23:47
Behavioral task: behavioral1
Sample: c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
Resource: win7-20240221-en
General
Target: c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
Size: 487KB
MD5: 7b4680c1c19a6d291953f25d24e76b45
SHA1: 43ce5530346df5fe3bcb773bc00a40b934ad2a1c
SHA256: c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0
SHA512: 8394837fd731945faad3c593a7b85e1220bd0fb048fae25fa04551a3f64e5dd33c4d99f07d8c15d9b33f36c7161466e18763b9cb629ec99d11a6c32276ea5834
SSDEEP: 12288:Vpbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbe+:VpbXi5xzFUBaazsiofx83
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  loqir.exe

Executes dropped EXE (2 IoCs)
pid   Process
384   loqir.exe
1116  ejemo.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1116  ejemo.exe  (the same pid/process pair is listed for all 64 IoCs)

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   Process                                                                  procid_target
PID 5084 wrote to memory of 384   5084  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  93
PID 5084 wrote to memory of 384   5084  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  93
PID 5084 wrote to memory of 384   5084  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  93
PID 5084 wrote to memory of 3688  5084  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  94
PID 5084 wrote to memory of 3688  5084  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  94
PID 5084 wrote to memory of 3688  5084  c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe  94
PID 384 wrote to memory of 1116   384   loqir.exe                                                                105
PID 384 wrote to memory of 1116   384   loqir.exe                                                                105
PID 384 wrote to memory of 1116   384   loqir.exe                                                                105
Processes

C:\Users\Admin\AppData\Local\Temp\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c3f5dc0ef0c5ce86c10feb602edbe6a3be24177d52608f8f127967b158a1d3a0.exe"
    PID: 5084
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\loqir.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\loqir.exe"
        PID: 384
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ejemo.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\ejemo.exe"
            PID: 1116
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 3688
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 58350343aa0b4f8f67a75c5b2c5c133a
SHA1: e1fd6002d93954622545031b127c7ec30fc898de
SHA256: 768c43becf6daa0bfea4b94d194f9b090b67ac32e5ebfba43ebf7f379e1f1039
SHA512: baf33270115d230ef01f8579661bc1d6d8db2ac9bac4cb215f0d1d915360e53fee8dde2e66ec2d841fcb70ac8ec2c1d7560aa83a35841e77c744fefeb28bd09f

Filesize: 217KB
MD5: b8fafd62ed997630aac06226950a9940
SHA1: c73eb764b6e4387bfb091b8e72cf647c4c7c5d2d
SHA256: 299a8ad934ffec1befa3c1530283279ce2df20930c1f4191cb7512bac84de6b8
SHA512: 1895196122404dd325877469201c700a3b15f9b08564172c8de8c055583cb5fbe0865ff6925395ff06ec5354f2a6520d4bb01565c7f6957a79780c3301793d0e

Filesize: 512B
MD5: a06a4499b76292b673a3688a29bb3628
SHA1: e9d42669969a4cdefd9e16115a82aeb7d11e33d3
SHA256: 7a3c1b544b042028bef44d7f5727c6454e7f2098508f3bc2fbd05fc4fd5ea46a
SHA512: eb3f6612619a762cf9498a685a3bf3d0f47a688c9afe50108b59aac2b8903490da1f112e78619902b6adb62473de5a8541e48a6851d69328a4b486848ac49e7c

Filesize: 487KB
MD5: 8241bc2939dbff73a92d73aead439b90
SHA1: fc4d4d300b21308a70a3718b7a1cafe82d9d59b1
SHA256: 805d130bc0ece281df5297ea4c0541548d13395ae1b5dd0082b9543a59084943
SHA512: 81d5f63e8b383e8d921445b80109cbfef930c3cefb4230dc68d11a6a9f3a01a8ff51602a4bb9dbd7f051a412409f06c70e5924bec7c915c4c1a81838bb3ba233