Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 21:14
Behavioral task: behavioral1
Sample: 750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
Resource: win7-20240221-en
General
Target: 750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
Size: 369KB
MD5: 0b524fc54b4e624bdfd780d36da697c4
SHA1: 8f091a1d18120e94b70338dab5cdec817a5a08de
SHA256: 750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b
SHA512: bf8e7719cb627ba5b41a031235cfe720f1fa1e7e909f6072601cfdc2e0185896f0e3020725c0b3eb354a1e9c118f5706495b1b632ef02a11013adbabdfb5a4b7
SSDEEP: 6144:QYml0tyeXfs81owi4yoshiGGrcxV8HkaIHkvxDzU+0md/XAKqTr:NmXEfs81VJbryVYkaIHkvx/UX0AV/
Malware Config
Extracted: urelas
Addresses:
  1.234.83.146
  133.242.129.155
  218.54.31.226
  218.54.30.235
  218.54.31.165
Signatures

UPX dump on OEP (original entry point)  8 IoCs
  resource                                                                        yara_rule
  behavioral2/memory/5604-0-0x0000000000440000-0x00000000004D1000-memory.dmp      UPX
  behavioral2/memory/5604-1-0x0000000000440000-0x00000000004D1000-memory.dmp      UPX
  behavioral2/memory/5604-4-0x0000000000440000-0x00000000004D1000-memory.dmp      UPX
  behavioral2/files/0x0007000000023270-8.dat                                      UPX
  behavioral2/memory/5468-11-0x00000000007D0000-0x0000000000861000-memory.dmp     UPX
  behavioral2/memory/5604-16-0x0000000000440000-0x00000000004D1000-memory.dmp     UPX
  behavioral2/memory/5468-19-0x00000000007D0000-0x0000000000861000-memory.dmp     UPX
  behavioral2/memory/5468-35-0x00000000007D0000-0x0000000000861000-memory.dmp     UPX
Checks computer location settings  2 TTPs  2 IoCs
Looks up the country code configured in the registry (the GeoID under the user's hive, i.e. HKCU\Control Panel\International\Geo\Nation), likely a geofence. Both the submitted sample and the dropped woyrf.exe perform the lookup.
  description        ioc                                                                                                       Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation    750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation    woyrf.exe
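The two registry IoCs above are the kind of thing a detection engineer wants to turn into a rule. The script below is an added example, not part of the sandbox report and not the sandbox's own logic: it normalises the kernel-form key path the sandbox reports (\REGISTRY\USER\<SID>\...) to HKCU, matches the Geo\Nation (and Geo\Name) values, and rates each reader by where it runs from. The event records are constructed to mirror the report's two IoCs plus a benign baseline; the field names, the temp-directory heuristic, the `parent_of` map and the severity labels are my own assumptions.

```python
"""Flag processes that read the user's configured country (the Geo\\Nation GeoID).

Added example, not part of the sandbox report. The event records are
constructed to mirror the report's 'Key value queried' IoCs plus one benign
baseline; field names, the temp-dir heuristic and severity labels are assumed.
"""
import re

# The sandbox reports keys in kernel form: \REGISTRY\USER\<SID>\...  That hive
# is what HKCU resolves to for the logged-on user, so normalise before matching.
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.IGNORECASE)
# The numeric GeoID lives in Geo\Nation; newer Windows 10 builds also keep the
# two-letter ISO code in Geo\Name, so match both.
GEO_VALUE = re.compile(r"^HKCU\\Control Panel\\International\\Geo\\(Nation|Name)$", re.IGNORECASE)
# A reader living in the user's temp directory is far more suspicious than a system binary.
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

GEO_KEY = r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation"

EVENTS = [  # constructed records; "key" and the two flagged images come from the report
    {"pid": 5604, "op": "QueryValue", "key": GEO_KEY,
     "image": r"C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe"},
    {"pid": 5468, "op": "QueryValue", "key": GEO_KEY,
     "image": r"C:\Users\Admin\AppData\Local\Temp\woyrf.exe"},
    {"pid": 5468, "op": "QueryValue", "key": GEO_KEY,        # repeated read, must not double-count
     "image": r"C:\Users\Admin\AppData\Local\Temp\woyrf.exe"},
    {"pid": 4040, "op": "QueryValue", "key": GEO_KEY,        # assumed benign baseline: the shell reads it too
     "image": r"C:\Windows\explorer.exe"},
    {"pid": 5468, "op": "QueryValue",                        # unrelated key, ignored
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "image": r"C:\Users\Admin\AppData\Local\Temp\woyrf.exe"},
]


def normalize_key(path):
    """\\REGISTRY\\USER\\<SID>\\X -> HKCU\\X; any other path is returned unchanged."""
    m = USER_HIVE.match(path)
    return "HKCU\\" + path[m.end():] if m else path


def is_geo_lookup(event):
    return event["op"] == "QueryValue" and GEO_VALUE.match(normalize_key(event["key"])) is not None


def score_geo_lookups(events):
    """Return one (pid, image, severity) per process that read its country setting.

    Reading the GeoID is not malicious on its own (installers, browsers and the
    shell all do it), so the location of the reader decides the severity.
    """
    seen, hits = set(), []
    for e in events:
        if not is_geo_lookup(e) or (e["pid"], e["image"]) in seen:
            continue
        seen.add((e["pid"], e["image"]))
        severity = "high" if USER_TEMP.match(e["image"]) else "low"
        hits.append((e["pid"], e["image"], severity))
    return hits


def dropper_and_payload_both_check(hits, parent_of):
    """True when a high-severity reader and its high-severity parent both read the
    GeoID: the pattern in this report (the sample and the woyrf.exe it drops).
    parent_of is an assumed {child_pid: parent_pid} map from process telemetry."""
    flagged = {pid for pid, _, sev in hits if sev == "high"}
    return any(parent_of.get(pid) in flagged for pid in flagged)


if __name__ == "__main__":
    hits = score_geo_lookups(EVENTS)
    for pid, image, sev in hits:
        print(f"{sev:4}  {pid:5}  {image}")
    print("parent and dropped child both geofence:", dropper_and_payload_both_check(hits, {5468: 5604}))
```

One caveat on telemetry: Sysmon's registry events (IDs 12, 13 and 14) cover key create/delete, value set and rename only, so a value *read* like this one never appears there. To see it outside a sandbox you need a source that records registry queries, such as the Microsoft-Windows-Kernel-Registry ETW provider or an EDR sensor.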
Executes dropped EXE  2 IoCs
  pid   Process
  5468  woyrf.exe
  3496  polob.exe

yara rule upx  8 IoCs (the same eight dumps and dropped file as the "UPX dump on OEP" signature above)
  resource                                                                        yara_rule
  behavioral2/memory/5604-0-0x0000000000440000-0x00000000004D1000-memory.dmp      upx
  behavioral2/memory/5604-1-0x0000000000440000-0x00000000004D1000-memory.dmp      upx
  behavioral2/memory/5604-4-0x0000000000440000-0x00000000004D1000-memory.dmp      upx
  behavioral2/files/0x0007000000023270-8.dat                                      upx
  behavioral2/memory/5468-11-0x00000000007D0000-0x0000000000861000-memory.dmp     upx
  behavioral2/memory/5604-16-0x0000000000440000-0x00000000004D1000-memory.dmp     upx
  behavioral2/memory/5468-19-0x00000000007D0000-0x0000000000861000-memory.dmp     upx
  behavioral2/memory/5468-35-0x00000000007D0000-0x0000000000861000-memory.dmp     upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses  64 IoCs
  pid   Process
  3496  polob.exe  (all 64 IoCs come from this one process)
Suspicious use of WriteProcessMemory  9 IoCs
  description                       pid   Process                                                                 procid_target
  PID 5604 wrote to memory of 5468  5604  750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe   99   (logged 3 times)
  PID 5604 wrote to memory of 4020  5604  750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe   100  (logged 3 times)
  PID 5468 wrote to memory of 3496  5468  woyrf.exe                                                               114  (logged 3 times)
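Nine WriteProcessMemory IoCs look like a lot, but they collapse to three child launches (the sandbox records the same parent-to-child write three times per spawn), and those three edges reproduce the process tree. The script below is an added example, not part of the sandbox report and not the report's own tooling: it parses the IoC strings copied verbatim from this signature and from the "UPX dump on OEP" signature, deduplicates them into edges, walks them in the sandbox's own spawn order (procid_target), and annotates each process with the size of the memory region the UPX rule fired on. The `CHILD_NAMES` table is filled from the "Executes dropped EXE" signature and the Processes section, since the WriteProcessMemory IoC only names the parent image; all parsing logic is my own.

```python
"""Rebuild the spawn chain from the report's WriteProcessMemory and UPX-dump IoCs.

Added example, not part of the sandbox report. The IoC strings below are
copied from the report; CHILD_NAMES and the parsing logic are my own.
"""
import re
from collections import defaultdict

SAMPLE = "750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe"

# Each IoC reads "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>".
# The sandbox emits one line per WriteProcessMemory call, so every spawn appears three times.
WPM_IOCS = [
    f"PID 5604 wrote to memory of 5468 5604 {SAMPLE} 99",
    f"PID 5604 wrote to memory of 5468 5604 {SAMPLE} 99",
    f"PID 5604 wrote to memory of 5468 5604 {SAMPLE} 99",
    f"PID 5604 wrote to memory of 4020 5604 {SAMPLE} 100",
    f"PID 5604 wrote to memory of 4020 5604 {SAMPLE} 100",
    f"PID 5604 wrote to memory of 4020 5604 {SAMPLE} 100",
    "PID 5468 wrote to memory of 3496 5468 woyrf.exe 114",
    "PID 5468 wrote to memory of 3496 5468 woyrf.exe 114",
    "PID 5468 wrote to memory of 3496 5468 woyrf.exe 114",
]

# Memory dumps that matched the UPX rule; the name encodes pid, dump index and address range.
UPX_DUMPS = [
    "behavioral2/memory/5604-0-0x0000000000440000-0x00000000004D1000-memory.dmp",
    "behavioral2/memory/5604-1-0x0000000000440000-0x00000000004D1000-memory.dmp",
    "behavioral2/memory/5604-4-0x0000000000440000-0x00000000004D1000-memory.dmp",
    "behavioral2/memory/5468-11-0x00000000007D0000-0x0000000000861000-memory.dmp",
    "behavioral2/memory/5604-16-0x0000000000440000-0x00000000004D1000-memory.dmp",
    "behavioral2/memory/5468-19-0x00000000007D0000-0x0000000000861000-memory.dmp",
    "behavioral2/memory/5468-35-0x00000000007D0000-0x0000000000861000-memory.dmp",
]

# Child image names come from 'Executes dropped EXE' and the Processes section.
CHILD_NAMES = {5468: "woyrf.exe", 3496: "polob.exe", 4020: "cmd.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
DUMP_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_spawns(iocs):
    """Collapse the IoC list to one edge per (parent, child) -> (parent_image, procid_target)."""
    edges = {}
    for line in iocs:
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        parent, child, image, procid = m.groups()
        edges[(int(parent), int(child))] = (image, int(procid))
    return edges


def unpacked_regions(dump_names):
    """Map pid -> {(start, end)} for every distinct region the UPX rule fired on."""
    regions = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.search(name)
        if m is None:
            raise ValueError(f"unrecognised dump name: {name!r}")
        pid, start, end = m.groups()
        regions[int(pid)].add((int(start, 16), int(end, 16)))
    return dict(regions)


def spawn_chain(iocs=WPM_IOCS, dumps=UPX_DUMPS, names=CHILD_NAMES):
    """Return [(depth, pid, image, unpacked_bytes)] in the sandbox's spawn order.

    unpacked_bytes is the total size of the UPX-flagged regions (None if no dump).
    Equal sizes in parent and dropped child are consistent with the child carrying
    the same packed payload; they do not by themselves prove identical bytes.
    """
    edges = parse_spawns(iocs)
    regions = unpacked_regions(dumps)
    children = defaultdict(list)
    image_of = dict(names)
    for (parent, child), (parent_image, procid) in edges.items():
        children[parent].append((procid, child))
        image_of[parent] = parent_image
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})

    rows = []

    def walk(pid, depth):
        size = sum(end - start for start, end in regions[pid]) if pid in regions else None
        rows.append((depth, pid, image_of.get(pid, "?"), size))
        for _procid, child in sorted(children[pid]):   # procid_target order, as the sandbox saw them
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return rows


def render(rows):
    """Indented one-line-per-process view of spawn_chain()'s output."""
    lines = []
    for depth, pid, image, size in rows:
        tail = f"  [UPX-unpacked region 0x{size:X} bytes]" if size else ""
        lines.append(f"{'  ' * depth}{pid} {image}{tail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(spawn_chain()))
```

Running it prints the sample at depth 0, woyrf.exe and then polob.exe beneath it, and cmd.exe as the sample's second child; both the sample (0x440000-0x4D1000) and woyrf.exe (0x7D0000-0x861000) carry a 0x91000-byte UPX-flagged region, which matches the Processes section and the "UPX dump on OEP" signature.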
Processes
1  C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe  PID 5604
   command line: "C:\Users\Admin\AppData\Local\Temp\750483a67905f8649c359d1bfc477be5c4d702271fc5956f4884b18859ce200b.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\woyrf.exe  PID 5468
      command line: "C:\Users\Admin\AppData\Local\Temp\woyrf.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\polob.exe  PID 3496
         command line: "C:\Users\Admin\AppData\Local\Temp\polob.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2  C:\Windows\SysWOW64\cmd.exe  PID 4020
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      (the sample asked for system32\cmd.exe; because the parent is 32-bit, WOW64 file system redirection resolved that path to SysWOW64, so the batch file runs under a 32-bit cmd.exe)
1  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3872
   command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
   (top-level process with no signatures attached; it is not a child of the sample)
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 340B
  MD5: 9eb0662062290c9925510552d7049754
  SHA1: f9c1f3c9b51d68a50f51e4b2d39302d95f5263ff
  SHA256: 49c60b3efcd404aead3541b79d0f9eb19f05d5461726ca5000a13123fde8f1df
  SHA512: 3d879450fda5c8543405fffabc01c091d293217aabe82c1ac85af440d5e18356418dc78caae227e3fb425e792c9aec6ffe094cf424e2b0b9b7fbfafaa042cce3
File 2
  Filesize: 512B
  MD5: 1b715d3a8dd472692c378fca767b7795
  SHA1: 5b7e87657815af9f061ffadb2bb41670c23c16f0
  SHA256: b43427d8c6b4bd2ec287e79e25d4cd4095cd1b51908a1fe78dfdc60988a57392
  SHA512: 7e820ccb3f20a1dbfe123282c1818fa5d427074b1c1203fe9ddd69bfe9099e3dd76f70a76836ee82e19f9a066939bff516c847451f2dfcc473f919c271188262
File 3
  Filesize: 218KB
  MD5: 1a949a39cc7cfb48e0f4d8e217fa66e7
  SHA1: bcd4510571e607b81c65e97274a10fdb14b2062e
  SHA256: 947845b9da57f3fa31050541be54981acc8f8baab3dbb4cacd909a93021859d9
  SHA512: 005d64dd553ee187199c242a3285fdd7a3f7cbb2c4f254844a7d6b069cd10466a8ae54736b2b19dd7d9ff8f69ea374dcaeb1e55fb7d50bff6be133356254eee3
File 4
  Filesize: 369KB
  MD5: 027ce4ca5250ac9b7542b1ddca6557f9
  SHA1: 1a34f254919616dce0a8f316773831913944d403
  SHA256: a874c4b1e612a66d936af9c0c0216d0d2daaf99a969054082bd74bbe361958df
  SHA512: 7861acad142c4249b69c471420f818a2b8aeaf8e6b4b00d55be0923f9b9ea9895edb5c452d5e388d0dd9c13f09f2bb202972f487c592d7e0bd90aaded4bddbb1
Note that File 4 matches the submitted sample's size (369KB) but none of its hashes, so whatever the sample wrote is not a byte-identical copy of itself; hash-based blocking of the original will not catch it.