Analysis
max time kernel: 144s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2024, 00:15
Behavioral task: behavioral1
Sample: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
Resource: win7-20240221-en
General
Target: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
Size: 260KB
MD5: 07d5270febab755b5234260f8d4b5744
SHA1: 82b0db40bfb8dab500edc1f81712334fa546c5e0
SHA256: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610
SHA512: 8944fcc7c63e98407e41dcc9b46b526ef075f7bcd0cc475b1cf37d838e9c1243f4b124f2bea1412388a4b1975639e4087793756d5e64fa641edfbe6a4ba3018d
SSDEEP: 1536:DuhL7dKJY/aTztv1UF7+RcbpP/iOOaDXl32oNIVelT2r9ZLzi/4kgg57lmKwrr5n:GBKBy7+8pCOH1ch9ZLqrwrr58VX7C
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe

Executes dropped EXE (1 IoC)
pid | Process
2072 | dufih.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4500 wrote to memory of 2072 | 4500 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 99
PID 4500 wrote to memory of 2072 | 4500 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 99
PID 4500 wrote to memory of 2072 | 4500 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 99
PID 4500 wrote to memory of 2136 | 4500 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 100
PID 4500 wrote to memory of 2136 | 4500 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 100
PID 4500 wrote to memory of 2136 | 4500 | d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe | 100
Processes (process tree; depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    PID: 4500

    C:\Users\Admin\AppData\Local\Temp\dufih.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dufih.exe"
        Signatures: Executes dropped EXE
        PID: 2072

    C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
        PID: 2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3876 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
    PID: 4564
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: efe3a284e74e73225b2f37295f7f8c32
SHA1: b66161ff254687c688abcf92338a38f7b1caf0fe
SHA256: 71d5c10547bba70a33b5ef3ce30d69ccd639a9a667e465214db686a83b00309a
SHA512: dc2811b0477b9d8d5afeda41cc93aa7dd3225da067e99e16aefbe236c9d9f8478667869f5d7d5d2230e87f7699c89e2bd128d77ed635928730eb23d080f55928

Filesize: 38KB
MD5: 617c289ddac8b0d5f78d19eb6a3edeca
SHA1: c04959333c2e96131c8b591149a55e6bcd789f84
SHA256: d975a861d233b486e7ecc125a2049e3f1a351842e2b37dd4fbf56ee200853b5f
SHA512: 9571c63b02ad49c6d98f3d479d7e2b0aa143a9c529d418ce272bdfd5931f4dbb4ad6645420c8f8e84f175e4ca88f34ba57fde9a50b30a9cf64ce48d8a2975ea0

Filesize: 260KB
MD5: 2352b71a879a806cba7bec60575759da
SHA1: f95e742946571477a45942a2a20a5b4c3aa08298
SHA256: 591c48118e6f6a3134254f535b16d254fe5e22384499529d24dc1fbccdbaf36d
SHA512: 3b9fb1d3c3c18603e0883c13cf106d195c6dd2ffa4e8028318d5f160ccc8af5f758b94fee2fce1c3efd9167150f8ddbb81fd91ae3bfdf18b45bc063afaee2bcd