Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2024, 01:36
Behavioral task: behavioral1
Sample: cf98e1c96efb311bbd871d0e2b974135.exe
Resource: win7-20240221-en
General
Target: cf98e1c96efb311bbd871d0e2b974135.exe
Size: 402KB
MD5: cf98e1c96efb311bbd871d0e2b974135
SHA1: 03e7db2575c8f88ee65107f33d9a260a15ccdb0f
SHA256: d14e7af0587c40e259d8b3400b9754d2df6359b3df0e522d261c9b9d117d3167
SHA512: d7f2ffffcf4294fa8451ab71a018bd8f269c6895739ffd44868f075bc5ad7e7c7e0f8fd224c2e3cad3a60f3dcbedc5b965d99fd349632ab4997d085686cec934
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh2:8IfBoDWoyFblU6hAJQnOg
Malware Config
Extracted
Family: urelas
C2: 218.54.31.165, 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | cf98e1c96efb311bbd871d0e2b974135.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | gyfog.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | miekdu.exe

Executes dropped EXE (3 IoCs)
pid | Process
4816 | gyfog.exe
4796 | miekdu.exe
1788 | ancio.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1788 | ancio.exe (all 64 IoCs are this same entry, repeated)

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3524 wrote to memory of 4816 | 3524 | cf98e1c96efb311bbd871d0e2b974135.exe | 89
PID 3524 wrote to memory of 1300 | 3524 | cf98e1c96efb311bbd871d0e2b974135.exe | 90
PID 4816 wrote to memory of 4796 | 4816 | gyfog.exe | 92
PID 4796 wrote to memory of 1788 | 4796 | miekdu.exe | 107
PID 4796 wrote to memory of 4872 | 4796 | miekdu.exe | 108
(each of the five rows above is recorded three times in the report, giving 15 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"
    PID: 3524
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\gyfog.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\gyfog.exe" hi
        PID: 4816
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\miekdu.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\miekdu.exe" OK
            PID: 4796
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\ancio.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\ancio.exe"
                PID: 1788
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses

            C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID: 4872

    C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1300
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 224B
MD5: 9786f1c23f7d338ca04684c58a97edee
SHA1: d6af8b67253f2cc37b3060f8c3415d8c1bdec4d0
SHA256: 9b36c443f6f2a68be8de192543bccd33f55f851c37e0d011cbd952aa1db9b4bd
SHA512: 52ad90d7c0eb55b6475067bbdc6c0fd2626745d774e29129ad556879e0e1983097b30e9620388e42396b056964a6ad4cededbbc3a3de4aa1e860d9c63c2a3bee

File 2
Filesize: 276B
MD5: 36c9bf4a55cb8300c6139f9307c087b4
SHA1: f02fac771ac36c38d63174907ce30d8272a9960c
SHA256: 3c6c5d512387419fec7f9e766ab4d85a515748b908e0e91f999fd45b584443e1
SHA512: 71af02057fe77265d918bf6c06d7414b4f0208ee971ead4101f1f719c614c67a711666ffab32eab5af1f5302b507e30b2da0a06b5b7870cff54b001408df259c

File 3
Filesize: 223KB
MD5: 535dc6c4d29838b8bc8a7299596f62d5
SHA1: 77dbc16b7739b5a96d4ae4e90b7c81781c362a7e
SHA256: de3bbbef9d6864db6f21be44037e4904cd563a4a231d218f08fc6235853cef4a
SHA512: 228c6648b112fde47fd12ba79bb469bd3a7bb8dc6067727f5729b28f5aea3f7071be28a21c894441c428da76acbc9a0503bcdd2914d6938f738aa9776ab30159

File 4
Filesize: 512B
MD5: 1deed40f1e6cfdc389c44eb46afbefdc
SHA1: ee306aaf80375feac79f509e4bdddcbbe94597f3
SHA256: 1bebe60310ce420d85f842f89087d1ac8d85859468011352da89cc72e2c06a06
SHA512: 2f3a96314d54c9a6f9ec90a4730189271bbb33529bd12bc1991fea720a16694b45f71f3f750c237ece4a7331f2c7a78d7c97c6d8027ba1cb25515f65d037e596

File 5
Filesize: 402KB
MD5: da35388d0d0abffc322389f03f61609e
SHA1: ffd82d19943e8fcedc681b9d1ca5c07b28765944
SHA256: cfbeb85db59d0d984ad81188bc3124e50d17ad51c3b1d45bf80f2213509f68f0
SHA512: 15722a4c6fdb8d9923cfa712caa195a79ef69f9b4c14da611ce5f4e35589625668189a2ecec8bd757316d484a199b1ff264a9ed7a6bf09a8f80e088d6512ff35

File 6
Filesize: 402KB
MD5: b91b14da85ea731a3d740f14b5267292
SHA1: c0cb8dc43b6004c3082dd7e161d10955876615f1
SHA256: 68a79a90b472d741a9204b7d450267dcaff1ea0c44626b4a8b9ed0eed3533866
SHA512: d23089a6175bde2db98b956326905c700b1819455dc6b47e8d7d585176c12dfcb749007cc0318385eba3e14c28e8ef7e553edeefbb8593f286906d5aa42c0c44