Analysis
max time kernel: 160s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2024, 01:35

Behavioral task
behavioral1
Sample: edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
Resource: win7-20240221-en

General
Target: edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
Size: 386KB
MD5: 63f8ca27ddacce225638a34121edadde
SHA1: 70f897e4e843388f656269c5257d7d62b9ce94a8
SHA256: edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771
SHA512: 19687aff5e1e59da7b52bb76e8da49c9e5cf071ea1166484610b681c88c209cd3589aacf673a75eaeec9e0165aca792548884ffec40a75d15f52b9b86f398b45
SSDEEP: 6144:1soTOQcDCbE8qLi6mADXdJ2dcoARXDR6YZbus8Z+2vFJhcemcyOpG8h:WalcDCbE8qlmx8RkeS+MJueQi
Malware Config
Extracted
urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | juvot.exe

Executes dropped EXE (2 IoCs)
pid | Process
4480 | juvot.exe
2100 | nihae.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid | Process
2100 | nihae.exe (the same entry is listed 28 times)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3744 wrote to memory of 4480 | 3744 | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe | 103
PID 3744 wrote to memory of 4480 | 3744 | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe | 103
PID 3744 wrote to memory of 4480 | 3744 | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe | 103
PID 3744 wrote to memory of 2592 | 3744 | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe | 104
PID 3744 wrote to memory of 2592 | 3744 | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe | 104
PID 3744 wrote to memory of 2592 | 3744 | edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe | 104
PID 4480 wrote to memory of 2100 | 4480 | juvot.exe | 118
PID 4480 wrote to memory of 2100 | 4480 | juvot.exe | 118
PID 4480 wrote to memory of 2100 | 4480 | juvot.exe | 118
Processes

C:\Users\Admin\AppData\Local\Temp\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\edd558c34a72180e44b0eb067930cbdb4a7082f0ec27e6814bc666d711bf7771.exe"
  PID: 3744
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\juvot.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\juvot.exe"
    PID: 4480
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nihae.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\nihae.exe"
      PID: 2100
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
  PID: 3364
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: f8ad78cf3e005e82efb632b03dd94621
SHA1: da25be72ebfaba110c6fd1016bba2fa03c84ce37
SHA256: 47632ec08c6a5a408e6e3cd3d1b99f8c4b75c852486413fdb4fb2dbfa2c30694
SHA512: 2afb949695e60e4bbdf32095d555db0c3a39519efb17ce09a28e40bba555b76480a5f62725bfd087be0a064ff3666105ff3ea36e8d206ed12680686751cf4e42

Filesize: 386KB
MD5: 71721d6d852b0c2c1870db48f764d11f
SHA1: 3e7a35e4c818d6edcc7e4c60cf73cd908652621a
SHA256: ba0e56d8f6855ac8190a3034b65a88d290aeb12dcb5c814501b25016a47e5a0b
SHA512: a1dbdfe805ce9aa8d1651779aa53fe07b19e4218bf0bdf10ebefdda52610d9db2ad534b0e6dd97797fdcfe9e6084186bf0448ffeea26954f1ca73b39db23d89e

Filesize: 212KB
MD5: 7b35805f9e6ff72bd1e51ebf4132df41
SHA1: ea6ca60288adcb8f118cc589aa2c473078347fb2
SHA256: eb003b744c24708bc4cfc3ee4289218111b1abf07fc3f19aa4edf3b1269fea45
SHA512: b00f7f0a0ab28e67145f922655afcf047f7c70761aaab6855481c7074fd2fb1dac8151c2e6ac043def0bb18f980942e37dafb0a949b2682a614c37719ecb2469