Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2024, 01:51
Behavioral task: behavioral1
Sample: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
Resource: win7-20240221-en
General
Target: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
Size: 406KB
MD5: 891bf6404527fad1fe321fa5a2ba7281
SHA1: 98ec4fb028e8caa6703062c31d83612c51b58d30
SHA256: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a
SHA512: 6e4181cbc999981f13dc4967a4359a42c0edd2f02a41d3cde91c2ac9f6f09bfa92f354b039c9da330b2a8ffc718d6e93535aa4348743dc226989c13d3a811978
SSDEEP: 6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohPS:8IfBoDWoyFblU6hAJQnO0
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation  bucet.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation  rugifa.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  4236  bucet.exe
  5104  rugifa.exe
  1308  qyneb.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1308  qyneb.exe   (all 64 entries are PID 1308, qyneb.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2424 wrote to memory of 4236  2424  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe  90   (3 identical entries)
  PID 2424 wrote to memory of 4196  2424  f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe  91   (3 identical entries)
  PID 4236 wrote to memory of 5104  4236  bucet.exe                                                               93   (3 identical entries)
  PID 5104 wrote to memory of 1308  5104  rugifa.exe                                                              108  (3 identical entries)
  PID 5104 wrote to memory of 3856  5104  rugifa.exe                                                              109  (3 identical entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"
    PID: 2424
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\bucet.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\bucet.exe" hi
        PID: 4236
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\rugifa.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\rugifa.exe" OK
            PID: 5104
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\qyneb.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\qyneb.exe"
                PID: 1308
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID: 3856

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 4196
Network
MITRE ATT&CK Enterprise v15
Downloads