Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/03/2024, 03:40
Behavioral task: behavioral1
- Sample: cfd5c1aa6724937811319258b8ef1acf.exe
- Resource: win7-20240221-en
General
- Target: cfd5c1aa6724937811319258b8ef1acf.exe
- Size: 445KB
- MD5: cfd5c1aa6724937811319258b8ef1acf
- SHA1: bc03f8c15cc1ff46eb8fc3af6d3b835001b2d242
- SHA256: a4ba88a728adc6608e0589a1b1f473e1c3b841d7b3b074735e89de4896c56d9c
- SHA512: 62d1a0c91dea0ebba830c9d6a9eb3e3e474121e1ec9c76ecd3e45c2997bd3c6897e3b5935e4cc857e79c12275ae4811f78f40d537158f276a978d860a4451908
- SSDEEP: 6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoL:PMpASIcWYx2U6hAJQnH
Malware Config
- Extracted: urelas
- Addresses: 218.54.31.165, 218.54.31.226
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation (process: cfd5c1aa6724937811319258b8ef1acf.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation (process: dyhoc.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation (process: bymufi.exe)

Executes dropped EXE (3 IoCs)
- PID 3476: dyhoc.exe
- PID 3172: bymufi.exe
- PID 456: vusys.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 456: vusys.exe (the same entry is logged 64 times)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 4432 wrote to memory of 3476; process: cfd5c1aa6724937811319258b8ef1acf.exe; procid_target: 88 (logged 3 times)
- PID 4432 wrote to memory of 4640; process: cfd5c1aa6724937811319258b8ef1acf.exe; procid_target: 89 (logged 3 times)
- PID 3476 wrote to memory of 3172; process: dyhoc.exe; procid_target: 91 (logged 3 times)
- PID 3172 wrote to memory of 456; process: bymufi.exe; procid_target: 107 (logged 3 times)
- PID 3172 wrote to memory of 3036; process: bymufi.exe; procid_target: 108 (logged 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe (level 1, PID 4432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfd5c1aa6724937811319258b8ef1acf.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dyhoc.exe (level 2, PID 3476)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dyhoc.exe" hi
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bymufi.exe (level 3, PID 3172)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bymufi.exe" OK
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\vusys.exe (level 4, PID 456)
        Command line: "C:\Users\Admin\AppData\Local\Temp\vusys.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe (level 4, PID 3036)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 4640)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
MITRE ATT&CK Enterprise v15
Downloads