Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 21:37
Behavioral task: behavioral1
Sample: 55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe
Resource: win7-20240221-en
General
Target: 55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe
Size: 414KB
MD5: 8150ef5c701e4b93175a661af5937c01
SHA1: a3db7b0bd6b262cba1dec404f618e7f81b9ff44a
SHA256: 55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737
SHA512: ee3394726d8f5baa2607649d33cd7597ea44480e1a18001ccbb8a7ca4acfc4ee5bdb0f9413e09b3627d1fb790c724c67afd6e94286f549af5cf5bcab2649cf58
SSDEEP: 6144:GzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IsInODgR:oU7M5ijWh0XOW4sEfeO8R
Malware Config
Extracted: urelas
Addresses: 218.54.31.226, 218.54.31.165
Signatures
- YARA rule match
  resource: behavioral2/files/0x000a0000000006c5-21.dat
  yara_rule: aspack_v212_v242
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  process: 55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  process: puubx.exe
- Executes dropped EXE (2 IoCs)
  pid 5104: puubx.exe
  pid 624: ytduw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 624: ytduw.exe (the same entry is listed 64 times)
- Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 3520 wrote to memory of 5104; pid 3520; process 55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe; procid_target 85 (listed 3 times)
  description: PID 3520 wrote to memory of 1904; pid 3520; process 55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe; procid_target 86 (listed 3 times)
  description: PID 5104 wrote to memory of 624; pid 5104; process puubx.exe; procid_target 96 (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\55048563315ec40694cd62cfd34d07665f3acc2838ab32dd3bbbe26b6be9d737.exe"
  PID: 3520
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\puubx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\puubx.exe"
    PID: 5104
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ytduw.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ytduw.exe"
      PID: 624
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 1904
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 340B
  MD5: e0470519083d906af5c706342fd1216f
  SHA1: cb4ace35da38647a20eee368fde03a82caa4b202
  SHA256: f66cd2dcfb797b1eec39725725c2fb51acc2481fd04c842ee2ebb28248742840
  SHA512: eee75103da8174e8b77874e65512f57692fef61352df071f2b37047c657cb47e609acaf3f0a7a6975bb1c70963a6d99ff85a2fb385b376348d2ae876c3ee9a60

Filesize: 512B
  MD5: 09f8803518531245c937b310dac5121f
  SHA1: 37de958b992d9e91bc80001cbd86ea74da937a86
  SHA256: be3b32e5c7b86e6a6b8ba66524c39e61a3e2c83036cbc889bf9386842b217ca6
  SHA512: 6d2ec01a8d97bf8f0faa539348de9180344033fc50bb16c445dc57fea45f97b02c211a3cdc4a1c8a98245f784d281ed4e56e14cfb38f36c33f79a6fc2b64ccba

Filesize: 414KB
  MD5: e049851e363a5fb9a5a4749f86e3c169
  SHA1: 6e76271d68ef0b3b09aac3075ba1c4b44726dc7f
  SHA256: 3ba02ecc508ef1e27cb394e06978544e9276d88902079e112cdf46b1f8f79f69
  SHA512: 7b30dc68a1c5ad8b24ba4606ba46ffe6f5594e02e7d97a224295040b00c50825d9ef606f8517af1cf1f700cfc105986dbc3e32368116ae0c710b776c420e462d

Filesize: 212KB
  MD5: 7a6995aa146c164a94bf4e108e60ad5a
  SHA1: 3ed9b60fb991a939544c8bf07a1e1c0e0665a2e6
  SHA256: bc05fa8803e7202f61ccddef284b93112db068cf313620118de0beae721f33a1
  SHA512: f67723e27eedc955b8e5844de5f82749d36a31aec13ef9bbe17bf7c055d5ad88d096084a95212e78f5b73bf14b245a12591ad7e0c56d507db817281e71ee6756