Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 04:02
Static task: static1
Behavioral task: behavioral1
Sample: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe
Resource: win7-20240508-en
General
Target: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe
Size: 289KB
MD5: bd5f8a05982a2f907a416dd5ce6707c7
SHA1: e0d4e8d2ddd5743d074e61ca9fee4ede506c9c9d
SHA256: d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120
SHA512: a46d1302409d5c38dc92cd92442ad4abe99ab2f62ce57b0219ad3f63decdb13c48c6501fa713a9616f3342fbb8d36e385770f2bfeef6acc6f427e94ec4c7b053
SSDEEP: 6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKZN:9A3NtUISdPw+Elq2Jsm2u
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
Signatures

resource                                      yara_rule
behavioral2/files/0x000a00000001d9e8-33.dat   aspack_v212_v242

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description          ioc                                                                                                     Process
Key value queried    \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation    d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe
Key value queried    \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation    vibuy.exe

Executes dropped EXE (2 IoCs)
pid    Process
1976   vibuy.exe
4024   tuwig.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    Process
4024   tuwig.exe   (this same entry is recorded 64 times)

Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid    Process                                                                 procid_target
PID 2916 wrote to memory of 1976    2916   d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe   86   (recorded 3 times)
PID 2916 wrote to memory of 3840    2916   d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe   87   (recorded 3 times)
PID 1976 wrote to memory of 4024    1976   vibuy.exe                                                               100  (recorded 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8e8472ff870bb8d3735fcaba25630b3fbc8da53dda6e4eb203a5635562ef120.exe"
  PID: 2916 (level 1)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\vibuy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vibuy.exe"
    PID: 1976 (level 2, child of 2916)
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tuwig.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tuwig.exe"
      PID: 4024 (level 3, child of 1976)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 3840 (level 2, child of 2916)
Network
MITRE ATT&CK Enterprise v15
Downloads