Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 05:27

Static task: static1
Behavioral task: behavioral1
Sample: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
Resource: win7-20240419-en
General
Target: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
Size: 289KB
MD5: 6d25a28958e8ecc61a82a7866dabd79a
SHA1: a7ff2b34ad2455a4bb0fece62350c00368770d23
SHA256: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688
SHA512: 40facb3f95f712a7155b64ff67355d31a6a48357659be99891fc10ab22442eea73b35f04186ea017a0782018e48f21fb7f1bf6bddc13a182042f37469616583b
SSDEEP: 6144:96xwSR5NtUIJEWyXuew+q1l0d2Js6H5/TZkKg:9A3NtUISdPw+Elq2Jsm2z
Malware Config
Extracted: urelas
218.54.31.226
218.54.31.165
Signatures

YARA rule match
resource | yara_rule
behavioral2/files/0x000c000000022973-33.dat | aspack_v212_v242

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | mofua.exe

Executes dropped EXE (2 IoCs)
pid | Process
1816 | mofua.exe
1884 | cakow.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1884 | cakow.exe (this same entry is listed 64 times in the report)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4420 wrote to memory of 1816 | 4420 | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | 89
PID 4420 wrote to memory of 1816 | 4420 | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | 89
PID 4420 wrote to memory of 1816 | 4420 | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | 89
PID 4420 wrote to memory of 4092 | 4420 | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | 90
PID 4420 wrote to memory of 4092 | 4420 | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | 90
PID 4420 wrote to memory of 4092 | 4420 | f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe | 90
PID 1816 wrote to memory of 1884 | 1816 | mofua.exe | 101
PID 1816 wrote to memory of 1884 | 1816 | mofua.exe | 101
PID 1816 wrote to memory of 1884 | 1816 | mofua.exe | 101
Processes (process tree; indentation shows parent/child depth)

Level 1: C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"
  PID: 4420
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\mofua.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mofua.exe"
    PID: 1816
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\cakow.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cakow.exe"
      PID: 1884
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 4092
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 340B
MD5: 2dd4c59f8cf29c07a29920d74d85222a
SHA1: 2ddf9f8dd6ec640960265884ca9876d34f7af925
SHA256: 729cb2e8d2580599ab02345b6f6a9c78507356bb0ec1fbf5a15b81e0d533a7cc
SHA512: 918e7d0cd049bd025ff662d9b061b7f8e416b790de09d783af9b6f9f3f0cfd94e57ea790ea0329d152b3ae97566b87d4b498c845398c4d48446c26d24e3e399e

Filesize: 216KB
MD5: 56a3778286809160ebba2b7ed8544e2b
SHA1: 214ee556b63c1bf8e09d3f9a4092462f00ae7bc1
SHA256: 313a5dcdcd49630549be47db90998e812cb4b64f6109590149c7a7e3c5b0abb9
SHA512: d7481bfa4c59206ace94e8c1598ee0c2f8a5517a9d41e52bf1b9b9f6426b6566e4a9bc35b6c115278575b0a6b36d11ac77081c02359a90deb967cd753a61bddf

Filesize: 512B
MD5: 5baedff35430945085580c3c2899d042
SHA1: 02884acc4385d474f6b3b281ef5d15ba9ebfcf22
SHA256: 28112cfbf7d54344dd2724c62c2aeac7ca8566f6294c57872f13b29d4bb8fdda
SHA512: 15e1b8b59bccde3ed709ff4db790c9ca54fd460d57e3e4c27cc2ca0e62c2fc5a7ec0a78d588a1f4915d33c6001dd112b9791228fbf2eddebce9952a3befb275c

Filesize: 289KB
MD5: dffb5d29b31620ca517a0b5c55b125e5
SHA1: 0e84da6ecb68b0a0906542dc70d2cb4b2e22f3db
SHA256: 5338702a1a0098d9f038a77f112d742d5582f039769369b95a9d12b129430495
SHA512: 300b46a879f5ab9806318ae9d3bfb39b7ba1170428474498d806515d1dc818e41ec629ae1867299835c0e7be0edcec3644a489c9eb378ad780407af6e798ad46