Analysis
Max time kernel: 119s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 10/03/2024, 22:31

Behavioral task: behavioral1
Sample: 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
Resource: win7-20240221-en
General
Target: 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
Size: 112KB
MD5: 290db70ba4d8a33e88c2d686003f2f2c
SHA1: a7d94088fec81d451520e00c06267c370ff29abd
SHA256: 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59
SHA512: 7cdd57876404657aaacd82fdefbdc49f4d341f64c56f123cd954a2416c6567bc4db2fa374eb5166bfac35682fdc867d255f4b427c837edd79524b0651e8734cf
SSDEEP: 1536:mCnrJLwAXDtIBcUyk+8CooNvy3GNbcq7+sWjcdgy64TNSek:htpCP+/oGvWSldgy64TNSek
Malware Config
Extracted family: urelas
- 218.54.47.76
- 218.54.47.77
- 218.54.47.74
Signatures
- Deletes itself (1 IoC)
  pid 2768, process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 1496, process biudfw.exe
- Loads dropped DLL (1 IoC)
  pid 2812, process 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2812 wrote to memory of 1496   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  28
  PID 2812 wrote to memory of 1496   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  28
  PID 2812 wrote to memory of 1496   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  28
  PID 2812 wrote to memory of 1496   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  28
  PID 2812 wrote to memory of 2768   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  29
  PID 2812 wrote to memory of 2768   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  29
  PID 2812 wrote to memory of 2768   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  29
  PID 2812 wrote to memory of 2768   2812  7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe  29
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2812
  - [2] C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    PID: 1496
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - Deletes itself
    PID: 2768
Network
MITRE ATT&CK Enterprise v15
Downloads