Analysis
max time kernel: 92s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/03/2024, 22:31
Behavioral task: behavioral1
Sample: 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
Resource: win7-20240221-en
General
Target: 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
Size: 112KB
MD5: 290db70ba4d8a33e88c2d686003f2f2c
SHA1: a7d94088fec81d451520e00c06267c370ff29abd
SHA256: 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59
SHA512: 7cdd57876404657aaacd82fdefbdc49f4d341f64c56f123cd954a2416c6567bc4db2fa374eb5166bfac35682fdc867d255f4b427c837edd79524b0651e8734cf
SSDEEP: 1536:mCnrJLwAXDtIBcUyk+8CooNvy3GNbcq7+sWjcdgy64TNSek:htpCP+/oGvWSldgy64TNSek
Malware Config
Extracted: urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe

Executes dropped EXE (1 IoC)
pid | Process
4876 | biudfw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3536 wrote to memory of 4876 | 3536 | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe | 91
PID 3536 wrote to memory of 4876 | 3536 | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe | 91
PID 3536 wrote to memory of 4876 | 3536 | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe | 91
PID 3536 wrote to memory of 4600 | 3536 | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe | 92
PID 3536 wrote to memory of 4600 | 3536 | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe | 92
PID 3536 wrote to memory of 4600 | 3536 | 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe | 92
Processes

1. C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe"
   PID: 3536
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      PID: 4876
      - Executes dropped EXE

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 4600
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 112KB
MD5: 718e19a1c0f7a9eb39023bd7da27793e
SHA1: 8d723737df763f87d5ef84747c0afbde9e5fbbce
SHA256: 03c53026e0e2510836ad1a59371236f25718917b8fabf928b2cb0edbf68ddc0f
SHA512: 6dd6e6f9fd5378db799bba789df641567a391e62d393eccba8ec36143cdc6017d317307e050c7f0a583b22b3b977eac1e120e96f268be140aa4b00b0f492ce4b

Filesize: 512B
MD5: f0d42f2e44d35f66afa6c7a98d053021
SHA1: f874284acb7ed4b80e2733ed4f66656bd2c5447d
SHA256: d2060822260cd38f5fc68b1f3b9f9b787b250e1a9fa417be79cdc692ca066f8d
SHA512: d5b9a5e504276623574ba2c16e6d305c86b20ff3e6353dbe251e04287583c27d825fddfe4325530c249cc95ddd3e0674c86acdf2e7f4bd3c3404eab51c022a94

Filesize: 338B
MD5: e5451e5ffeb42e63dc77fefdb5ce1487
SHA1: d3970fedddbee411a7fc69ee25380b32d9ba55df
SHA256: c04c3704bd14b3cd4b8dcef9a5b5a6f7a4ae017f82de70e11c34477ebf729c8b
SHA512: a62cebc57608e9cd22a523a21048ff7383b532abbfc89cf6c27d71158ae8c492b455f241e73c3808b8726a13904d2158d6d48e836190aaf329b5f21a8716981f