Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 02:17
Static task: static1
Behavioral task: behavioral1
Sample: bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
Resource: win7-20240221-en
General
Target: bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
Size: 95KB
MD5: bf94e9ea9e34e9e1d313b0b2ca4a5efa
SHA1: 4b8bb8a6e710e1c07fb00a50092d9b9913205fac
SHA256: ac08ece39621233dc5293169ab545261c29b1039e4571f4c4d828628068797d2
SHA512: 652019f9a8fd00f72a1cdd223afde1ff59746f182713d03ac5255bbb154a6cd85a1fc5a48e4f6c624b50ea405f95c8fdf05ed429ef04695d985e42945a514176
SSDEEP: 1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9ci:nqV9MziU4piRun7C3CP3Mv
Malware Config
Extracted
urelas
112.175.88.208
112.175.88.209
112.175.88.207
Signatures
Deletes itself (1 IoCs)
pid   Process
2548  cmd.exe
Executes dropped EXE (1 IoCs)
pid   Process
2544  huter.exe
Loads dropped DLL (1 IoCs)
pid   Process
2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                               procid_target
PID 2976 wrote to memory of 2544   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  28
PID 2976 wrote to memory of 2544   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  28
PID 2976 wrote to memory of 2544   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  28
PID 2976 wrote to memory of 2544   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  28
PID 2976 wrote to memory of 2548   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  29
PID 2976 wrote to memory of 2548   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  29
PID 2976 wrote to memory of 2548   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  29
PID 2976 wrote to memory of 2548   2976  bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"
  Loads dropped DLL
  Suspicious use of WriteProcessMemory
  PID: 2976
    C:\Users\Admin\AppData\Local\Temp\huter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      Executes dropped EXE
      PID: 2544
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      Deletes itself
      PID: 2548
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: 02167b944a214fee3d34f9a7e356dc6a
SHA1: ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256: 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512: c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Filesize: 274B
MD5: 7a4af96776b496c36957275df6376e0b
SHA1: 84650387d66aefa18e3cba6197f74ffd70843b55
SHA256: 89ace4585665c644dba1d8f2d5c8154553446eebb3e51ce2aa472b6e66e59cce
SHA512: 1103bbb151a725cdb1616c4756391ba34af23a855cceb222dc14fd80b293a9f334971a9db22f75ec92adb9355c91ccc73709537f78cc500ac62d91d7f1a6864f

Filesize: 95KB
MD5: 32b2f5dca650a5e555785c84a087f5ea
SHA1: c5a07f2c78295ce30321c1deeaf4dc0a95f7e8e7
SHA256: 85d1b629c97ca44f467e537d1d06fc85f8916a7a45748683674d9fa76ab14777
SHA512: aa2c4fb9d557abbf4cd16ee7a6f303e7ecd67d9f8909e81a23f1e8fa2d68e1ad127419cc2ee7dda283a1a97f7b217a293d7b99eba2221db369eba9fbb455feaa