Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
11/03/2024, 02:17
Static task
static1
Behavioral task
behavioral1
Sample
bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
Resource
win7-20240221-en
General
-
Target
bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
-
Size
95KB
-
MD5
bf94e9ea9e34e9e1d313b0b2ca4a5efa
-
SHA1
4b8bb8a6e710e1c07fb00a50092d9b9913205fac
-
SHA256
ac08ece39621233dc5293169ab545261c29b1039e4571f4c4d828628068797d2
-
SHA512
652019f9a8fd00f72a1cdd223afde1ff59746f182713d03ac5255bbb154a6cd85a1fc5a48e4f6c624b50ea405f95c8fdf05ed429ef04695d985e42945a514176
-
SSDEEP
1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9ci:nqV9MziU4piRun7C3CP3Mv
Malware Config
Extracted
urelas
112.175.88.208
112.175.88.209
112.175.88.207
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation
Process: bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
Executes dropped EXE 1 IoCs
pid: 3196
Process: huter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2104 wrote to memory of 3196 | 2104 | bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | 97
PID 2104 wrote to memory of 3196 | 2104 | bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | 97
PID 2104 wrote to memory of 3196 | 2104 | bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | 97
PID 2104 wrote to memory of 1516 | 2104 | bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | 98
PID 2104 wrote to memory of 1516 | 2104 | bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | 98
PID 2104 wrote to memory of 1516 | 2104 | bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe | 98
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 2104
   2. C:\Users\Admin\AppData\Local\Temp\huter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      - Executes dropped EXE
      PID: 3196
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 1516
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
   PID: 3228
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
512B
MD5
02167b944a214fee3d34f9a7e356dc6a
SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817
-
Filesize
95KB
MD5
89b09ed901ca8069e336823839364e5b
SHA1
d193d341cab80a7c912c40d8b22507e504b9417c
SHA256
ff88c8292d1bf90ca4dd94a4439a0922c18e5c1924ad5059248bc8122e4d6daa
SHA512
91bed91116727e666600cb31558f0742be2b575759932d1b566340176b5c66019ee4b8e6a8b7a1a0968491ef6f7c981f1f4c56f34c64ed6724f59506650aa316
-
Filesize
274B
MD5
7a4af96776b496c36957275df6376e0b
SHA1
84650387d66aefa18e3cba6197f74ffd70843b55
SHA256
89ace4585665c644dba1d8f2d5c8154553446eebb3e51ce2aa472b6e66e59cce
SHA512
1103bbb151a725cdb1616c4756391ba34af23a855cceb222dc14fd80b293a9f334971a9db22f75ec92adb9355c91ccc73709537f78cc500ac62d91d7f1a6864f