Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 03:16
Behavioral task
behavioral1
Sample
bfb2d0ba26e58380d9726ff90275fd8d.exe
Resource
win7-20240221-en
General
Target: bfb2d0ba26e58380d9726ff90275fd8d.exe
Size: 236KB
MD5: bfb2d0ba26e58380d9726ff90275fd8d
SHA1: 51b2ae4a3eb1d814eb6c6e288ba51a14d7667b0f
SHA256: 0f09f3e21430744c3c858ea52acccae0a78e5f4877db67888907d0b524694c2b
SHA512: d71772f65ff878657b2febbe785ac5c8e4351b2804220c8fa3ba748f674d11ef3eebdc15f80d20cac9336b4ae03370c4bbae96b2e944e4f86b1ab20fae415769
SSDEEP: 3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2R:ZASpvo0LKkRzpxJ2kRqroiR
Malware Config
Extracted
urelas
112.175.88.207
112.175.88.208
Signatures
Deletes itself (1 IoC)
  PID 2536  cmd.exe
Executes dropped EXE (1 IoC)
  PID 2632  huter.exe
Loads dropped DLL (1 IoC)
  PID 1908  bfb2d0ba26e58380d9726ff90275fd8d.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                                procid_target
  PID 1908 wrote to memory of 2632  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   28
  PID 1908 wrote to memory of 2632  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   28
  PID 1908 wrote to memory of 2632  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   28
  PID 1908 wrote to memory of 2632  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   28
  PID 1908 wrote to memory of 2536  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   29
  PID 1908 wrote to memory of 2536  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   29
  PID 1908 wrote to memory of 2536  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   29
  PID 1908 wrote to memory of 2536  1908  bfb2d0ba26e58380d9726ff90275fd8d.exe   29
Processes
1. C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"
   PID: 1908
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\huter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      PID: 2632
      - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 2536
      - Deletes itself
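The process tree and the WriteProcessMemory rows above describe one dropper sequence: the submitted binary in the user's Temp directory launches a second Temp-resident executable (huter.exe) and a cmd.exe instance running a Temp batch file (sanfdr.bat), while writing into both children's memory. The Python below is an added example, not part of the sandbox report or of the sample; it rebuilds that tree from data constructed out of the report's PIDs, paths and command lines, and flags the three behaviours the signatures name. The rule names, the per-user Temp heuristic and the hypothetical data layout are the example's own assumptions.

```python
"""Added example: rebuild the sandbox process tree and flag the dropper behaviours
the report describes. PIDs, paths and command lines are constructed from the report
above; the rule names and the Temp-directory heuristic are this example's own."""
import re
from typing import Dict, List, Optional, Set, Tuple

# (pid, parent pid, image path, command line) -- constructed from the Processes section.
PROCESSES: List[Tuple[int, Optional[int], str, str]] = [
    (1908, None,
     r"C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"'),
    (2632, 1908,
     r"C:\Users\Admin\AppData\Local\Temp\huter.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\huter.exe"'),
    (2536, 1908,
     r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'),
]

# The eight "Suspicious use of WriteProcessMemory" rows, repeated as the report lists them.
WPM_EVENTS: List[str] = (
    ["PID 1908 wrote to memory of 2632"] * 4
    + ["PID 1908 wrote to memory of 2536"] * 4
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Per-user Temp directory on Windows: writable without privileges, hence a common drop location.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
BAT_ARG_RE = re.compile(r'"?([^"]+\.bat)"?', re.IGNORECASE)


def parse_wpm(lines: List[str]) -> Set[Tuple[int, int]]:
    """Collapse the WriteProcessMemory rows into unique (writer pid, target pid) pairs."""
    pairs: Set[Tuple[int, int]] = set()
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def in_user_temp(path: str) -> bool:
    """True when the path sits under C:\\Users\\<name>\\AppData\\Local\\Temp\\."""
    return bool(USER_TEMP_RE.match(path))


def analyse(processes, wpm_lines) -> List[Tuple[str, int, int, str]]:
    """Return (rule, parent pid, child pid, detail) for every suspicious parent/child edge."""
    by_pid: Dict[int, Tuple[int, Optional[int], str, str]] = {p[0]: p for p in processes}
    wpm = parse_wpm(wpm_lines)
    findings: List[Tuple[str, int, int, str]] = []
    for pid, ppid, image, cmdline in processes:
        if ppid is None or ppid not in by_pid:
            continue  # the tree root (the submitted sample) has no parent edge to judge
        parent_image = by_pid[ppid][2]
        # Rule 1: a Temp-resident binary launches another Temp-resident binary (dropped EXE run).
        if in_user_temp(parent_image) and in_user_temp(image):
            findings.append(("dropped_exe_executed", ppid, pid, image))
        # Rule 2: a Temp-resident binary spawns cmd.exe on a Temp batch file, the usual
        # way a dropper removes its own file once the payload is running.
        if in_user_temp(parent_image) and image.lower().endswith("\\cmd.exe"):
            bat = BAT_ARG_RE.search(cmdline)
            if bat and in_user_temp(bat.group(1)):
                findings.append(("batch_self_delete", ppid, pid, bat.group(1)))
        # Rule 3: the parent also wrote into this child's address space.
        if (ppid, pid) in wpm:
            findings.append(("parent_wrote_child_memory", ppid, pid, image))
    return findings


def render_tree(processes, pid: Optional[int] = None, depth: int = 0) -> str:
    """Indented text rendering of the tree, rooted at processes that have no parent."""
    out: List[str] = []
    for p in processes:
        if p[1] == pid:
            out.append("  " * depth + f"[{p[0]}] {p[2]}")
            out.append(render_tree(processes, p[0], depth + 1))
    return "\n".join(s for s in out if s)


if __name__ == "__main__":
    print(render_tree(PROCESSES))
    for rule, ppid, pid, detail in analyse(PROCESSES, WPM_EVENTS):
        print(f"{rule:26} parent={ppid} child={pid} {detail}")
```

Run as a script it prints the tree and four findings: dropped-EXE execution and a parent memory write for huter.exe, and batch self-deletion plus a parent memory write for the cmd.exe child. The same three rules apply unchanged to a process tree exported from a live endpoint sensor, which is where the Temp-to-Temp and Temp-to-cmd.exe edges earn their keep.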
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
MD5: 7295fb9368a0ef278de4b9755bf9fa1b
SHA1: db5fa220d77ed7824ae0a4f822e0ce46010a5d77
SHA256: dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98
SHA512: dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

Filesize: 236KB (same size as the submitted sample)
MD5: ab256c064d4f0976a2f3b2d793c537a8
SHA1: fe1884631a196957a7fc210267e2bab34d7a4ad1
SHA256: 0f8b69ab136d0985dc56a6d6184d620410dec86eb37d3ed3e3f3686326e9ebad
SHA512: 8130cc242e0ca5d84c7d8b4034e05231587c4cd925818f4abddd0dd52f2c0e74013d963ca4591c3d0f28487c5c48d93f4a8a6a90cfb5697d9422b4a7a6d86f05

Filesize: 274B
MD5: 9b2b6a72b0390126bd9f0c14bcbae8db
SHA1: d37185b590933823b126ccf44a019173d5d2ae30
SHA256: ab9629033942bae26ad02445573bcf94471b439859cf7074c24d11372a29a507
SHA512: aebef38a95a92b56897cd23fb4a0b72de9baeb203a86b62a923422459e7a5f4a9cb0b607e43d83273ebc795636fae2723a07f78e5476e31e6d6ca48172c58358