Analysis
Max time kernel: 148s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/03/2024, 03:16
Behavioral task: behavioral1
Sample: bfb2d0ba26e58380d9726ff90275fd8d.exe
Resource: win7-20240221-en
General
Target: bfb2d0ba26e58380d9726ff90275fd8d.exe
Size: 236KB
MD5: bfb2d0ba26e58380d9726ff90275fd8d
SHA1: 51b2ae4a3eb1d814eb6c6e288ba51a14d7667b0f
SHA256: 0f09f3e21430744c3c858ea52acccae0a78e5f4877db67888907d0b524694c2b
SHA512: d71772f65ff878657b2febbe785ac5c8e4351b2804220c8fa3ba748f674d11ef3eebdc15f80d20cac9336b4ae03370c4bbae96b2e944e4f86b1ab20fae415769
SSDEEP: 3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2R:ZASpvo0LKkRzpxJ2kRqroiR
Malware Config
Extracted family: urelas
Extracted values:
112.175.88.207
112.175.88.208
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | bfb2d0ba26e58380d9726ff90275fd8d.exe

Executes dropped EXE (1 IoC)
pid | Process
796 | huter.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1932 wrote to memory of 796 | 1932 | bfb2d0ba26e58380d9726ff90275fd8d.exe | 90
PID 1932 wrote to memory of 796 | 1932 | bfb2d0ba26e58380d9726ff90275fd8d.exe | 90
PID 1932 wrote to memory of 796 | 1932 | bfb2d0ba26e58380d9726ff90275fd8d.exe | 90
PID 1932 wrote to memory of 5016 | 1932 | bfb2d0ba26e58380d9726ff90275fd8d.exe | 91
PID 1932 wrote to memory of 5016 | 1932 | bfb2d0ba26e58380d9726ff90275fd8d.exe | 91
PID 1932 wrote to memory of 5016 | 1932 | bfb2d0ba26e58380d9726ff90275fd8d.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"
  PID: 1932
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\huter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      PID: 796
      - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 5016
Network
MITRE ATT&CK Enterprise v15
Downloads