Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/03/2024, 04:26
Behavioral task: behavioral1
Sample: bfd7a02cc1d28ca7231b333c14ff280f.exe
Resource: win7-20240221-en
General
Target: bfd7a02cc1d28ca7231b333c14ff280f.exe
Size: 536KB
MD5: bfd7a02cc1d28ca7231b333c14ff280f
SHA1: f825f75ce4574588f307803b37f24d7d8831bef3
SHA256: 4dbc1a06048161314d5e154fffeaa5a9ea12615931fb72848860cfffbcd46931
SHA512: 3c2bce0388cf5672d6283a234338db92c944949109d250668ebf52290592553ca3bc196f1553d8c2cb594d8b513576774cdba0380ba4057711aff290f89f3b58
SSDEEP: 12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPP:q0P/k4lb2wKatP
Malware Config
Extracted family: urelas
Extracted IP addresses:
218.54.31.226
218.54.31.165
Signatures
Deletes itself (1 IoC)
  PID 2704  cmd.exe
Executes dropped EXE (2 IoCs)
  PID 3044  othou.exe
  PID 1916  buipj.exe
Loads dropped DLL (2 IoCs)
  PID 2884  bfd7a02cc1d28ca7231b333c14ff280f.exe
  PID 3044  othou.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  PID 1916  buipj.exe  (all 53 events come from this one process)
Suspicious use of WriteProcessMemory (12 IoCs; every writer/target pair was logged 4 times)
  writer PID  writer process                          target PID  procid_target  calls
  2884        bfd7a02cc1d28ca7231b333c14ff280f.exe    3044        28             4
  2884        bfd7a02cc1d28ca7231b333c14ff280f.exe    2704        29             4
  3044        othou.exe                               1916        33             4
  The write targets are exactly the child processes in the process tree below (3044 and 2704 are spawned by 2884, 1916 by 3044).
Processes
C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe  (depth 1, PID 2884)
  command line: "C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\othou.exe  (depth 2, PID 3044)
    command line: "C:\Users\Admin\AppData\Local\Temp\othou.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\buipj.exe  (depth 3, PID 1916)
      command line: "C:\Users\Admin\AppData\Local\Temp\buipj.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 2704)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    - Deletes itself
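As an added worked example (not part of the sandbox report and not the sandbox's own code), the script below rebuilds the process tree from the WriteProcessMemory events listed above and applies two rules that correspond to what the report tags: an executable in %TEMP% launching another executable in %TEMP% (the dropped-EXE chain), and a %TEMP% executable running cmd /c on a .bat in %TEMP% (the shape behind the "Deletes itself" hit on cmd.exe). The flattened log line and the process list are copied from this report into constructed constants; the regexes, rule names and the assumption that a write into a PID here marks the parent/child relationship are mine.

```python
"""Rebuild the process tree from the report's WriteProcessMemory events and
flag the behaviours it shows: executables chaining out of %TEMP% and a
cmd /c <batch file> spawned by the sample (the "Deletes itself" signature)."""
import re
from collections import Counter, defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" line.
# The sandbox records every call, so each writer/target pair repeats.
WRITE_LOG = (
    "PID 2884 wrote to memory of 3044 2884 bfd7a02cc1d28ca7231b333c14ff280f.exe 28 " * 4
    + "PID 2884 wrote to memory of 2704 2884 bfd7a02cc1d28ca7231b333c14ff280f.exe 29 " * 4
    + "PID 3044 wrote to memory of 1916 3044 othou.exe 33 " * 4
)

# Constructed from the report's process list: pid -> (image path, command line).
PROCESSES = {
    2884: (r"C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"'),
    3044: (r"C:\Users\Admin\AppData\Local\Temp\othou.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\othou.exe"'),
    1916: (r"C:\Users\Admin\AppData\Local\Temp\buipj.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\buipj.exe"'),
    2704: (r"C:\Windows\SysWOW64\cmd.exe",
           r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'),
}

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BATCH_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.IGNORECASE)


def parse_write_events(log):
    """Return {(writer_pid, target_pid): call_count} from the flattened log line."""
    return Counter((int(w), int(t)) for w, t, _image, _idx in EVENT_RE.findall(log))


def build_tree(events):
    """Parent -> sorted child PIDs. Assumption (holds for this report): a write
    into another PID is the parent writing into the child it just created."""
    tree = defaultdict(set)
    for writer, target in events:
        tree[writer].add(target)
    return {parent: sorted(children) for parent, children in tree.items()}


def flag(processes, tree):
    """Apply the two rules to every parent/child edge and return the hits."""
    findings = []
    for parent, children in tree.items():
        parent_image = processes[parent][0]
        for child in children:
            child_image, child_cmd = processes[child]
            # Rule 1: an executable in %TEMP% launches another executable in %TEMP%.
            if TEMP_RE.search(parent_image) and TEMP_RE.search(child_image):
                findings.append(("dropped_exe_chain", parent, child, child_image))
            # Rule 2: a %TEMP% executable runs cmd /c on a .bat in %TEMP%, the
            # usual shape of a self-delete stub (matches the report's cmd.exe hit).
            match = BATCH_RE.search(child_cmd)
            if match and TEMP_RE.search(parent_image) and TEMP_RE.search(match.group(1)):
                findings.append(("self_delete_batch", parent, child, match.group(1)))
    return findings


if __name__ == "__main__":
    events = parse_write_events(WRITE_LOG)
    tree = build_tree(events)
    for (writer, target), n in sorted(events.items()):
        print(f"{writer} -> {target}: {n} WriteProcessMemory calls")
    for rule, parent, child, detail in flag(PROCESSES, tree):
        print(f"{rule}: {parent} -> {child} ({detail})")
```

Run stand-alone it prints the three parent/child edges with their call counts (4 each, 12 in total, matching the "12 IoCs" figure) and three findings: the cmd.exe self-delete stub under PID 2884 and the two %TEMP%-to-%TEMP% launches (2884 to 3044, 3044 to 1916). Counting calls per pair rather than listing each one is what turns the 12 raw entries into the three relationships a triage note actually needs.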
Network
MITRE ATT&CK Enterprise v15
Downloads (files dropped during the run)
Dropped file, 276B
  MD5: ae99bd0254865d7d31687d314d7480b1
  SHA1: 24fdb3bfd75e25f9175b3ae77166510f1f24251e
  SHA256: a7e256c5b1d05918094d474c94f1609757d8f8af337d33d58c138b423c5329a5
  SHA512: abd79e561435c12372c9110a69470a33720aade8ddec84a61ac73e8e33ea4af87d7513d5ab4fba68d8bbe556126c6db00f920eb9d9b412866c348d0387dafddb
Dropped file, 236KB
  MD5: 28d9a08c4733dc86d241d350b5995efa
  SHA1: fd2dd82da6a6c124ba962f784c7be911aefc23e7
  SHA256: baecd36cd86207dd19335eef736dcec44757e5d3e87ef5540891654a7425e2e4
  SHA512: 7b799af75a11607e23b05c480eb64c8389aef295b1c8088703da7f6d1728715bdcbe84d783c51c329689a7b338fdc5f12299110c316415829e4748ddc4131ef5
Dropped file, 512B
  MD5: c9750273d031537214893f90406959f3
  SHA1: 19c8ce78fd837a5de07281ab48281d31d61ca4a4
  SHA256: 2ab7427f876610bda2816e58b090470e9cd6416cad3d8615230ad819c8d035f2
  SHA512: e73ea19480856e41014fbf9c83fbd0515f3696ce4f0d6cb9a2a7e9d962a1317ef8e814daf09cd0996574aef413cf2ed41c44e5857b10e82e880c0a4f69e713e9
Dropped file, 536KB (same size as the submitted sample, but every hash differs, so it is not a byte-identical copy)
  MD5: 06237f49309c960004134f10e9211ad9
  SHA1: 5f5844d9e2b2a1c2b88234f9d3e8a5d22f16508c
  SHA256: a364c2c62d9cf62fc980c5942f8258da966078ec1d13587dc3525969f97b4ee6
  SHA512: 6decaf8da3eaa76c0f1ee4e41a20c116821e1afa6d084872cf5e3aa09d43994d9cb414dbc25a2722133b95884da8337cad65c535c33e8f9d0e371e287c9a329a