Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 12:00
Static task: static1
Behavioral task: behavioral1
Sample: c08c38b909af8bcd4ff86db7ce941b18.exe
Resource: win7-20240221-en
General
Target: c08c38b909af8bcd4ff86db7ce941b18.exe
Size: 95KB
MD5: c08c38b909af8bcd4ff86db7ce941b18
SHA1: a288da54333f293907e103be53af9508c165adc4
SHA256: 3ed6a6178dc642ad7d4fb33f0f13561b15012d5c031424f5ee6f20ee92aef83e
SHA512: e786bec2a5f7fc3ea8c6b5d53e2c97ef773588c12e28cfe08ddc82d3cbe0f87e41728fb59d5a7fd9a634b74ab617a2f22810243dcb2a081ae45782601e04e046
SSDEEP: 1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9c3:nqV9MziU4piRun7C3CP3Ma
Malware Config
Extracted
urelas
112.175.88.208
112.175.88.209
112.175.88.207
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation
  Process: c08c38b909af8bcd4ff86db7ce941b18.exe
Executes dropped EXE (1 IoC)
  pid: 1304
  Process: huter.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                               procid_target
  PID 1128 wrote to memory of 1304   1128  c08c38b909af8bcd4ff86db7ce941b18.exe  92
  PID 1128 wrote to memory of 1304   1128  c08c38b909af8bcd4ff86db7ce941b18.exe  92
  PID 1128 wrote to memory of 1304   1128  c08c38b909af8bcd4ff86db7ce941b18.exe  92
  PID 1128 wrote to memory of 2348   1128  c08c38b909af8bcd4ff86db7ce941b18.exe  93
  PID 1128 wrote to memory of 2348   1128  c08c38b909af8bcd4ff86db7ce941b18.exe  93
  PID 1128 wrote to memory of 2348   1128  c08c38b909af8bcd4ff86db7ce941b18.exe  93
Processes
C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe"
  PID: 1128
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\huter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    PID: 1304
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2348
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
  Filesize: 512B
  MD5: 02167b944a214fee3d34f9a7e356dc6a
  SHA1: ca5b3f38a7151268726401593eb35f9b67bdde97
  SHA256: 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
  SHA512: c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817
Dropped file 2
  Filesize: 95KB
  MD5: add8f874c84f0d94e44c50d21bf24490
  SHA1: 6a966a0bc637828e2a8c68d20e2305f3e36be0dc
  SHA256: 24fcc8f0b8c21b2e1d20f6454ea1862142012b50d91c42cf71bcfae421e762b3
  SHA512: 253a029290c6b859964684dec2bc16d3315fdee88a7add42198a6dd46937477ce14f16d6531be9df4095f163125474ba3ba100abd27a2388d8e6e9a2a797b341
Dropped file 3
  Filesize: 274B
  MD5: 0f11887a5b30f2407e8ef79ec28901b8
  SHA1: 29e8234eb652ba220aafc35c0f5c3b0444d9fd43
  SHA256: 1fc3b2039b132ae771964254d6e3fe2a4c172374f8d865159d3ab23acfa713a3
  SHA512: 5f15b26b16e551ecf20d388a4a3d1554e09a7cbfdc2824877fb58457264a06c23811ec30517cdb6d6d4d60b2dc9f471f95bac81078af8474593329a1ce25631c