Analysis

max time kernel: 92s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 21:27
Behavioral task: behavioral1
Sample: 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe
Resource: win7-20240221-en
General

Target: 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe
Size: 125KB
MD5: 6722222e3dc78a102eafdf8d2f9fb340
SHA1: e14fe7b40686cb36c0b54e65a477b81a56410420
SHA256: 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d
SHA512: 45501b8f23e300f5ada301f7968c1bd234f4f056503beed4978d3ff17beee42e930bf50de9b5518e3f4e72fed1d586ad59c28532a3994d905924926613f84f67
SSDEEP: 1536:Ko6JdvxttIBcXISDPV2Mhg3GkFceersWjcd06UsfqW2vxq6UU/HpX:iHC6D92O8n7eU06UsfUpqCx
Malware Config

Extracted: urelas
C2:
112.175.88.209
112.175.88.207
112.175.88.208
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe

Executes dropped EXE (1 IoCs)
pid | Process
5008 | biudfw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3036 wrote to memory of 5008 | 3036 | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe | 83
PID 3036 wrote to memory of 5008 | 3036 | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe | 83
PID 3036 wrote to memory of 5008 | 3036 | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe | 83
PID 3036 wrote to memory of 1480 | 3036 | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe | 84
PID 3036 wrote to memory of 1480 | 3036 | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe | 84
PID 3036 wrote to memory of 1480 | 3036 | 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe"
    PID: 3036
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\biudfw.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
        PID: 5008
        - Executes dropped EXE

    C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
        PID: 1480
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 125KB
MD5: 36bd298f96e4aaab5bb2c302b35fb2a5
SHA1: 221755e11cbff8be720bb18bbde999137c63c49e
SHA256: 144e727fd30c96907af7e7c3dc8f76af4c448ade28fa6c545dc6c2d456534763
SHA512: 0014820647403fa713902f13936cd7ce340dc07840db3a92f5c696f513b170fb9d50e10089581eb0eeeb5d0a259a411a89d5aea06100726b02390b67c113fa5a

Filesize: 512B
MD5: d8b6fb23d659bed3f6b1cf40a104e95a
SHA1: 07c9c74af6b0fe9b78bb1b3aed5bdc1e0b5de952
SHA256: f28d96334bf66f634f899c800b4d5c6195bcf407cb073761f8a4f30a4061f136
SHA512: e841cd9283c63a92395b4221492e2ae6b06d9c4108fcbbfe7d8a7928cfca405c14c0634a6388a4f18da3db611696ea797f9b825ed314d1640a17aa767593e412

Filesize: 338B
MD5: d0eca34489c003255da2ab93c491e6ee
SHA1: a72bb0bf2f8b425f905b8357545b22db3e42821b
SHA256: a389de244b8ffcd8dcad2dc138e688439d682c61c5114ce5ef3d31f28145cedb
SHA512: a5b826a94bfae596d138a8fead4aadfa0ea7ac029e643c700485a16d014222862049efba8b9e1a4bb6a1694cab6a0c743e9b959763dd8a9d91b6bb7ae36fe670