Analysis
max time kernel: 145s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 22:35
Behavioral task: behavioral1
Sample: 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe
Resource: win10v2004-20240226-en
General
Target: 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe
Size: 158KB
MD5: 49b3eb1ff407bfcb643629dc760aec7d
SHA1: a5fcc5d88070f44bb5e390caa85a21fa575c60db
SHA256: 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08
SHA512: e28c82755131c7d5a496b18ec0a5457f25589a5a570b102d8d12a3d633ebce9853a260f3a811b56412d110ced486cb9abba96a5cdf5701a6b23ebc3d8c416587
SSDEEP: 1536:8iVlUPlfHeARjOsOAe2zBN7lE4U1sgzAom8JsuPIclSXsWjcdd6YGJYwYcl:nVlUPZRxfxE9Vs5cfdd6YGGIl
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe

Executes dropped EXE (1 IoC)
pid | Process
2856 | biudfw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3080 wrote to memory of 2856 | 3080 | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | 88
PID 3080 wrote to memory of 2856 | 3080 | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | 88
PID 3080 wrote to memory of 2856 | 3080 | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | 88
PID 3080 wrote to memory of 448 | 3080 | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | 89
PID 3080 wrote to memory of 448 | 3080 | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | 89
PID 3080 wrote to memory of 448 | 3080 | 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3080
    C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      - Executes dropped EXE
      PID: 2856
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 448
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 158KB
MD5: 3cbb37662c0688e8869a6e3102ba30f9
SHA1: 272a4482a7f9c9263249037363722fc29b112539
SHA256: eee755f3a379b0ca03a0850b7722fe2dd4057c7345a58ffccec0ef94c43d05d9
SHA512: 5cd5087a46a69c65e3f5db97e62fedf78925af21f460620be43730bc3a0f059e411defcc985565f74fb3f061bdccebb15ae97276157cc890efc0b687e3570330

Filesize: 512B
MD5: a250860c0687ed9dda488805c025a2d2
SHA1: 0c181ed3b46463d35631ca169f0928c33a1da389
SHA256: 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37
SHA512: 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

Filesize: 338B
MD5: 868e95bbc0c9998d8dfe3e1f80431636
SHA1: 06cf6850d8448eb5b2ef1333a724881813322165
SHA256: e46e57c26b2079a85858b9e44b98e4efb6d3bfcea2c54f7e912aa8346ee9de4c
SHA512: 209468d8fb982a21b02da9dadfadc2406b247aee2998de57f0e3ed7a3520936683f1a880cd38b749404750298b74cc3efb53ba4c3f3ffe881156924c9ad495e3