Analysis
max time kernel: 122s
max time network: 133s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/03/2024, 23:47
Behavioral task: behavioral1
Sample: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
Resource: win7-20240221-en
General
Target: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
Size: 147KB
MD5: 03658b946ac0a9c0df49f1b5e7c87206
SHA1: c4f83d6791833462add5f90e34a8318c08cbb660
SHA256: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e
SHA512: 82a7a1655d88394d018ff334831df458afa73835e943c9b32340d3c232da11d6acaaa632b73084a21c86d7e8b8d7345568474e605c432ccfeda130f5fe64f875
SSDEEP: 3072:L/5FqCxiXEcO3XfGf2tMUW6o5gRwdllDzXv:L/5FqCxUElfQDR5gRC3f
Malware Config
Extracted: urelas
  218.54.47.76
  218.54.47.77
  218.54.47.74
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2564  cmd.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  1748  biudfw.exe
Loads dropped DLL (1 IoCs)
  pid   Process
  1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 1764 wrote to memory of 1748   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   28
  PID 1764 wrote to memory of 1748   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   28
  PID 1764 wrote to memory of 1748   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   28
  PID 1764 wrote to memory of 1748   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   28
  PID 1764 wrote to memory of 2564   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   29
  PID 1764 wrote to memory of 2564   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   29
  PID 1764 wrote to memory of 2564   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   29
  PID 1764 wrote to memory of 2564   1764  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe   29
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"
    PID: 1764
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\biudfw.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
        PID: 1748
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
        PID: 2564
        - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 512B
  MD5: e2d9c84d22710b94f88db5e136efd92e
  SHA1: 5636678dda45ea10068357a9b17878399804aea3
  SHA256: 91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25
  SHA512: 11159ba71474c0fc20139e27d71e10349b486d17cdd60a1df93babf9d8f40d8ab0764a881b93472e03036a50735b2b3defc790da5519d8cf723c6de46b008f3d
File 2
  Filesize: 338B
  MD5: d732eaa281de751ba31a94485d3ec3ba
  SHA1: 0fa7f872ef8cef20902ddbf368e1675e8e6bf3de
  SHA256: 346a210530638d2ad77b850382def437e7667c212ec9c864ce5f092c0783a60b
  SHA512: 383396611aaec52532bd022e998c397814fbcfa5953c390aeafd5e4a99c71a9a4dcd622a2b53f1cd7d936f7a3093a0d97e6306cb5e36d534fee2e0798e87f02f
File 3
  Filesize: 147KB
  MD5: 2748a90c81fa5adfbc5c40c2c996e607
  SHA1: 3190da332d1ebb8cb699f7f09b42a4bc0033f43f
  SHA256: 5c77dd975ef53413f868a0e92a70eb20711a19ae70a6f3e47cf9dddcd5958e94
  SHA512: 93d99186d7fae6b25a4a7cd29d4ed5910745e37ec394a24fa3442c47008bc0ccbae934bd32f3e4f7fd91e6c6b83597fc6c098a838fca2dfeb4576bd085e66dfa