Analysis
  max time kernel: 144s
  max time network: 157s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16/03/2024, 23:47
Behavioral task: behavioral1
  Sample: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
  Resource: win7-20240221-en
General
  Target: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
  Size: 147KB
  MD5: 03658b946ac0a9c0df49f1b5e7c87206
  SHA1: c4f83d6791833462add5f90e34a8318c08cbb660
  SHA256: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e
  SHA512: 82a7a1655d88394d018ff334831df458afa73835e943c9b32340d3c232da11d6acaaa632b73084a21c86d7e8b8d7345568474e605c432ccfeda130f5fe64f875
  SSDEEP: 3072:L/5FqCxiXEcO3XfGf2tMUW6o5gRwdllDzXv:L/5FqCxUElfQDR5gRC3f
Malware Config
  Extracted family: urelas
  Addresses:
    218.54.47.76
    218.54.47.77
    218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
  Process: c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe

Executes dropped EXE (1 IoC)
  pid: 804
  Process: biudfw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3472 wrote to memory of 804    3472  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  89
  PID 3472 wrote to memory of 804    3472  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  89
  PID 3472 wrote to memory of 804    3472  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  89
  PID 3472 wrote to memory of 4860   3472  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  90
  PID 3472 wrote to memory of 4860   3472  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  90
  PID 3472 wrote to memory of 4860   3472  c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  90
Processes

C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe  (depth 1, PID 3472)
  command line: "C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\biudfw.exe  (depth 2, PID 804)
    command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    signatures: Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 4860)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
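The Signatures and Processes sections above are raw IoC records; what an analyst actually wants from them is the parent/child edges and the handful of patterns worth a finding (a dropped executable in %TEMP% that the parent writes into, cmd.exe started with a batch file from the same directory, and the Geo\Nation country-code lookup). The following Python is an added example, not code from the sandbox or from the sample's author. The WriteProcessMemory lines, process list and registry query are retyped from this report as constructed inline data; the parsing regex, the `findings` logic and the `temp_dir` parameter are assumptions of this example. Note that three WriteProcessMemory calls into a freshly created child is also what ordinary process start-up looks like, so the finding is phrased around the dropped binary rather than asserting injection.

```python
import re
from collections import Counter

# Constructed input, retyped from this report's Signatures and Processes sections
# (not a feed from the sandbox itself). Field order in each WriteProcessMemory
# record mirrors the report: source PID, target PID, source PID, source image, procid_target.
SAMPLE = "c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

WPM_LINES = f"""\
PID 3472 wrote to memory of 804 3472 {SAMPLE} 89
PID 3472 wrote to memory of 804 3472 {SAMPLE} 89
PID 3472 wrote to memory of 804 3472 {SAMPLE} 89
PID 3472 wrote to memory of 4860 3472 {SAMPLE} 90
PID 3472 wrote to memory of 4860 3472 {SAMPLE} 90
PID 3472 wrote to memory of 4860 3472 {SAMPLE} 90
"""

# (pid, image path, command line) for the three processes in the report's tree.
PROCESSES = [
    (3472, f"{TEMP}\\{SAMPLE}", f'"{TEMP}\\{SAMPLE}"'),
    (804, f"{TEMP}\\biudfw.exe", f'"{TEMP}\\biudfw.exe"'),
    (4860, r"C:\Windows\SysWOW64\cmd.exe",
     f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\sanfdr.bat" "'),
]

# (pid, registry key) for the "Checks computer location settings" IoC.
REGISTRY_QUERIES = [
    (3472, r"\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000"
           r"\Control Panel\International\Geo\Nation"),
]

# Assumed line format; matches the report's "PID <src> wrote to memory of <dst> ..." records.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(text):
    """Parse report IoC lines into (source_pid, target_pid, source_image) tuples."""
    records = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return records


def write_counts(records):
    """Count WriteProcessMemory events per (source_pid, target_pid) edge."""
    return Counter((src, dst) for src, dst, _ in records)


def findings(processes, wpm_records, registry_queries, temp_dir=TEMP):
    """Turn raw IoCs into triage findings; returns a list of strings."""
    by_pid = {pid: (image, cmdline) for pid, image, cmdline in processes}
    temp_prefix = temp_dir.lower() + "\\"
    out = []
    for (src, dst), n in sorted(write_counts(wpm_records).items()):
        dst_image, dst_cmd = by_pid.get(dst, ("", ""))
        src_image = by_pid.get(src, ("", ""))[0]
        base = dst_image.rsplit("\\", 1)[-1].lower()
        # Parent writing into a child it dropped in %TEMP%. A few writes per
        # child is consistent with ordinary process start-up, so the finding
        # is about the dropped binary, not proof of injection.
        if dst_image.lower().startswith(temp_prefix) and base.endswith(".exe") \
                and dst_image.lower() != src_image.lower():
            out.append(f"pid {src} -> {dst}: {n} WriteProcessMemory calls into "
                       f"dropped executable {base} in %TEMP%")
        # cmd.exe handed a batch file that also lives in %TEMP%.
        if base == "cmd.exe" and re.search(r"\.bat\b", dst_cmd, re.I) \
                and temp_prefix in dst_cmd.lower():
            out.append(f"pid {src} -> {dst}: cmd.exe launched with a batch file from %TEMP%")
    for pid, key in registry_queries:
        # HKCU\Control Panel\International\Geo\Nation holds the user's country code.
        if key.lower().endswith(r"\control panel\international\geo\nation"):
            out.append(f"pid {pid}: queried Geo\\Nation (country code), possible geofence check")
    return out


if __name__ == "__main__":
    for line in findings(PROCESSES, parse_wpm(WPM_LINES), REGISTRY_QUERIES):
        print(line)
```

Run as-is it prints three findings for this report: the sample (PID 3472) writing three times into the dropped biudfw.exe (PID 804), cmd.exe (PID 4860) launched with sanfdr.bat from %TEMP%, and the Geo\Nation query. Pointing `parse_wpm` at the IoC text of another report of the same layout and swapping `PROCESSES`/`REGISTRY_QUERIES` for that report's tree is enough to reuse it.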
-
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (same size as the submitted sample, different hashes)
  Filesize: 147KB
  MD5: 7f2e47a3e13d0de1d873024a6615453b
  SHA1: 922b437c6e166b6e29c3afa3e98b85880ecaef8f
  SHA256: 3955b655862b5ebbdfb835a4f1d50c624a0db93b3d9d96747ddf23b889af54f7
  SHA512: ad9e047738cb9a913082da15291592a2c699bfbedfcaa036f4c6c898d865e202fe07e4797f0f9906a4c6a0cc7754680e4ef8851c3cb45aa2c84d25875f1fe01c

File 2
  Filesize: 512B
  MD5: e2d9c84d22710b94f88db5e136efd92e
  SHA1: 5636678dda45ea10068357a9b17878399804aea3
  SHA256: 91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25
  SHA512: 11159ba71474c0fc20139e27d71e10349b486d17cdd60a1df93babf9d8f40d8ab0764a881b93472e03036a50735b2b3defc790da5519d8cf723c6de46b008f3d

File 3
  Filesize: 338B
  MD5: d732eaa281de751ba31a94485d3ec3ba
  SHA1: 0fa7f872ef8cef20902ddbf368e1675e8e6bf3de
  SHA256: 346a210530638d2ad77b850382def437e7667c212ec9c864ce5f092c0783a60b
  SHA512: 383396611aaec52532bd022e998c397814fbcfa5953c390aeafd5e4a99c71a9a4dcd622a2b53f1cd7d936f7a3093a0d97e6306cb5e36d534fee2e0798e87f02f