Analysis
Max time kernel: 119s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 17/03/2024, 00:28
Behavioral task: behavioral1
Sample: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
Resource: win7-20240221-en
General
Target: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
Size: 362KB
MD5: 7930a0031d2a8d488da00efcee041ec0
SHA1: 522492d52032a4350248790ce72637646ccd56f7
SHA256: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f
SHA512: 0b8c7f57af39ece06a226cdf5347f09605ab219bc1b069e4a5fa1ed0049159614bbbec449b7ccbbd3bd4251fecbddcd684fb46cc7005ce5b46aa2d3bb5b80674
SSDEEP: 6144:PuOogy7brXN3OMxBxWjKq28FvcIR2GQilr0caF9xh:PuOA7b56rq
Malware Config
Extracted family: urelas
C2 addresses:
112.175.88.208
112.175.88.209
112.175.88.207
Signatures

Detects executables built or packed with MPress PE compressor (6 IoCs)
resource | yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x0000000000437000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0033000000013f21-4.dat | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1584-11-0x0000000000400000-0x0000000000437000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/2236-18-0x0000000000400000-0x0000000000437000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1584-21-0x0000000000400000-0x0000000000437000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral1/memory/1584-22-0x0000000000400000-0x0000000000437000-memory.dmp | INDICATOR_EXE_Packed_MPress
The rule fires on the submitted sample (PID 2236), on a dropped file, and on the dropped huter.exe (PID 1584): both the original and the dropped executable are MPress-packed and map their image at the same base (0x400000-0x437000).

Deletes itself (1 IoCs)
pid | Process
2596 | cmd.exe

Executes dropped EXE (1 IoCs)
pid | Process
1584 | huter.exe

Loads dropped DLL (1 IoCs)
pid | Process
2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 1584 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 28
PID 2236 wrote to memory of 1584 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 28
PID 2236 wrote to memory of 1584 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 28
PID 2236 wrote to memory of 1584 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 28
PID 2236 wrote to memory of 2596 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 29
PID 2236 wrote to memory of 2596 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 29
PID 2236 wrote to memory of 2596 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 29
PID 2236 wrote to memory of 2596 | 2236 | d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe | 29
All eight writes go from the sample to the two children it creates itself (huter.exe, PID 1584, and cmd.exe, PID 2596); there is no write into a pre-existing third-party process. Four writes into a freshly created child is the pattern ordinary process launch produces, so this signature on its own is weak evidence of injection here; the stronger indicators on this page are the dropped packed executable and the batch-driven self-deletion.
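The MPress rule above matched the sample, a dropped file and the in-memory image of huter.exe. The check below is an added example (not Tria.ge's rule and not code from the page): it parses just enough of a PE header to read the section table and flags the section names MPress writes into the images it packs (`.MPRESS1`, `.MPRESS2`). `build_fake_pe` constructs a header-only PE32 so the check can be exercised offline; it is not a real executable and the section names it takes are test input.

```python
import struct

# Section names MPress gives a packed image; the packer collapses the original
# sections and the unpacking stub lives in .MPRESS2.
MPRESS_SECTION_NAMES = {b".MPRESS1", b".MPRESS2"}


def pe_section_names(data: bytes) -> list[bytes]:
    """Parse a PE header far enough to return its section names.

    Raises ValueError on anything that is not a well-formed PE prefix.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    if coff + 20 > len(data):
        raise ValueError("truncated file header")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_opt          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_mpress_packed(data: bytes) -> bool:
    """True if any section carries an MPress name; False for non-PE input."""
    try:
        return any(n in MPRESS_SECTION_NAMES for n in pe_section_names(data))
    except ValueError:
        return False


def build_fake_pe(section_names: list[bytes]) -> bytes:
    """Constructed header-only PE32 image for testing; it is not executable."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_opt = 0xE0                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_opt, 0x0102)  # i386, executable image
    opt = bytes(size_of_opt)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "MPress" if is_mpress_packed(fh.read()) else "not MPress"
        print(path, verdict)
```

Run it as `python mpress_check.py sample.exe huter.exe` against the files recovered from the sandbox. Section names are a cheap triage signal, not proof: a packer can rename them, which is why a YARA rule keyed on the unpacking stub's code bytes is the more robust form of the same check.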
Processes
1. C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"
   PID: 2236
   Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\huter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      PID: 1584
      Signatures: Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 2596
      Signatures: Deletes itself
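The tree above shows the dropper pattern in two children: the sample launches a new executable from its own %TEMP% directory and, in parallel, a 32-bit cmd.exe that runs a %TEMP% batch file, which is what removes the original (the "Deletes itself" hit). The detection below is an added example, not part of the report: it walks constructed process-creation events modelled on this tree (the records, the explorer/notepad control launch and the hypothetical PIDs 500, 1000 and 3000 are made up for the test) and reports every parent that did both things.

```python
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe")

# Constructed process-creation events modelled on the report's process tree
# (not sandbox output). explorer -> notepad is an unrelated negative control.
EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 2236, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1584, "ppid": 2236, "image": r"C:\Users\Admin\AppData\Local\Temp\huter.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\huter.exe"'},
    {"pid": 2596, "ppid": 2236, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "'},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c with the batch path, tolerating the doubled quotes cmd wraps it in.
CMD_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)', re.IGNORECASE)


def find_drop_and_delete(events):
    """Return one record per parent that both launched a new .exe out of %TEMP%
    and ran cmd /c on a %TEMP% .bat (the usual self-delete vehicle)."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    hits = []
    for ev in events:
        kids = children[ev["pid"]]
        dropped = [k["image"] for k in kids
                   if TEMP_DIR_RE.search(k["image"])
                   and k["image"].lower().endswith(".exe")]
        batches = []
        for k in kids:
            if not k["image"].lower().endswith("\\cmd.exe"):
                continue
            m = CMD_BAT_RE.search(k["cmdline"])
            if m and TEMP_DIR_RE.search(m.group(1)):
                batches.append(m.group(1))
        if dropped and batches:
            hits.append({"parent_pid": ev["pid"], "parent_image": ev["image"],
                         "dropped": dropped, "batch": batches})
    return hits


if __name__ == "__main__":
    for hit in find_drop_and_delete(EVENTS):
        print(f"parent {hit['parent_pid']} ({hit['parent_image']})")
        print("  dropped exe:", *hit["dropped"])
        print("  self-delete batch:", *hit["batch"])
```

Requiring both children under the same parent is what keeps the rule quiet on installers and updaters, which routinely do one or the other; a real deployment would read the events from Sysmon EventID 1 or an EDR feed and additionally confirm that the parent's image file is gone after the batch exits.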
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: 02167b944a214fee3d34f9a7e356dc6a
SHA1: ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256: 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512: c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Filesize: 338B
MD5: 20cf6fe7f4dc07e81666477c903c3c09
SHA1: 09c8c28016bf5f5d1f211a3dd493d3e006c56fbd
SHA256: 40d62f674f70fbb3dd457ee4a0684bc3588b23672ca955cf0d089390ebc1bfc7
SHA512: a778c816053a6286cd0f8a7b0690b9e439511a998276b3d5b62df2d7c84f5ea73f072a9537655e221baeb5c6c98267e568426e75512c6fbdee7ba5fed9295f02

Filesize: 362KB
MD5: 472e3caef3bbbcfb3c5557ad0ab7712b
SHA1: f4014dd25726d000ccddc384ecebeb29e725fa96
SHA256: 74a38c32d59b8410348a59a67f385ae7f69be591776c9bc1db551b7aadb8bb8f
SHA512: 6bd3ff8cf3962e955b5610a48f6f8c9360b9949ba9678fe554bd536d53aa735420d15baa83e0ce74407cb2d9cc93a0dca12d28533b626790dc657f614855b3cb
Note that the 362KB dropped file is the same size as the submitted sample but has different hashes, so it is a modified copy rather than a byte-for-byte duplicate; pivot on both SHA256 values when hunting.