Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2024, 00:28

Behavioral task: behavioral1
Sample: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
Resource: win7-20240221-en
General
Target: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
Size: 362KB
MD5: 7930a0031d2a8d488da00efcee041ec0
SHA1: 522492d52032a4350248790ce72637646ccd56f7
SHA256: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f
SHA512: 0b8c7f57af39ece06a226cdf5347f09605ab219bc1b069e4a5fa1ed0049159614bbbec449b7ccbbd3bd4251fecbddcd684fb46cc7005ce5b46aa2d3bb5b80674
SSDEEP: 6144:PuOogy7brXN3OMxBxWjKq28FvcIR2GQilr0caF9xh:PuOA7b56rq
Malware Config
Extracted config (family: urelas)
Addresses:
112.175.88.208
112.175.88.209
112.175.88.207
Signatures

Detects executables built or packed with MPress PE compressor (5 IoCs)
resource / yara_rule:
behavioral2/memory/2356-0-0x0000000000400000-0x0000000000437000-memory.dmp / INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0004000000022c47-6.dat / INDICATOR_EXE_Packed_MPress
behavioral2/memory/2356-16-0x0000000000400000-0x0000000000437000-memory.dmp / INDICATOR_EXE_Packed_MPress
behavioral2/memory/4568-19-0x0000000000400000-0x0000000000437000-memory.dmp / INDICATOR_EXE_Packed_MPress
behavioral2/memory/4568-20-0x0000000000400000-0x0000000000437000-memory.dmp / INDICATOR_EXE_Packed_MPress
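The yara hits above identify the packer by its signature, both in the dropped file and in the memory images of PIDs 2356 and 4568. A quick offline way to triage a sample for the same packer is to walk the PE section table and look for the .MPRESS1/.MPRESS2 section names MPress writes. The Python below is an added example, not the report's detection logic (the body of INDICATOR_EXE_Packed_MPress is not reproduced on this page); the section-name heuristic, the minimal header builder and the two sample images are constructed for illustration, and since a packer can rename sections, a miss is inconclusive rather than a clean verdict.

```python
import struct
import sys

# Section names MPress writes into packed binaries. This is a heuristic added
# for the example; the report's yara rule is not reproduced here.
MPRESS_SECTIONS = {".MPRESS1", ".MPRESS2"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk the PE headers and return the section names in table order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts after 'PE\0\0'
    if coff + 20 > len(data):
        raise ValueError("truncated file header")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def is_mpress_packed(data: bytes) -> bool:
    """True if any section carries an MPress section name."""
    return any(name in MPRESS_SECTIONS for name in pe_section_names(data))


def build_pe(section_names: list[str], opt_size: int = 224) -> bytes:
    """Build a minimal PE header image for testing (constructed input, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, three zero fields,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE).
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = bytes(opt_size)               # zeroed optional header; the walk never reads it
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


# Constructed samples: one with MPress section names, one with ordinary MSVC names.
PACKED_SAMPLE = build_pe([".MPRESS1", ".MPRESS2", ".rsrc"])
PLAIN_SAMPLE = build_pe([".text", ".rdata", ".data", ".rsrc"])


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "MPress sections" if is_mpress_packed(fh.read()) else "no MPress sections"
        print(f"{path}: {verdict}")
    print("constructed packed sample:", is_mpress_packed(PACKED_SAMPLE))
    print("constructed plain sample:", is_mpress_packed(PLAIN_SAMPLE))
```

Run it against the dropped file from the report, or against a process dump such as the 0x400000-0x437000 region listed above once it has been re-based to a file image; the walk only needs the headers, so a partial dump that preserves them is enough.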
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description / ioc / Process:
Key value queried / \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
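The IoC path uses the NT-native spelling of the current-user hive (\REGISTRY\USER\<SID>\...), which is how sandboxes and ETW-based tooling print it, whereas Procmon and most SIEM parsers print HKCU\.... A detection for this behaviour has to accept both. The Python below is an added example, not part of the report: it normalises the hive prefix and flags RegQueryValue operations on Control Panel\International\Geo\Nation (and the sibling Geo\Name value, which is assumed to exist on newer Windows builds) in Procmon-style CSV rows. The CSV rows, process names and PIDs are constructed for the example.

```python
import csv
import io
import re

# Values a geofence check reads: Geo\Nation (GEOID, the value in the report)
# and Geo\Name (ISO country code; assumed present on newer Windows builds).
GEO_VALUE_RE = re.compile(
    r"\\Control Panel\\International\\Geo\\(?:Nation|Name)$", re.IGNORECASE
)
# Spellings of the current-user hive: NT-native path with a user SID, or HKCU.
USER_HIVE_RE = re.compile(
    r"^(?:\\REGISTRY\\USER\\S-1-5-21-[0-9-]+|HKEY_CURRENT_USER|HKCU)\\", re.IGNORECASE
)


def normalize_user_key(path: str) -> str:
    """Rewrite any spelling of the current-user hive prefix to 'HKCU\\'."""
    m = USER_HIVE_RE.match(path)
    return "HKCU\\" + path[m.end():] if m else path


def parse_procmon_csv(text: str) -> list[dict]:
    """Parse a Procmon CSV export (header row: Time of Day, Process Name, PID, ...)."""
    return list(csv.DictReader(io.StringIO(text)))


def find_geofence_queries(rows: list[dict]) -> list[tuple[str, int, str]]:
    """Return (process, pid, normalised path) for each read of the Geo values."""
    hits = []
    for row in rows:
        if row["Operation"] != "RegQueryValue":
            continue                        # opens and enumerations are not reads
        path = normalize_user_key(row["Path"])
        if GEO_VALUE_RE.search(path):
            hits.append((row["Process Name"], int(row["PID"]), path))
    return hits


# Constructed Procmon-style rows. The second row uses the NT-native path from
# the report to show the normalisation; names and PIDs are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:28:03.1000000 AM","sample.exe","1001","RegOpenKey","HKCU\Control Panel\International\Geo","SUCCESS","Desired Access: Read"
"12:28:03.1000010 AM","sample.exe","1001","RegQueryValue","\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"12:28:03.1000020 AM","sample.exe","1001","RegQueryValue","HKCU\Control Panel\International\LocaleName","SUCCESS","Type: REG_SZ, Length: 12, Data: en-US"
"12:28:04.2000000 AM","explorer.exe","1234","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"12:28:05.3000000 AM","dropped.exe","1002","RegQueryValue","HKCU\Control Panel\International\Geo\Name","SUCCESS","Type: REG_SZ, Length: 6, Data: US"
'''


if __name__ == "__main__":
    for proc, pid, path in find_geofence_queries(parse_procmon_csv(SAMPLE_CSV)):
        print(f"{proc} (pid {pid}) read {path}")
```

Benign processes read this value too (explorer.exe in the constructed rows stands in for the shell displaying locale settings), so a hit is a context signal to correlate with the dropped-EXE and process-memory write behaviour recorded for the same PID, not a standalone alert.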
Executes dropped EXE (1 IoC)
pid / Process:
4568 / huter.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
description / pid / Process / procid_target:
PID 2356 wrote to memory of 4568 / 2356 / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe / 92
PID 2356 wrote to memory of 4568 / 2356 / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe / 92
PID 2356 wrote to memory of 4568 / 2356 / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe / 92
PID 2356 wrote to memory of 1632 / 2356 / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe / 93
PID 2356 wrote to memory of 1632 / 2356 / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe / 93
PID 2356 wrote to memory of 1632 / 2356 / d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe / 93
Processes

C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"
  PID: 2356
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\huter.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    PID: 4568
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 1632
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: 02167b944a214fee3d34f9a7e356dc6a
SHA1: ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256: 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512: c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Filesize: 362KB
MD5: d5e639216e74edd75ba4618b87e9f072
SHA1: 68f07610f910541de7830d13f7b9674ebb7a3810
SHA256: e56eb2c8081ba76609fcd2a0c7f77969793c8818b843db01c06d4053e77d59c2
SHA512: e8ab9cf930aae4c70e86820e533ebdf0fab0f212cf01d9a37770e35db66ce2b45531763ecbefaf2f54338d5b97573e351dc52661f305479cb178dcca1051c9d2

Filesize: 338B
MD5: 20cf6fe7f4dc07e81666477c903c3c09
SHA1: 09c8c28016bf5f5d1f211a3dd493d3e006c56fbd
SHA256: 40d62f674f70fbb3dd457ee4a0684bc3588b23672ca955cf0d089390ebc1bfc7
SHA512: a778c816053a6286cd0f8a7b0690b9e439511a998276b3d5b62df2d7c84f5ea73f072a9537655e221baeb5c6c98267e568426e75512c6fbdee7ba5fed9295f02