Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 17/03/2024, 09:05
Behavioral task: behavioral1
Sample: d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Resource: win7-20240220-en
General
Target: d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Size: 187KB
MD5: d07ae5eb7a8e9c65fd0be420c14a0bb2
SHA1: ebe8e5114b9fe1f8599b69f4de189676d6624301
SHA256: ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d
SHA512: 3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095
SSDEEP: 3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad:2mvqeP33AYFIN9treHy
Malware Config
Extracted: urelas
  218.54.47.76
  218.54.47.77
  218.54.47.74
Signatures
Deletes itself (1 IoCs)
  pid 2728 | Process cmd.exe
Executes dropped EXE (1 IoCs)
  pid 2880 | Process biudfw.exe
Loads dropped DLL (1 IoCs)
  pid 2172 | Process d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2172 wrote to memory of 2880 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 28
  PID 2172 wrote to memory of 2880 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 28
  PID 2172 wrote to memory of 2880 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 28
  PID 2172 wrote to memory of 2880 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 28
  PID 2172 wrote to memory of 2728 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 29
  PID 2172 wrote to memory of 2728 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 29
  PID 2172 wrote to memory of 2728 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 29
  PID 2172 wrote to memory of 2728 | 2172 | d07ae5eb7a8e9c65fd0be420c14a0bb2.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2172
    C:\Users\Admin\AppData\Local\Temp\biudfw.exe (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      - Executes dropped EXE
      PID: 2880
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      - Deletes itself
      PID: 2728
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512B
  MD5: 1e75a7e32613b9d0b73f13b66c2c2f58
  SHA1: 035e2d6ab4ac34190f0e684681098188409e978c
  SHA256: 9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3
  SHA512: e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf
Filesize: 274B
  MD5: bc1d434dffa395a95abd4d58f4d2fbdf
  SHA1: f634dbbd5cd486ce545b80fcb03cdfee27f6d61f
  SHA256: 3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5
  SHA512: 1a1f9d9274bb7da1287b0bf1b1cf4db1823a5ad2247644583e4e31e45307fce1ef503140f59ba11d9043701ad035c6e83ab2568b5ff0cd9fc92a7b27d76c5d1f
Filesize: 187KB
  MD5: d07ae5eb7a8e9c65fd0be420c14a0bb2
  SHA1: ebe8e5114b9fe1f8599b69f4de189676d6624301
  SHA256: ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d
  SHA512: 3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095