Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
17/03/2024, 09:05
Behavioral task
behavioral1
Sample
d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Resource
win7-20240220-en
General
-
Target
d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
-
Size
187KB
-
MD5
d07ae5eb7a8e9c65fd0be420c14a0bb2
-
SHA1
ebe8e5114b9fe1f8599b69f4de189676d6624301
-
SHA256
ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d
-
SHA512
3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095
-
SSDEEP
3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad:2mvqeP33AYFIN9treHy
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
Process: d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Executes dropped EXE 1 IoCs
pid: 4220
Process: biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process                               procid_target
PID 2352 wrote to memory of 4220  2352  d07ae5eb7a8e9c65fd0be420c14a0bb2.exe  93
PID 2352 wrote to memory of 4220  2352  d07ae5eb7a8e9c65fd0be420c14a0bb2.exe  93
PID 2352 wrote to memory of 4220  2352  d07ae5eb7a8e9c65fd0be420c14a0bb2.exe  93
PID 2352 wrote to memory of 2844  2352  d07ae5eb7a8e9c65fd0be420c14a0bb2.exe  94
PID 2352 wrote to memory of 2844  2352  d07ae5eb7a8e9c65fd0be420c14a0bb2.exe  94
PID 2352 wrote to memory of 2844  2352  d07ae5eb7a8e9c65fd0be420c14a0bb2.exe  94
Processes
-
d07ae5eb7a8e9c65fd0be420c14a0bb2.exe (PID:2352, level 1)
  Image: C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  biudfw.exe (PID:4220, level 2)
    Image: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
  cmd.exe (PID:2844, level 2)
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    Note: the command line names system32 but the image actually loaded is under SysWOW64; the parent is a 32-bit process (see the arch:x86 resource tag), so WOW64 file system redirection mapped the system32 path to SysWOW64.
-
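As an added example (not part of the sandbox report and not code from the sample), the script below parses the WriteProcessMemory IoC records and the process list above into a process tree and re-derives the three fired signatures as plain rules: a child EXE executed out of the user's Temp directory, cmd.exe running a .bat from Temp, and a query of the Geo\Nation registry value. The input strings are copied from this page; the rule names and the helper function names are this script's own choices, not the sandbox's.

```python
"""Rebuild the process tree from a sandbox report's IoC lines and re-derive
its signatures as simple rules.  Added example; input is copied from the
report on this page, not collected from a live host."""
import re
from collections import defaultdict

# --- input, as printed in the report (constructed from the page) ------------
WRITEPROCESSMEMORY_IOCS = """
PID 2352 wrote to memory of 4220 2352 d07ae5eb7a8e9c65fd0be420c14a0bb2.exe 93
PID 2352 wrote to memory of 4220 2352 d07ae5eb7a8e9c65fd0be420c14a0bb2.exe 93
PID 2352 wrote to memory of 4220 2352 d07ae5eb7a8e9c65fd0be420c14a0bb2.exe 93
PID 2352 wrote to memory of 2844 2352 d07ae5eb7a8e9c65fd0be420c14a0bb2.exe 94
PID 2352 wrote to memory of 2844 2352 d07ae5eb7a8e9c65fd0be420c14a0bb2.exe 94
PID 2352 wrote to memory of 2844 2352 d07ae5eb7a8e9c65fd0be420c14a0bb2.exe 94
"""

# pid -> command line, from the Processes section of the report
PROCESSES = {
    2352: r'"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"',
    4220: r'"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"',
    2844: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "',
}

# (pid, registry key) from the "Checks computer location settings" IoC; the
# report ties the query to the sample's process name, which is PID 2352 here
REGISTRY_QUERIES = [
    (2352, r"\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000"
           r"\Control Panel\International\Geo\Nation"),
]

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# cmd.exe /c <path under %TEMP% ending in .bat>, quotes optional
BAT_RE = re.compile(r'/c\s+"*([A-Za-z]:\\[^"]*?\\AppData\\Local\\Temp\\[^"]+\.bat)', re.I)


def parse_wpm(text):
    """Set of (writer_pid, target_pid, writer_image).  The report repeats a
    record once per WriteProcessMemory call, so duplicates are collapsed."""
    return {(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in WPM_RE.finditer(text)}


def build_tree(edges):
    """writer pid -> set of pids it wrote into.  In this report the targets
    are exactly the children the sandbox's own tree shows under PID 2352."""
    tree = defaultdict(set)
    for writer, target, _ in edges:
        tree[writer].add(target)
    return tree


def image_path(cmdline):
    """First token of a command line with surrounding quotes stripped."""
    m = re.match(r'\s*"?([^"]+?)"?(\s|$)', cmdline)
    return m.group(1) if m else cmdline


def classify(tree, processes, registry_queries):
    """Apply three rules mirroring the report's signatures; returns pid -> flags."""
    flags = defaultdict(set)
    for _parent, children in tree.items():
        for child in children:
            cmdline = processes.get(child, "")
            image = image_path(cmdline).lower()
            # "Executes dropped EXE": a child image living in the user's Temp dir
            if image.endswith(".exe") and "\\appdata\\local\\temp\\" in image:
                flags[child].add("dropped_exe_in_temp")
            # cmd.exe /c running a batch file out of Temp
            if image.endswith("\\cmd.exe") and BAT_RE.search(cmdline):
                flags[child].add("cmd_runs_temp_bat")
    # "Checks computer location settings": Geo\Nation lookup, likely geofence
    for pid, key in registry_queries:
        if key.lower().endswith("\\control panel\\international\\geo\\nation"):
            flags[pid].add("geofence_lookup")
    return dict(flags)


def summarize(tree, processes, flags):
    """Indented tree lines, one per process, with its flags appended."""
    lines = []
    roots = [p for p in processes if p not in {c for cs in tree.values() for c in cs}]

    def walk(pid, depth):
        tags = ",".join(sorted(flags.get(pid, ()))) or "-"
        lines.append(f"{'  ' * depth}{pid} {image_path(processes[pid])} [{tags}]")
        for child in sorted(tree.get(pid, ())):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WRITEPROCESSMEMORY_IOCS)
    tree = build_tree(edges)
    flags = classify(tree, PROCESSES, REGISTRY_QUERIES)
    print("\n".join(summarize(tree, PROCESSES, flags)))
```

The WriteProcessMemory records alone only say that PID 2352 wrote into 4220 and 2844; it is the report's own process tree that places both under 2352, which is why the script treats the write targets as children here rather than as a general injection indicator.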
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
187KB
MD5
f44af430d6ad8e3c542b3acd781a3139
SHA1
a03a6632a2d1aad44487ad19b38adb514c5287d8
SHA256
71b5fad460ac5290dbbe3672f5dc54cf458d9eba2199f1fccff81c9915263e39
SHA512
91f6254a0f968d55f43700888704f108e079d51d7f67d1948b0e955b471ee9bf62ab957c1d1c3b72716dc3b660b27b1d4da6059d5b0f447c60a2926afd98643a
-
Filesize
512B
MD5
1e75a7e32613b9d0b73f13b66c2c2f58
SHA1
035e2d6ab4ac34190f0e684681098188409e978c
SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3
SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf
-
Filesize
274B
MD5
bc1d434dffa395a95abd4d58f4d2fbdf
SHA1
f634dbbd5cd486ce545b80fcb03cdfee27f6d61f
SHA256
3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5
SHA512
1a1f9d9274bb7da1287b0bf1b1cf4db1823a5ad2247644583e4e31e45307fce1ef503140f59ba11d9043701ad035c6e83ab2568b5ff0cd9fc92a7b27d76c5d1f