Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 17/03/2024, 17:14
Behavioral task: behavioral1
Sample: d16d445722fcebd5b2c37bfe3ff79036.exe
Resource: win7-20240221-en
General
Target: d16d445722fcebd5b2c37bfe3ff79036.exe
Size: 180KB
MD5: d16d445722fcebd5b2c37bfe3ff79036
SHA1: ecace6bb09004314df7aea2bf9ea254c0d4f4f9c
SHA256: fee37357fdf781f827d0c1231eadf4a30b66f6081ee04ca57cbc9a5100c7540a
SHA512: ddac6af01f310aa62f1468992909693956d98ace8507086cb1542781976d9ee29ac35cef2797809afa6871bfe795c73cec6e396382223127a60da35e5c68007a
SSDEEP: 3072:z/5KFl81i04l2Fv2f9tMUr6of9MRNwda7KVr0cHneunw1oN:z/5KFl81jDv72RFMReGir0cHneMwqN
Malware Config
Extracted family: urelas
C2 addresses:
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
Deletes itself (1 IoCs)
pid 2676, process cmd.exe
Executes dropped EXE (1 IoCs)
pid 2172, process biudfw.exe
Loads dropped DLL (1 IoCs)
pid 1556, process d16d445722fcebd5b2c37bfe3ff79036.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | procid_target
PID 1556 wrote to memory of 2172 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 28
PID 1556 wrote to memory of 2172 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 28
PID 1556 wrote to memory of 2172 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 28
PID 1556 wrote to memory of 2172 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 28
PID 1556 wrote to memory of 2676 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 29
PID 1556 wrote to memory of 2676 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 29
PID 1556 wrote to memory of 2676 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 29
PID 1556 wrote to memory of 2676 | 1556 | d16d445722fcebd5b2c37bfe3ff79036.exe | 29
Processes
C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"
  PID: 1556
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    PID: 2172
    - Executes dropped EXE
  child: C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2676
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 512B
MD5: 0750e4580a3e9076e82bdc6ad33ba927
SHA1: b1e526b3833feda0e3b0738c6865fdac6360bf07
SHA256: 74428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
SHA512: 303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9
File 2
Filesize: 274B
MD5: 84f7ac848c93111d2cf12ba7c7c87c36
SHA1: 8bfb3409486b626307c09badd688c726ca3c5b76
SHA256: 3fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
SHA512: 7a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78
File 3
Filesize: 180KB
MD5: 3a34d8f9b601456c000ca2655b553c76
SHA1: ca18fb77803e0e27f212d483b1f07f8dabd5abfd
SHA256: b48ba6dc5422a03534b2b0c3b5938f1abe8cd3ca815be69627b19154fabce5aa
SHA512: 68c31ca487a43773301b2272b0fbe628d6b5be62f1ccf4b6340b107023e396c436ca0d55c1ed0949e0ce43be546c677e0bc492c88c2566af601574374072e168