Analysis
max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted
17/03/2024, 17:14
Behavioral task
behavioral1
Sample
d16d445722fcebd5b2c37bfe3ff79036.exe
Resource
win7-20240221-en
General
Target
d16d445722fcebd5b2c37bfe3ff79036.exe
Size
180KB
MD5
d16d445722fcebd5b2c37bfe3ff79036
SHA1
ecace6bb09004314df7aea2bf9ea254c0d4f4f9c
SHA256
fee37357fdf781f827d0c1231eadf4a30b66f6081ee04ca57cbc9a5100c7540a
SHA512
ddac6af01f310aa62f1468992909693956d98ace8507086cb1542781976d9ee29ac35cef2797809afa6871bfe795c73cec6e396382223127a60da35e5c68007a
SSDEEP
3072:z/5KFl81i04l2Fv2f9tMUr6of9MRNwda7KVr0cHneunw1oN:z/5KFl81jDv72RFMReGir0cHneMwqN
Malware Config
Extracted
Family
urelas
C2
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (process: d16d445722fcebd5b2c37bfe3ff79036.exe)
Executes dropped EXE 1 IoCs
PID 2404: biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2064 wrote to memory of 2404 | 2064 | d16d445722fcebd5b2c37bfe3ff79036.exe | 90
PID 2064 wrote to memory of 2404 | 2064 | d16d445722fcebd5b2c37bfe3ff79036.exe | 90
PID 2064 wrote to memory of 2404 | 2064 | d16d445722fcebd5b2c37bfe3ff79036.exe | 90
PID 2064 wrote to memory of 4680 | 2064 | d16d445722fcebd5b2c37bfe3ff79036.exe | 91
PID 2064 wrote to memory of 4680 | 2064 | d16d445722fcebd5b2c37bfe3ff79036.exe | 91
PID 2064 wrote to memory of 4680 | 2064 | d16d445722fcebd5b2c37bfe3ff79036.exe | 91
Both targets (2404 biudfw.exe, 4680 cmd.exe) are direct children of 2064 in the process tree, and a parent writes into a child's address space as part of creating it, so these rows record process start-up rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe
  "C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"
  1⤵ PID:2064
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    2⤵ PID:2404
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    2⤵ PID:4680
    (the 32-bit parent requested system32\cmd.exe; WOW64 file system redirection resolved it to SysWOW64)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
180KB
MD5
ca9e53442e22e11b6959830a52e3818d
SHA1
6ef53e0eda45eb13735f5b350e876f743f6db36b
SHA256
f58dbc21e606cadcc6a3f3565547cd8b5a24bbd42459e0d20d115b6012a5dd58
SHA512
29ff405ddc9e2c52b212937b52c19ce0b6b4a94648a462dbf8fe947bd2078001799e73142c5e5c92a0ff18fc152eedb707fb40192223e09abcd0704d3bc5677a
Filesize
512B
MD5
0750e4580a3e9076e82bdc6ad33ba927
SHA1
b1e526b3833feda0e3b0738c6865fdac6360bf07
SHA256
74428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
SHA512
303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9
Filesize
274B
MD5
84f7ac848c93111d2cf12ba7c7c87c36
SHA1
8bfb3409486b626307c09badd688c726ca3c5b76
SHA256
3fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
SHA512
7a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78
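The WriteProcessMemory rows and the dropped-file hashes are the parts of this report an analyst turns into indicators. The Python below is an added example, not part of the sandbox report or of the sample: it parses both sections as they appear on this page (including the fused "MD5ca9e..." labels), validates each digest length, collapses the six WriteProcessMemory rows into distinct writer/target pairs, flags any write whose target is not a direct child of the writer, and checks a byte string against the dropped-file SHA256 set. PARENT_OF is read off the Processes section above; the IoC text and the bytes passed to match_dropped are constructed inline.

```python
import hashlib
import re
from collections import defaultdict

# Constructed copy of this report's "Suspicious use of WriteProcessMemory" line,
# flattened exactly as the page presents it (six rows run together).
WPM_LINE = (
    "PID 2064 wrote to memory of 2404 2064 d16d445722fcebd5b2c37bfe3ff79036.exe 90 "
    "PID 2064 wrote to memory of 2404 2064 d16d445722fcebd5b2c37bfe3ff79036.exe 90 "
    "PID 2064 wrote to memory of 2404 2064 d16d445722fcebd5b2c37bfe3ff79036.exe 90 "
    "PID 2064 wrote to memory of 4680 2064 d16d445722fcebd5b2c37bfe3ff79036.exe 91 "
    "PID 2064 wrote to memory of 4680 2064 d16d445722fcebd5b2c37bfe3ff79036.exe 91 "
    "PID 2064 wrote to memory of 4680 2064 d16d445722fcebd5b2c37bfe3ff79036.exe 91"
)

# Constructed copy of the "Downloads" section, keeping the label/value fusion
# ("MD5ca9e...") the page shows so the parser has to handle it.
DROPPED_TEXT = """Filesize 180KB
MD5ca9e53442e22e11b6959830a52e3818d
SHA16ef53e0eda45eb13735f5b350e876f743f6db36b
SHA256f58dbc21e606cadcc6a3f3565547cd8b5a24bbd42459e0d20d115b6012a5dd58
SHA51229ff405ddc9e2c52b212937b52c19ce0b6b4a94648a462dbf8fe947bd2078001799e73142c5e5c92a0ff18fc152eedb707fb40192223e09abcd0704d3bc5677a
Filesize 512B
MD50750e4580a3e9076e82bdc6ad33ba927
SHA1b1e526b3833feda0e3b0738c6865fdac6360bf07
SHA25674428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
SHA512303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9
Filesize 274B
MD584f7ac848c93111d2cf12ba7c7c87c36
SHA18bfb3409486b626307c09badd688c726ca3c5b76
SHA2563fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
SHA5127a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78
"""

# Child PID -> parent PID, read off the Processes section of this report.
PARENT_OF = {2404: 2064, 4680: 2064}

# Columns: description, pid, Process, procid_target. The pid column repeats the
# writer's PID from the description, so both are captured and cross-checked.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first so "SHA512..."/"SHA256..." are never split as "SHA1" + hex.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^Filesize\s+(\S+)$")


def parse_wpm(line):
    """Split the flattened IoC line into one record per logged write."""
    records = []
    for writer, target, pid_col, process, procid_target in WPM_RE.findall(line):
        if writer != pid_col:
            raise ValueError(f"description PID {writer} disagrees with pid column {pid_col}")
        records.append({"pid": int(writer), "target_pid": int(target),
                        "process": process, "procid_target": int(procid_target)})
    return records


def cross_process_writes(records):
    """Collapse repeated rows into writer PID -> sorted distinct target PIDs."""
    targets = defaultdict(set)
    for r in records:
        targets[r["pid"]].add(r["target_pid"])
    return {pid: sorted(t) for pid, t in targets.items()}


def non_child_writes(records, parent_of):
    """Writes whose target is not a direct child of the writer.

    CreateProcess itself writes into the child it is setting up, so parent->child
    rows are expected; a write into an unrelated process is what merits a look.
    """
    return [r for r in records if parent_of.get(r["target_pid"]) != r["pid"]]


def parse_dropped(text):
    """Parse Filesize/MD5/SHA1/SHA256/SHA512 groups, validating each digest length."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIZE_RE.match(line)
        if m:
            current = {"size": m.group(1)}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
        current[algo.lower()] = digest
    return files


def match_dropped(data, files):
    """Dropped-file records whose SHA256 equals that of the given bytes."""
    digest = hashlib.sha256(data).hexdigest()
    return [f for f in files if f.get("sha256") == digest]


if __name__ == "__main__":
    writes = parse_wpm(WPM_LINE)
    print(len(writes), "rows ->", cross_process_writes(writes))
    print("writes outside parent->child:", non_child_writes(writes, PARENT_OF))
    print([f["sha256"] for f in parse_dropped(DROPPED_TEXT)])
```

For this report non_child_writes returns an empty list: every write goes from 2064 into one of its two children, which is the expected footprint of two process creations. The same functions applied to a report where the target PID has a different parent would surface the row that actually deserves the "suspicious" label.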