Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
16-07-2024 06:29
Static task
static1
Behavioral task
behavioral1
Sample
815c519c72a50051d4cebaff3f4d2810N.exe
Resource
win7-20240708-en
General
-
Target
815c519c72a50051d4cebaff3f4d2810N.exe
-
Size
56KB
-
MD5
815c519c72a50051d4cebaff3f4d2810
-
SHA1
bdb780f001c05599f825776d62e54d5c6c38fd91
-
SHA256
5eab0cfa0f6c916740515e4ea6389ca0a55c1108c993532143e962d1f289c122
-
SHA512
eb72003d8ee4fbc469a8a735af81317721dfe96a4dc67f2b5c6f1b4c1c24870d2581aaee3c2641495969ad699a66b8235dcb1a356099e5c39ef5a8c7c158b86d
-
SSDEEP
1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS88k:MOemdTd1o74qlmbbJ+x+Ik6k
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation 815c519c72a50051d4cebaff3f4d2810N.exe -
Executes dropped EXE 1 IoCs
pid Process 1376 biudfw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 536 wrote to memory of 1376 536 815c519c72a50051d4cebaff3f4d2810N.exe 86 PID 536 wrote to memory of 1376 536 815c519c72a50051d4cebaff3f4d2810N.exe 86 PID 536 wrote to memory of 1376 536 815c519c72a50051d4cebaff3f4d2810N.exe 86 PID 536 wrote to memory of 4168 536 815c519c72a50051d4cebaff3f4d2810N.exe 87 PID 536 wrote to memory of 4168 536 815c519c72a50051d4cebaff3f4d2810N.exe 87 PID 536 wrote to memory of 4168 536 815c519c72a50051d4cebaff3f4d2810N.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\815c519c72a50051d4cebaff3f4d2810N.exe"C:\Users\Admin\AppData\Local\Temp\815c519c72a50051d4cebaff3f4d2810N.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Users\Admin\AppData\Local\Temp\biudfw.exe"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"2⤵
- Executes dropped EXE
PID:1376
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "2⤵PID:4168
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD5d01e044199a78c5a0e694a9d6d00939a
SHA1d1ad46e2affc5f49efe9a7286aca29fba5ebe244
SHA256838efc26193998a2c55653f6e9c4a73d799863d502cc2ae324341ef32dbfcf10
SHA5128f9917d0473dcf5c3e7c5f568f81a4a35045616fed908a699ea3914ab468bd123034c717d80beaa1fbfe9a96dbdec08d38983b83700afaca8e64c524e33dd09a
-
Filesize
512B
MD57cdc8777d33db85bc19aefb64879a7f7
SHA1f2d494d4dfe93a05eb58513935196e8578648adf
SHA2569af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
SHA51234b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f
-
Filesize
276B
MD520b1348571562bbb719adce0f53c43ed
SHA1a1fe8a193779dc356c90cc83bc978f6eebfd2a29
SHA2567d4b8fa2e4deff14dfd4ed3be2497311350d8b32622d11164521b1994301f8d9
SHA512101adf1a271656ada5d9651092cfa2009c603ebefc7a981e63b1dc776122a0b57ce5beef396721120ec10f3e620c937c38c4daeeb79c04daa306986fe4925e71