Analysis
max time kernel: 89s
max time network: 93s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 23:20

Static task: static1
Behavioral task: behavioral1
Sample: 6914ce5eb27b92b5ce458c06eac964b0N.exe
Resource: win7-20240705-en

General
Target: 6914ce5eb27b92b5ce458c06eac964b0N.exe
Size: 69KB
MD5: 6914ce5eb27b92b5ce458c06eac964b0
SHA1: 15c16d67e68b6000511a9436957b9e392d562cf5
SHA256: 4fcf1ad0f4dbe5bc30c644767e49e3eeb459636963d22778f83cb346b8e05577
SHA512: 9f549ffc2bccff68367372e3ce7ca39fab7ac1e3b8b4a312af29a4fd55eb40ab6f6ca41626fea31c45da21111a6cbd8d62936689335d548c6be6dc6855d8cfa8
SSDEEP: 1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarawi:yLAYUzmdD0sMQl7d7IuhCae1
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures

Deletes itself (1 IoC)
Processes:
  pid   process
  1936  cmd.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2536  biudfw.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2412  6914ce5eb27b92b5ce458c06eac964b0N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  6914ce5eb27b92b5ce458c06eac964b0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  biudfw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                                 target process
  PID 2412 wrote to memory of 2536   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   biudfw.exe
  PID 2412 wrote to memory of 2536   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   biudfw.exe
  PID 2412 wrote to memory of 2536   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   biudfw.exe
  PID 2412 wrote to memory of 2536   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   biudfw.exe
  PID 2412 wrote to memory of 1936   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   cmd.exe
  PID 2412 wrote to memory of 1936   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   cmd.exe
  PID 2412 wrote to memory of 1936   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   cmd.exe
  PID 2412 wrote to memory of 1936   2412  6914ce5eb27b92b5ce458c06eac964b0N.exe   cmd.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"
    PID: 2412
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\biudfw.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
        PID: 2536
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
        PID: 1936
        - Deletes itself
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: 1c9b2720af0ca9528b47898d9c7f4799
SHA1: 80495f16e333f54ecc700252323c2a7cb7d751e1
SHA256: d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5
SHA512: 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Filesize: 276B
MD5: 55cceab02cdd862011c08a2718d97bf0
SHA1: 52d86666f6684acab0bacafbf4c97cdc4e500019
SHA256: 184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d
SHA512: f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb

Filesize: 69KB
MD5: 00989879661bf8eed1d769b7f672f29f
SHA1: d54ada255aafd9e1c92fb7205b79c248cf4d8d31
SHA256: 2175a4627de5fef0306944bf686f707068639f9a2593160340db6404202f7df7
SHA512: 2d0a5cb5dc8e6e42d3b159e95842a12b20caa27ff6123b606c991396172251c62542fe1fa62f7df337dced59766695163c66f9a8ede29891a09e8f8a47ac7c8c