Analysis
max time kernel: 105s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 23:20
Static task: static1
Behavioral task: behavioral1
Sample: 6914ce5eb27b92b5ce458c06eac964b0N.exe
Resource: win7-20240705-en
General
Target: 6914ce5eb27b92b5ce458c06eac964b0N.exe
Size: 69KB
MD5: 6914ce5eb27b92b5ce458c06eac964b0
SHA1: 15c16d67e68b6000511a9436957b9e392d562cf5
SHA256: 4fcf1ad0f4dbe5bc30c644767e49e3eeb459636963d22778f83cb346b8e05577
SHA512: 9f549ffc2bccff68367372e3ce7ca39fab7ac1e3b8b4a312af29a4fd55eb40ab6f6ca41626fea31c45da21111a6cbd8d62936689335d548c6be6dc6855d8cfa8
SSDEEP: 1536:v6fqsAPQYGmPzmZDDZrV8sMQXGkfn33n7z5WeIuhCarawi:yLAYUzmdD0sMQl7d7IuhCae1
Malware Config
Extracted: urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 6914ce5eb27b92b5ce458c06eac964b0N.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 6914ce5eb27b92b5ce458c06eac964b0N.exe

Executes dropped EXE (1 IoC)
Processes: biudfw.exe
  pid | process
  4400 | biudfw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 6914ce5eb27b92b5ce458c06eac964b0N.exe, biudfw.exe, cmd.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6914ce5eb27b92b5ce458c06eac964b0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | biudfw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 6914ce5eb27b92b5ce458c06eac964b0N.exe
  description | pid | process | target process
  PID 2532 wrote to memory of 4400 | 2532 | 6914ce5eb27b92b5ce458c06eac964b0N.exe | biudfw.exe
  PID 2532 wrote to memory of 4400 | 2532 | 6914ce5eb27b92b5ce458c06eac964b0N.exe | biudfw.exe
  PID 2532 wrote to memory of 4400 | 2532 | 6914ce5eb27b92b5ce458c06eac964b0N.exe | biudfw.exe
  PID 2532 wrote to memory of 3128 | 2532 | 6914ce5eb27b92b5ce458c06eac964b0N.exe | cmd.exe
  PID 2532 wrote to memory of 3128 | 2532 | 6914ce5eb27b92b5ce458c06eac964b0N.exe | cmd.exe
  PID 2532 wrote to memory of 3128 | 2532 | 6914ce5eb27b92b5ce458c06eac964b0N.exe | cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6914ce5eb27b92b5ce458c06eac964b0N.exe"
  PID: 2532
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      PID: 4400
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 3128
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 69KB
MD5: e28336858b9393da2039bf3b375ffc7d
SHA1: d34db99937b9906f09d61d35d19e91100307100e
SHA256: c37513850fb763929806007d76d070b4670e46d961ca9f67949a8c9514603514
SHA512: a4f95346b70e1957e7a9c4e74e80e04a13bad93430e3bf7a50f80714fcb92e8cbfffc7956a7024e0cdcbd12c1530013a83dcaab8693244fcd2883517da8d6048

Filesize: 512B
MD5: 1c9b2720af0ca9528b47898d9c7f4799
SHA1: 80495f16e333f54ecc700252323c2a7cb7d751e1
SHA256: d1ea9a17b5a635a121e82e7963d3b134f74050da9debcd40c9622f50c5d38fe5
SHA512: 5afe876f2cd887458656b1747bce08d03f26ef286bcc83efa93e0111be856d0564bee4d6ef5637c167626bac121f7371b69c7952502d47784ac9ad568bf53eac

Filesize: 276B
MD5: 55cceab02cdd862011c08a2718d97bf0
SHA1: 52d86666f6684acab0bacafbf4c97cdc4e500019
SHA256: 184375989cfb2b460331312fad8f72037fc45e3c9d7df9738ed497114229808d
SHA512: f330bcd3a607e4e1275dadea380e74e693f62e2da13b245e91eef54e851504df9260da555ab6f50bdf17d26ee6b28699f4d72c2c6bc264b44be38be92472e0bb