Analysis
max time kernel: 103s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 18:01
Static task: static1
Behavioral task: behavioral1
Sample: 3be6c4b2317679ba8ade29058dc762c0N.exe
Resource: win7-20240705-en
General
Target: 3be6c4b2317679ba8ade29058dc762c0N.exe
Size: 67KB
MD5: 3be6c4b2317679ba8ade29058dc762c0
SHA1: 4876576e4efcf4404fa0c10b02c4711c6d0b909d
SHA256: 9c05422800be0f885587377ea887fe550f2f7d43663e33159c3f2e361a7fa866
SHA512: bee8e39ca0ff56f9df8ea1ae85cdb44cc537a006190c02f707293a923d77b3b55c065909609007f102ffde92133350e6c917aa7a9d3964125fa46ef6fba7d343
SSDEEP: 1536:04/WgLAjdZsp+uChoLnDeoqYAJjvLFymnHsPet:l//AjMp+u2onejH2Pet
Malware Config
Extracted config (family: urelas):
- 218.54.47.76
- 218.54.47.77
- 218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- 3be6c4b2317679ba8ade29058dc762c0N.exe: key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Processes:
- biudfw.exe (PID 116)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- 3be6c4b2317679ba8ade29058dc762c0N.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- biudfw.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 2300 (3be6c4b2317679ba8ade29058dc762c0N.exe) wrote to memory of PID 116 (biudfw.exe), reported 3 times
- PID 2300 (3be6c4b2317679ba8ade29058dc762c0N.exe) wrote to memory of PID 1212 (cmd.exe), reported 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe (PID 2300, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3be6c4b2317679ba8ade29058dc762c0N.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\biudfw.exe (PID 116, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1212, level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads