Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 26-07-2024 19:06
Static task: static1
Behavioral task: behavioral1
- Sample: 44c9bd93e92e7fefccea46323b3a3dd0N.exe
- Resource: win7-20240708-en
General
- Target: 44c9bd93e92e7fefccea46323b3a3dd0N.exe
- Size: 51KB
- MD5: 44c9bd93e92e7fefccea46323b3a3dd0
- SHA1: f3d13dd52e654060570a65f87d1a85ee976a6cb6
- SHA256: 554d184034b79d48995612b49131724bbadbddef3ebc7109aaa92a053dc5fa53
- SHA512: b95990e28c68c56425851dd9b33123c52f964074abce9ebd1a14fd549ff792d63926601e49293871835693c4d69847c1e4fe48243a6b1043a5507e846cdb57a1
- SSDEEP: 1536:lVeVFl6sRsDnQi1Mek/pFRMfKaP7cFwQkXuJXqmrZ3:v23sD1vSP6cOYXqmB
Malware Config
Extracted: urelas
- 218.54.47.76
- 218.54.47.77
- 218.54.47.74
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2832)
- Executes dropped EXE (1 IoC)
  Processes: biudfw.exe (PID 2808)
- Loads dropped DLL (1 IoC)
  Processes: 44c9bd93e92e7fefccea46323b3a3dd0N.exe (PID 2996)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 44c9bd93e92e7fefccea46323b3a3dd0N.exe, biudfw.exe, cmd.exe
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  44c9bd93e92e7fefccea46323b3a3dd0N.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  biudfw.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 44c9bd93e92e7fefccea46323b3a3dd0N.exe
  description                        pid   process                                 target process
  PID 2996 wrote to memory of 2808   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   biudfw.exe
  PID 2996 wrote to memory of 2808   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   biudfw.exe
  PID 2996 wrote to memory of 2808   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   biudfw.exe
  PID 2996 wrote to memory of 2808   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   biudfw.exe
  PID 2996 wrote to memory of 2832   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   cmd.exe
  PID 2996 wrote to memory of 2832   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   cmd.exe
  PID 2996 wrote to memory of 2832   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   cmd.exe
  PID 2996 wrote to memory of 2832   2996  44c9bd93e92e7fefccea46323b3a3dd0N.exe   cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe"
  PID: 2996
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\biudfw.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    PID: 2808
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2832
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 512B
  MD5: 7c1d9e0f564b1e893792dcef5f902a27
  SHA1: f8ff96c98d41f1ce0a31d78f56796284c5e47e3d
  SHA256: c0b7315aed511cab0685b0bbbcfa2cb7f3e9c36e58f6d7f1576fad807800add7
  SHA512: ef6a5eccec808909c7317359908b6cb46e8e074aff903114988b00a237180606257545bd36e5cea9521b13ba19923cd768a3d701f7fdf391a4bd41cdec606fba
- File 2
  Filesize: 276B
  MD5: bd5a3a3e212c7f7067b6571206fcec22
  SHA1: 87362202e8eed65d3dc43375e7b1a7eef11dd138
  SHA256: 1652c2c9de37f08ac0713a49a1adc4ed77436f9f22c5f0205301de98dbbced35
  SHA512: 42e6f022ac8d476359fef93fd6c2fc5b3e68fc177b72c5d156d067781cf2f06c423e9a3bbce619eaa0b88b3a6c818558ef2ab2ad3c7d3b298155caf060d88b98
- File 3
  Filesize: 51KB
  MD5: 32ebc69ac1d8ef61ac2b8cdbf7036421
  SHA1: 34595f5d012b44a5d66b6006fbc19b33f1b01c23
  SHA256: 55dddc487d1674623c196b667bbd3d99b543da11c1121f98890b0915c598ba55
  SHA512: e7e89509bba17fe64d589ddc4710c895460574a974f6ab4c3b7419c76986afc983a8dae7ce35d69ae741ccc7d243345c0fdb95e8dd96f5126653c4e0421e3fb3