Analysis
max time kernel: 117s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 19:06
Static task: static1
Behavioral task: behavioral1
Sample: 44c9bd93e92e7fefccea46323b3a3dd0N.exe
Resource: win7-20240708-en
General
Target: 44c9bd93e92e7fefccea46323b3a3dd0N.exe
Size: 51KB
MD5: 44c9bd93e92e7fefccea46323b3a3dd0
SHA1: f3d13dd52e654060570a65f87d1a85ee976a6cb6
SHA256: 554d184034b79d48995612b49131724bbadbddef3ebc7109aaa92a053dc5fa53
SHA512: b95990e28c68c56425851dd9b33123c52f964074abce9ebd1a14fd549ff792d63926601e49293871835693c4d69847c1e4fe48243a6b1043a5507e846cdb57a1
SSDEEP: 1536:lVeVFl6sRsDnQi1Mek/pFRMfKaP7cFwQkXuJXqmrZ3:v23sD1vSP6cOYXqmB
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 44c9bd93e92e7fefccea46323b3a3dd0N.exe

Executes dropped EXE (1 IoCs)
Processes:
pid | process
3660 | biudfw.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 44c9bd93e92e7fefccea46323b3a3dd0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | biudfw.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 4620 wrote to memory of 3660 | 4620 | 44c9bd93e92e7fefccea46323b3a3dd0N.exe | biudfw.exe
PID 4620 wrote to memory of 3660 | 4620 | 44c9bd93e92e7fefccea46323b3a3dd0N.exe | biudfw.exe
PID 4620 wrote to memory of 3660 | 4620 | 44c9bd93e92e7fefccea46323b3a3dd0N.exe | biudfw.exe
PID 4620 wrote to memory of 4752 | 4620 | 44c9bd93e92e7fefccea46323b3a3dd0N.exe | cmd.exe
PID 4620 wrote to memory of 4752 | 4620 | 44c9bd93e92e7fefccea46323b3a3dd0N.exe | cmd.exe
PID 4620 wrote to memory of 4752 | 4620 | 44c9bd93e92e7fefccea46323b3a3dd0N.exe | cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\44c9bd93e92e7fefccea46323b3a3dd0N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4620

   2. C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3660

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      - System Location Discovery: System Language Discovery
      PID: 4752
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 51KB
MD5: 91b3c72be0951c4d037ea66243d401e7
SHA1: fb07dcf7bf769575520f8f22d0a2d8d952504be6
SHA256: 9e15fac5d9a779cae065ef72a1ce29ac6f668732a2c4a93b762a67f4314c45c9
SHA512: 4960ed3142773ddcfa5aa37218fd34009dbfb1f59b514b3658216e29527fe4dcdf10f871c291b822f3f078c569473db979ace57908b940fda7871726712c7f53

Filesize: 512B
MD5: 7c1d9e0f564b1e893792dcef5f902a27
SHA1: f8ff96c98d41f1ce0a31d78f56796284c5e47e3d
SHA256: c0b7315aed511cab0685b0bbbcfa2cb7f3e9c36e58f6d7f1576fad807800add7
SHA512: ef6a5eccec808909c7317359908b6cb46e8e074aff903114988b00a237180606257545bd36e5cea9521b13ba19923cd768a3d701f7fdf391a4bd41cdec606fba

Filesize: 276B
MD5: bd5a3a3e212c7f7067b6571206fcec22
SHA1: 87362202e8eed65d3dc43375e7b1a7eef11dd138
SHA256: 1652c2c9de37f08ac0713a49a1adc4ed77436f9f22c5f0205301de98dbbced35
SHA512: 42e6f022ac8d476359fef93fd6c2fc5b3e68fc177b72c5d156d067781cf2f06c423e9a3bbce619eaa0b88b3a6c818558ef2ab2ad3c7d3b298155caf060d88b98