Analysis
max time kernel: 91s
max time network: 96s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 08:12
Static task: static1
Behavioral task: behavioral1
Sample: acf28e718581966b6f116d765656eb30N.exe
Resource: win7-20240704-en
General
Target: acf28e718581966b6f116d765656eb30N.exe
Size: 56KB
MD5: acf28e718581966b6f116d765656eb30
SHA1: ff3aadbe4a294cafb424e7a06df54dab563d2639
SHA256: ab523b44bb896976cbd004767f37aaf5475fdb212156c61276dce81c8b9a77d4
SHA512: 2b034f9f2a218fdcb4bd2e88bc5a2f21dac4793bab2076cef730e41a1c4be934f4f4676032f3107e86d914483757be73a258244a7ce67f931feb623186d9ad74
SSDEEP: 1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8Ha:MOemdTd1o74qlmbbJ+x+IkJa
Malware Config
Extracted config (urelas):
  218.54.47.76
  218.54.47.77
  218.54.47.74
Signatures

Deletes itself (1 IoC)
Processes:
  pid  | process
  2432 | cmd.exe

Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  2084 | biudfw.exe

Loads dropped DLL (1 IoC)
Processes:
  pid  | process
  2064 | acf28e718581966b6f116d765656eb30N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes: acf28e718581966b6f116d765656eb30N.exe, biudfw.exe, cmd.exe
  description | ioc                                                            | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | acf28e718581966b6f116d765656eb30N.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | biudfw.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    | cmd.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: acf28e718581966b6f116d765656eb30N.exe
  description                      | pid  | process                               | target process
  PID 2064 wrote to memory of 2084 | 2064 | acf28e718581966b6f116d765656eb30N.exe | biudfw.exe
  PID 2064 wrote to memory of 2084 | 2064 | acf28e718581966b6f116d765656eb30N.exe | biudfw.exe
  PID 2064 wrote to memory of 2084 | 2064 | acf28e718581966b6f116d765656eb30N.exe | biudfw.exe
  PID 2064 wrote to memory of 2084 | 2064 | acf28e718581966b6f116d765656eb30N.exe | biudfw.exe
  PID 2064 wrote to memory of 2432 | 2064 | acf28e718581966b6f116d765656eb30N.exe | cmd.exe
  PID 2064 wrote to memory of 2432 | 2064 | acf28e718581966b6f116d765656eb30N.exe | cmd.exe
  PID 2064 wrote to memory of 2432 | 2064 | acf28e718581966b6f116d765656eb30N.exe | cmd.exe
  PID 2064 wrote to memory of 2432 | 2064 | acf28e718581966b6f116d765656eb30N.exe | cmd.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acf28e718581966b6f116d765656eb30N.exe"
  PID: 2064
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      PID: 2084
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 2432
      - Deletes itself
      - System Location Discovery: System Language Discovery
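The process tree above is the part of this report a detection engineer would reuse: a sample running out of the user's Temp directory spawns a dropped EXE from the same directory, then a cmd.exe whose only job is to run a .bat from Temp (the "Deletes itself" step). The following is an added example, not part of the sandbox report or of the sandbox's own signature engine: it encodes those two relationships as rules and runs them over constructed, Sysmon-style process-creation events that mirror the tree (plus two benign events). The field names pid, ppid, image and cmdline are assumptions modelled on Sysmon Event ID 1.

```python
# Added example: detection logic for the process chain shown in the report,
# evaluated over constructed Sysmon-style process-creation events.
# Field names (pid, ppid, image, cmdline) are assumptions, not the sandbox schema.
import re
from dataclasses import dataclass

# <drive>:\Users\<user>\AppData\Local\Temp\ for any user, case-insensitive.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Batch file handed to "cmd /c"; tolerates the doubled quotes seen in the report.
CMD_BAT_RE = re.compile(r'/c\s+"*([^"]+?\.bat)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line of the new process


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(path))


def bat_from_cmdline(cmdline: str):
    """Return the .bat path passed to 'cmd /c', or None."""
    m = CMD_BAT_RE.search(cmdline)
    return m.group(1) if m else None


def classify(event: ProcEvent, by_pid: dict) -> list:
    """Return the rule names an event matches, given its parent in by_pid."""
    parent = by_pid.get(event.ppid)
    # Both rules require the parent to be running out of the user's Temp dir.
    if parent is None or not in_user_temp(parent.image):
        return []
    hits = []
    if event.image.lower().endswith("\\cmd.exe"):
        bat = bat_from_cmdline(event.cmdline)
        if bat and in_user_temp(bat):
            hits.append("temp_parent_runs_temp_bat")   # self-delete pattern
    elif in_user_temp(event.image):
        hits.append("temp_parent_spawns_temp_exe")     # dropped-EXE pattern
    return hits


def detect(events: list) -> dict:
    """Map pid -> matched rule names for every event that matched something."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        hits = classify(e, by_pid)
        if hits:
            findings[e.pid] = hits
    return findings


def sample_events() -> list:
    """Constructed events mirroring the report's tree, plus benign ones."""
    temp = r"C:\Users\Admin\AppData\Local\Temp"
    return [
        ProcEvent(2064, 1000, rf"{temp}\acf28e718581966b6f116d765656eb30N.exe",
                  rf'"{temp}\acf28e718581966b6f116d765656eb30N.exe"'),
        ProcEvent(2084, 2064, rf"{temp}\biudfw.exe", rf'"{temp}\biudfw.exe"'),
        ProcEvent(2432, 2064, r"C:\Windows\SysWOW64\cmd.exe",
                  rf'cmd /c ""{temp}\sanfdr.bat" "'),
        # Benign (constructed): notepad from explorer, and an installer in Temp
        # running a batch file that is NOT in Temp, so neither rule should fire.
        ProcEvent(3000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
        ProcEvent(2500, 1000, rf"{temp}\setup_tmp.exe", rf'"{temp}\setup_tmp.exe"'),
        ProcEvent(3100, 2500, r"C:\Windows\System32\cmd.exe",
                  r'cmd /c "C:\Program Files\Tool\setup.bat"'),
    ]


if __name__ == "__main__":
    for pid, hits in detect(sample_events()).items():
        print(pid, hits)
```

Both rules key on the parent image path rather than on the file names seen here (biudfw.exe, sanfdr.bat), since those are per-sample; the self-delete rule deliberately does not require the batch file to still exist, because by the time an alert is triaged it usually does not.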
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: 7cdc8777d33db85bc19aefb64879a7f7
SHA1: f2d494d4dfe93a05eb58513935196e8578648adf
SHA256: 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
SHA512: 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f

Filesize: 276B
MD5: 1c644509f50a95e09933bf8ed8b1dedb
SHA1: 62c73d2fa1960469d7fb4680c2bc735f1d56ce71
SHA256: d94ff3c021f239a0e3726aca73472a472afdb1cf6d004347cb2d9f53914b8525
SHA512: bcddf3479074caf029c6f46369fabbedac2b5c56d1728980c4a77c2db113cfd615cc2a2ff4a183b58534caa0d7fe522279b24b6f840d04c1a3236923cac64ddf

Filesize: 56KB
MD5: a2a81ccaa4d0ae43969ccd5b7ed24c05
SHA1: cf2f95fe73d2e740b4cd1a8a663e834d2293adde
SHA256: de93351a17cc372daec90f4aa3bfbe084b5d9bf19572550c30141367b05aebd6
SHA512: fb7860ac9942a2448588e29eccf16d23cbb2e67da17eb0d805b66c6d533fe73b6e638361d6233db6babc49c3385554019ff060234921c252270c195a5d9cb2ed