Analysis
- max time kernel: 90s
- max time network: 93s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 28-07-2024 01:00
Behavioral task: behavioral1
- Sample: 28e3fb0f8918c048ca6a45a9757344f0N.exe
- Resource: win7-20240704-en
General
- Target: 28e3fb0f8918c048ca6a45a9757344f0N.exe
- Size: 84KB
- MD5: 28e3fb0f8918c048ca6a45a9757344f0
- SHA1: 09123b83a573b68247bc685ff893eff057059fa8
- SHA256: 4b644a0cbd0addb992f9fe65f22ef27f72e3a3e62e09f4640a02f981a2551c29
- SHA512: a575aaf011bf413f4d6ba64149f3a82beb933d2d7d96e403b4e269fcd85a1fdea4aed93f25adf55def98e14a26edc5fe02d46892e26c97f2ce8fcc76a5c04288
- SSDEEP: 1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURV:JznH976dUCnuniDJ
Malware Config
Extracted
- Family: urelas
- 112.175.88.207
- 112.175.88.208
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid 2088: cmd.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 548: huter.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 2292: 28e3fb0f8918c048ca6a45a9757344f0N.exe
- Processes (resource / yara_rule):
    behavioral1/memory/2292-0-0x0000000000400000-0x0000000000431000-memory.dmp / upx
    C:\Users\Admin\AppData\Local\Temp\huter.exe / upx
    behavioral1/memory/2292-18-0x0000000000400000-0x0000000000431000-memory.dmp / upx
    behavioral1/memory/548-10-0x0000000000400000-0x0000000000431000-memory.dmp / upx
    behavioral1/memory/548-21-0x0000000000400000-0x0000000000431000-memory.dmp / upx
    behavioral1/memory/548-23-0x0000000000400000-0x0000000000431000-memory.dmp / upx
    behavioral1/memory/548-29-0x0000000000400000-0x0000000000431000-memory.dmp / upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / 28e3fb0f8918c048ca6a45a9757344f0N.exe
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / huter.exe
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
    PID 2292 wrote to memory of 548 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / huter.exe
    PID 2292 wrote to memory of 548 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / huter.exe
    PID 2292 wrote to memory of 548 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / huter.exe
    PID 2292 wrote to memory of 548 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / huter.exe
    PID 2292 wrote to memory of 2088 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / cmd.exe
    PID 2292 wrote to memory of 2088 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / cmd.exe
    PID 2292 wrote to memory of 2088 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / cmd.exe
    PID 2292 wrote to memory of 2088 / 2292 / 28e3fb0f8918c048ca6a45a9757344f0N.exe / cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\28e3fb0f8918c048ca6a45a9757344f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28e3fb0f8918c048ca6a45a9757344f0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2292
  - C:\Users\Admin\AppData\Local\Temp\huter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 548
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: a01dba4c45102fc15292fd5591166536
  SHA1: d96191c30e0f09439d8547f4ededbf6726ccd54b
  SHA256: cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
  SHA512: 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32
- Filesize: 84KB
  MD5: 62924b2bf0bc53bd636e67d0ba41bed7
  SHA1: bbb04c61c0170bf662b61fc766ba139eb7e56326
  SHA256: e2fb6f6184ad65be8efe575cef01b16925a69c551753cd393671eca6ae1ecbf1
  SHA512: dbb1ea298cff577b21db37e7b3ea98b6cf7765541794e469590ab78d084dd635fe3cd4dc5e35722289089079918343d1f94db975bce0cea91b4aed0380493ea2
- Filesize: 276B
  MD5: 781ea12e9401bfcfe3102c74466e1782
  SHA1: 73df23cdb01e1345be2a8ddc1290dab4c0985af6
  SHA256: e9a894896bc9a820d7759f593cae26dbe3769e21a1cccdbeea95ce826b34db48
  SHA512: 9008c1f2538ef9c38847429255067ee06208fc8de0a144b436a87da68e24576d05865b33017f2893e6a68d3887bd23255774f9d4b19b370a80e2d9770ec09e2d