Analysis

max time kernel: 105s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-07-2024 01:00
Behavioral task: behavioral1
Sample: 28e3fb0f8918c048ca6a45a9757344f0N.exe
Resource: win7-20240704-en
General

Target: 28e3fb0f8918c048ca6a45a9757344f0N.exe
Size: 84KB
MD5: 28e3fb0f8918c048ca6a45a9757344f0
SHA1: 09123b83a573b68247bc685ff893eff057059fa8
SHA256: 4b644a0cbd0addb992f9fe65f22ef27f72e3a3e62e09f4640a02f981a2551c29
SHA512: a575aaf011bf413f4d6ba64149f3a82beb933d2d7d96e403b4e269fcd85a1fdea4aed93f25adf55def98e14a26edc5fe02d46892e26c97f2ce8fcc76a5c04288
SSDEEP: 1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURV:JznH976dUCnuniDJ
Malware Config

Extracted: urelas
112.175.88.207
112.175.88.208
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 28e3fb0f8918c048ca6a45a9757344f0N.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 28e3fb0f8918c048ca6a45a9757344f0N.exe

Executes dropped EXE (1 IoCs)
Processes: huter.exe
pid | process
5020 | huter.exe

Processes:
resource | yara_rule
behavioral2/memory/5056-0-0x0000000000400000-0x0000000000431000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\huter.exe | upx
behavioral2/memory/5020-14-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/5056-17-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/5020-20-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/5020-22-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/5020-28-0x0000000000400000-0x0000000000431000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 28e3fb0f8918c048ca6a45a9757344f0N.exe, huter.exe, cmd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 28e3fb0f8918c048ca6a45a9757344f0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | huter.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 28e3fb0f8918c048ca6a45a9757344f0N.exe
description | pid | process | target process
PID 5056 wrote to memory of 5020 | 5056 | 28e3fb0f8918c048ca6a45a9757344f0N.exe | huter.exe
PID 5056 wrote to memory of 5020 | 5056 | 28e3fb0f8918c048ca6a45a9757344f0N.exe | huter.exe
PID 5056 wrote to memory of 5020 | 5056 | 28e3fb0f8918c048ca6a45a9757344f0N.exe | huter.exe
PID 5056 wrote to memory of 1456 | 5056 | 28e3fb0f8918c048ca6a45a9757344f0N.exe | cmd.exe
PID 5056 wrote to memory of 1456 | 5056 | 28e3fb0f8918c048ca6a45a9757344f0N.exe | cmd.exe
PID 5056 wrote to memory of 1456 | 5056 | 28e3fb0f8918c048ca6a45a9757344f0N.exe | cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\28e3fb0f8918c048ca6a45a9757344f0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\28e3fb0f8918c048ca6a45a9757344f0N.exe"
  PID: 5056
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\huter.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    PID: 5020
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 1456
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: a01dba4c45102fc15292fd5591166536
SHA1: d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256: cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512: 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Filesize: 84KB
MD5: 8d2b763cb996b36665ba69fd9f28a66c
SHA1: 7a577fb2264a1828acadc8adf2a44b181b55357d
SHA256: bd30916c5612618253882aa9a26dccbb0fe583f360e1b4cfd5f9cd36deb3a541
SHA512: 22cdf8ea438e3fee7598ff947940286a2f2da759e796ce62759f1a06a9bcbcf7ccbc5570866533fa363c110359347d44e98c5a6a15d62b3bef7ce8552f7ed116

Filesize: 276B
MD5: 781ea12e9401bfcfe3102c74466e1782
SHA1: 73df23cdb01e1345be2a8ddc1290dab4c0985af6
SHA256: e9a894896bc9a820d7759f593cae26dbe3769e21a1cccdbeea95ce826b34db48
SHA512: 9008c1f2538ef9c38847429255067ee06208fc8de0a144b436a87da68e24576d05865b33017f2893e6a68d3887bd23255774f9d4b19b370a80e2d9770ec09e2d