Analysis
Max time kernel: 89s
Max time network: 91s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 28-07-2024 06:26
Static task: static1
Behavioral task: behavioral1
Sample: 62047ff726957cde33910db4cdabccc0N.exe
Resource (behavioral task): win7-20240708-en
General
Target: 62047ff726957cde33910db4cdabccc0N.exe
Size: 63KB
MD5: 62047ff726957cde33910db4cdabccc0
SHA1: c3a79aa47a19c6c0a9a023a72cbec50b03f8e1f5
SHA256: 2a61b9a53eab4f3367910d640a56f91efed198375bd01e2a66f0c3dc303f268d
SHA512: 6b07ce1a9c1a7f8afea4f0d6c4bc102abfd68d83621f12f97c2994b2c35cf05f0ba7efe9df2237aac8f05901b69cb060cb20d0d5da6c50c7eb0e08bcb317b139
SSDEEP: 1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTmx:6bQRSHpAvzyf7MzeTO
Malware Config
Extracted family: urelas
Extracted addresses: 218.54.47.76, 218.54.47.77, 218.54.47.74
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe (PID 2148)

Executes dropped EXE (1 IoC)
Processes: biudfw.exe (PID 2776)

Loads dropped DLL (1 IoC)
Processes: 62047ff726957cde33910db4cdabccc0N.exe (PID 2252)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, 62047ff726957cde33910db4cdabccc0N.exe, biudfw.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 62047ff726957cde33910db4cdabccc0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: biudfw.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 62047ff726957cde33910db4cdabccc0N.exe
- PID 2252 (62047ff726957cde33910db4cdabccc0N.exe) wrote to memory of PID 2776 (biudfw.exe), recorded 4 times
- PID 2252 (62047ff726957cde33910db4cdabccc0N.exe) wrote to memory of PID 2148 (cmd.exe), recorded 4 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\62047ff726957cde33910db4cdabccc0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\62047ff726957cde33910db4cdabccc0N.exe"
   PID: 2252
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      PID: 2776
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 2148
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads