Analysis
Max time kernel: 100s
Max time network: 104s
Platform: windows10-2004_x64
Resource: win10v2004-20240704-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-07-2024 06:26
Static task: static1
Behavioral task: behavioral1
Sample: 62047ff726957cde33910db4cdabccc0N.exe
Resource: win7-20240708-en
General
Target: 62047ff726957cde33910db4cdabccc0N.exe
Size: 63KB
MD5: 62047ff726957cde33910db4cdabccc0
SHA1: c3a79aa47a19c6c0a9a023a72cbec50b03f8e1f5
SHA256: 2a61b9a53eab4f3367910d640a56f91efed198375bd01e2a66f0c3dc303f268d
SHA512: 6b07ce1a9c1a7f8afea4f0d6c4bc102abfd68d83621f12f97c2994b2c35cf05f0ba7efe9df2237aac8f05901b69cb060cb20d0d5da6c50c7eb0e08bcb317b139
SSDEEP: 1536:6bQx5oPsr2vFxDPhAvzgAQzFZ77MzeTmx:6bQRSHpAvzyf7MzeTO
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 62047ff726957cde33910db4cdabccc0N.exe
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation; process: 62047ff726957cde33910db4cdabccc0N.exe
Executes dropped EXE (1 IoC)
Processes: biudfw.exe
- pid: 2456; process: biudfw.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, 62047ff726957cde33910db4cdabccc0N.exe, biudfw.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: cmd.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: 62047ff726957cde33910db4cdabccc0N.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: biudfw.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 62047ff726957cde33910db4cdabccc0N.exe
- description: PID 4068 wrote to memory of 2456; pid: 4068; process: 62047ff726957cde33910db4cdabccc0N.exe; target process: biudfw.exe
- description: PID 4068 wrote to memory of 2456; pid: 4068; process: 62047ff726957cde33910db4cdabccc0N.exe; target process: biudfw.exe
- description: PID 4068 wrote to memory of 2456; pid: 4068; process: 62047ff726957cde33910db4cdabccc0N.exe; target process: biudfw.exe
- description: PID 4068 wrote to memory of 1428; pid: 4068; process: 62047ff726957cde33910db4cdabccc0N.exe; target process: cmd.exe
- description: PID 4068 wrote to memory of 1428; pid: 4068; process: 62047ff726957cde33910db4cdabccc0N.exe; target process: cmd.exe
- description: PID 4068 wrote to memory of 1428; pid: 4068; process: 62047ff726957cde33910db4cdabccc0N.exe; target process: cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\62047ff726957cde33910db4cdabccc0N.exe (PID: 4068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\62047ff726957cde33910db4cdabccc0N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\biudfw.exe (PID: 2456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - Child: C:\Windows\SysWOW64\cmd.exe (PID: 1428)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 63KB
  MD5: f74a4d615920e474e1107553d221c62f
  SHA1: 0d973e6d3dddced91cb55b4a4f1bc6e53cb2bd07
  SHA256: 292cc6eeaa01be68d0126e400756b70ca4355e6baa2f1588839b4397bee9337d
  SHA512: eb7dde1df8478fbac8b9eb43b84d6f440b0d2ff57fe6ed2e30fe2933414a479a7f26ec03ea15c1bfe5f104adfb0862ff8f86e3d7150497007c9c239a27c6bb39
- Filesize: 512B
  MD5: efd90b3ac908d5482af367de3a82184a
  SHA1: de9f01d2ed0247b7b347e55c5a09721a60147fb9
  SHA256: 44f3db1bb73bb207a88008ae28d0399f888b5714ccccb2056f4148b4455e693d
  SHA512: 6e3355f895af1d81887d5750033c5a139e4a0e1c2c928aeef1fd37f9c191e754b1f524d252c229ea5e744dbef4dd0a8240d9d3443651d42de198e82a197afb02
- Filesize: 276B
  MD5: 331d9128048d683331e5fcedf7a312b5
  SHA1: e7933eefb989b83d24228475bfd485bd580e7671
  SHA256: cf37066b11b4d00b6679168810bde72c9c4893e94203549585aef55521a80b17
  SHA512: 096e541dfdee719747defe325dbd5486b313b94e7e63fa2b6ef1ba799f7d85ecbed8528a71839c4c98b92300cb163984674ed30967dc6e9e55c276c4430b26c3