Analysis
-
max time kernel
69s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
28-07-2024 07:07
Static task
static1
Behavioral task
behavioral1
Sample
68d69faf6220c50a95de6b54815474f0N.exe
Resource
win7-20240704-en
General
-
Target
68d69faf6220c50a95de6b54815474f0N.exe
-
Size
91KB
-
MD5
68d69faf6220c50a95de6b54815474f0
-
SHA1
f5913e186c2b40d230149ae9b77beb0be3514036
-
SHA256
01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1
-
SHA512
e6f14fb6c54f0a36e3a53ed545523bc5309c61af5a6415b5ab62e043924d41bd0fd3b0bf4f98295ace4cdc1daf9c2bd8bd16af535284474e35b224280bcc5ed2
-
SSDEEP
768:2geZ5QeklJQ35pPRuIkUD1sYAQ/TN71N1adOZSHj9jaSCpOzIi7D8kUUUNUE0:heZqP25TuIfmS7Fv1aUZSD9yiIHq
Malware Config
Extracted
urelas
218.54.28.139
121.88.5.183
Signatures
-
Deletes itself 1 IoCs
Processes (pid, process):
2228 cmd.exe -
Executes dropped EXE 1 IoCs
Processes (pid, process):
2440 poldge.exe -
Loads dropped DLL 1 IoCs
Processes (pid, process):
1624 68d69faf6220c50a95de6b54815474f0N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes (description, ioc, process):
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poldge.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  68d69faf6220c50a95de6b54815474f0N.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description, pid, process, target process):
PID 1624 wrote to memory of 2440  1624  68d69faf6220c50a95de6b54815474f0N.exe  poldge.exe
PID 1624 wrote to memory of 2440  1624  68d69faf6220c50a95de6b54815474f0N.exe  poldge.exe
PID 1624 wrote to memory of 2440  1624  68d69faf6220c50a95de6b54815474f0N.exe  poldge.exe
PID 1624 wrote to memory of 2440  1624  68d69faf6220c50a95de6b54815474f0N.exe  poldge.exe
PID 1624 wrote to memory of 2228  1624  68d69faf6220c50a95de6b54815474f0N.exe  cmd.exe
PID 1624 wrote to memory of 2228  1624  68d69faf6220c50a95de6b54815474f0N.exe  cmd.exe
PID 1624 wrote to memory of 2228  1624  68d69faf6220c50a95de6b54815474f0N.exe  cmd.exe
PID 1624 wrote to memory of 2228  1624  68d69faf6220c50a95de6b54815474f0N.exe  cmd.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624 -
2. C:\Users\Admin\AppData\Local\Temp\poldge.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440
-
-
2. C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2228
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
512B
MD5 3f372385bf24b44385f4b1251d3aca4d
SHA1 83546de6ba8f20bd08a15896d34f6242ed64352f
SHA256 b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
SHA512 d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7
-
Filesize
276B
MD5 dff8e39ed48c596107b0527450202ab2
SHA1 f5442f78bf9926ecfa56152e4ebbc1e1af041f8e
SHA256 174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768
SHA512 dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09
-
Filesize
91KB
MD5 3083e7bd8495296f665b4764a22f4df6
SHA1 3c3d49e1090e3cf53c5cd4c181c318a08092c139
SHA256 09eced2ce52e1af674c0a8637a5f9924050fc22e77da83b229bae5df9bbdb715
SHA512 3fc96c81d4d5f9b2182f72ecd5b244e3268fbdb4ec9076c7ddaf2c04abf3587e3ac6ec57eb75a359b10698cb19ed2cc31353ab276d102b04a86abb0f626741a2