Analysis
- max time kernel: 103s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-07-2024 07:07
- Static task: static1
- Behavioral task: behavioral1
  Sample: 68d69faf6220c50a95de6b54815474f0N.exe
  Resource: win7-20240704-en
General
- Target: 68d69faf6220c50a95de6b54815474f0N.exe
- Size: 91KB
- MD5: 68d69faf6220c50a95de6b54815474f0
- SHA1: f5913e186c2b40d230149ae9b77beb0be3514036
- SHA256: 01f890783b8750e10b5c62cc087e5fbeb7b924bca6ecb2e522351831a919bcc1
- SHA512: e6f14fb6c54f0a36e3a53ed545523bc5309c61af5a6415b5ab62e043924d41bd0fd3b0bf4f98295ace4cdc1daf9c2bd8bd16af535284474e35b224280bcc5ed2
- SSDEEP: 768:2geZ5QeklJQ35pPRuIkUD1sYAQ/TN71N1adOZSHj9jaSCpOzIi7D8kUUUNUE0:heZqP25TuIfmS7Fv1aUZSD9yiIHq
Malware Config
Extracted (urelas):
- 218.54.28.139
- 121.88.5.183
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
    process: 68d69faf6220c50a95de6b54815474f0N.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 828
    process: poldge.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 68d69faf6220c50a95de6b54815474f0N.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by poldge.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1224 wrote to memory of 828: 68d69faf6220c50a95de6b54815474f0N.exe -> poldge.exe
    PID 1224 wrote to memory of 828: 68d69faf6220c50a95de6b54815474f0N.exe -> poldge.exe
    PID 1224 wrote to memory of 828: 68d69faf6220c50a95de6b54815474f0N.exe -> poldge.exe
    PID 1224 wrote to memory of 2140: 68d69faf6220c50a95de6b54815474f0N.exe -> cmd.exe
    PID 1224 wrote to memory of 2140: 68d69faf6220c50a95de6b54815474f0N.exe -> cmd.exe
    PID 1224 wrote to memory of 2140: 68d69faf6220c50a95de6b54815474f0N.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68d69faf6220c50a95de6b54815474f0N.exe"
  PID: 1224
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\poldge.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
    PID: 828
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2140
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: 3f372385bf24b44385f4b1251d3aca4d
  SHA1: 83546de6ba8f20bd08a15896d34f6242ed64352f
  SHA256: b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27
  SHA512: d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7
- Filesize: 91KB
  MD5: 4bdde19067b5e16fa93dca96bdb7b84e
  SHA1: f3d9aaa8246a6d3347b5b53d7ef1c48be136540c
  SHA256: 8c5bb96551cd756a6e8fbcd0d1f46ac1816b6d571f8dc73472063f686f95be7a
  SHA512: c3f009d3f5d1bdf42e3be580ee6e23a6d9fcc1f0722df17814a58e4e4f4e7714f3ceca9fa196eeb656434dbe4fcca89dd6f05de29e86a766e7b573acb5a205a2
- Filesize: 276B
  MD5: dff8e39ed48c596107b0527450202ab2
  SHA1: f5442f78bf9926ecfa56152e4ebbc1e1af041f8e
  SHA256: 174bac57d3f72e76634e3babdc911b9742e05fb62810425075aef9e0944d1768
  SHA512: dd9d73e9a020dbd3b081a6665078a1e68e68e5d1041c52a51ce1f326f0b9e0694a488d11c91554cad4861e008c16d9a8a6ad6f961af5788729572f0078f05b09