Analysis
max time kernel: 89s
max time network: 77s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2024 22:23
Static task: static1
Behavioral task: behavioral1
Sample: 0d917d4356e49ad582f390894a45bdc0N.exe
Resource: win7-20240708-en
General
Target: 0d917d4356e49ad582f390894a45bdc0N.exe
Size: 55KB
MD5: 0d917d4356e49ad582f390894a45bdc0
SHA1: 3a3372a923573fcee7b87e493ba6d0a32000a379
SHA256: a142637f6eacebb4de2997f61d82d2f14d1ff4b6e125f3c1b49806d13d3bc739
SHA512: 8f2ef9c8c30b2419214d0704482d1d041bf481f402cdfa3c68aa92d1d6325449c084776c6e648732fba6a2cea8bb4efeb5cff827bf0bea44457dca5fcad26283
SSDEEP: 1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8Ac:MOemdTd1o74qlmbbJ+x+IkSc
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
- Deletes itself 1 IoCs
  Processes: PID 2248 cmd.exe
- Executes dropped EXE 1 IoCs
  Processes: PID 1724 biudfw.exe
- Loads dropped DLL 1 IoCs
  Processes: PID 2292 0d917d4356e49ad582f390894a45bdc0N.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (ioc, process):
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0d917d4356e49ad582f390894a45bdc0N.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by biudfw.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes (pid, process, target process):
    PID 2292 0d917d4356e49ad582f390894a45bdc0N.exe wrote to memory of 1724 biudfw.exe (4 events)
    PID 2292 0d917d4356e49ad582f390894a45bdc0N.exe wrote to memory of 2248 cmd.exe (4 events)
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2292
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1724
  - Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2248
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: 7cdc8777d33db85bc19aefb64879a7f7
  SHA1: f2d494d4dfe93a05eb58513935196e8578648adf
  SHA256: 9af382db716e39144dda99d3d9afbd5df9b65e6a36af229e715c00539bce6336
  SHA512: 34b075db80bf3704f76f9dd28eedffe88c9b3b5f730c79c27b9908fe2865847ae925487de2dcc1a8566bd3836d3b770ca3831d0b110312376684a92e42c6b48f
- Filesize: 276B
  MD5: fbca1a090a554b4c8bd3cd0003d8d48b
  SHA1: 6bd217c7aaafe8e437e7dfc79a820b43d194a529
  SHA256: 15649ac2cf024c3f84ea48f22e8fe3f2488baa5078f7d14e7fa0c6705d1cc27a
  SHA512: 0a00ea714a5d3d9c7fc33eb639b957b3142484c315438fcc9a746adef8398eef5ee7635d003cf9e838bde1cf89388123b66b8841221facee69f4ab90a47f1570
- Filesize: 55KB
  MD5: 9d8d0baecbcf02412ae80cd489fc5072
  SHA1: 7697a60c1c08c832569e4379c5c171529dabf586
  SHA256: 807568e80037f87a3268fa283307267763e41ecbf42dd40f8b5b9200b0fa94e9
  SHA512: 59461bace6941c19545218a0b953289ffd069de2214197494fd46526edd8c93c7e734438e022a0e8a7a5250aac42954097caef29540588a19eedee41d464318a