Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 22:23

Static task: static1
Behavioral task: behavioral1
Sample: 0d917d4356e49ad582f390894a45bdc0N.exe
Resource: win7-20240708-en

General
Target: 0d917d4356e49ad582f390894a45bdc0N.exe
Size: 55KB
MD5: 0d917d4356e49ad582f390894a45bdc0
SHA1: 3a3372a923573fcee7b87e493ba6d0a32000a379
SHA256: a142637f6eacebb4de2997f61d82d2f14d1ff4b6e125f3c1b49806d13d3bc739
SHA512: 8f2ef9c8c30b2419214d0704482d1d041bf481f402cdfa3c68aa92d1d6325449c084776c6e648732fba6a2cea8bb4efeb5cff827bf0bea44457dca5fcad26283
SSDEEP: 1536:MQPzemdaNqAPG17k74qlmbbVgYyvxcd5jnGWqN7kS8Ac:MOemdTd1o74qlmbbJ+x+IkSc
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 0d917d4356e49ad582f390894a45bdc0N.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation
  process: 0d917d4356e49ad582f390894a45bdc0N.exe

Executes dropped EXE (1 IoC)
Processes: biudfw.exe
  pid: 1704
  process: biudfw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, 0d917d4356e49ad582f390894a45bdc0N.exe, biudfw.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: cmd.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: 0d917d4356e49ad582f390894a45bdc0N.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: biudfw.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 0d917d4356e49ad582f390894a45bdc0N.exe
  description: PID 676 wrote to memory of 1704 | pid: 676 | process: 0d917d4356e49ad582f390894a45bdc0N.exe | target process: biudfw.exe
  description: PID 676 wrote to memory of 1704 | pid: 676 | process: 0d917d4356e49ad582f390894a45bdc0N.exe | target process: biudfw.exe
  description: PID 676 wrote to memory of 1704 | pid: 676 | process: 0d917d4356e49ad582f390894a45bdc0N.exe | target process: biudfw.exe
  description: PID 676 wrote to memory of 3528 | pid: 676 | process: 0d917d4356e49ad582f390894a45bdc0N.exe | target process: cmd.exe
  description: PID 676 wrote to memory of 3528 | pid: 676 | process: 0d917d4356e49ad582f390894a45bdc0N.exe | target process: cmd.exe
  description: PID 676 wrote to memory of 3528 | pid: 676 | process: 0d917d4356e49ad582f390894a45bdc0N.exe | target process: cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0d917d4356e49ad582f390894a45bdc0N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 676

    C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 1704

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      - System Location Discovery: System Language Discovery
      PID: 3528
Network
MITRE ATT&CK Enterprise v15
Downloads