Analysis
max time kernel: 119s
max time network: 91s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 31-07-2024 03:40
Behavioral task: behavioral1
Sample: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe
Resource: win7-20240704-en
General
Target: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe
Size: 58KB
MD5: 5d40681dee8a5eaa2ee76ab80f59fec0
SHA1: ae24217335d72a9d693f590ae00a9d092848c156
SHA256: 183efc32d12f7d89426755f1650f72e06399e2c81b934c9bcb6b6e9305de9849
SHA512: 8373d90311e0f085c810ae6472db98327bfef641c303f7ab4bddd730e24607f68ac7e83400e79d65e836a87195888cad5275ff10454056e495546327259d5615
SSDEEP: 1536:6W82C0Db1edMckBI1kmJAhTPY6pnouy8t:6n25DbaMySmJAhbvoutt
Malware Config
Extracted
Family: urelas
C2 addresses:
218.54.47.76
218.54.47.77
218.54.47.74
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe (PID 1880)

Executes dropped EXE (1 IoC)
Processes: biudfw.exe (PID 992)

Loads dropped DLL (1 IoC)
Processes: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe (PID 1580)

UPX packed (yara rule: upx)
Matches:
behavioral1/memory/1580-0-0x0000000000050000-0x000000000007C000-memory.dmp
\Users\Admin\AppData\Local\Temp\biudfw.exe
behavioral1/memory/992-11-0x0000000000800000-0x000000000082C000-memory.dmp
behavioral1/memory/1580-19-0x0000000000050000-0x000000000007C000-memory.dmp
behavioral1/memory/992-22-0x0000000000800000-0x000000000082C000-memory.dmp
behavioral1/memory/992-24-0x0000000000800000-0x000000000082C000-memory.dmp
behavioral1/memory/992-31-0x0000000000800000-0x000000000082C000-memory.dmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5d40681dee8a5eaa2ee76ab80f59fec0N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by biudfw.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
PID 1580 (5d40681dee8a5eaa2ee76ab80f59fec0N.exe) wrote to memory of PID 992 (biudfw.exe), 4 times
PID 1580 (5d40681dee8a5eaa2ee76ab80f59fec0N.exe) wrote to memory of PID 1880 (cmd.exe), 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"
  PID: 1580
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    PID: 992
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 1880
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
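The process tree and signatures above describe a recognisable dropper shape: a binary running out of %TEMP% starts a second %TEMP% executable, spawns cmd.exe to run a .bat that also lives in %TEMP% (the "Deletes itself" hit on PID 1880), and every process in the chain opens the NLS\Language key. The following is an added detection example written for this report, not code from the sandbox vendor or from the malware author. It assumes a simplified, Sysmon-like event dict (process_create / registry_open); the sample events are constructed from the report's PIDs, paths and registry IoC, plus one constructed benign explorer.exe chain (PIDs 1234/1300, assumed) to show the correlation step rejecting a lone language-key read.

```python
"""Detection logic for the behaviours flagged in the sandbox report.

Added example, not the sandbox's or the malware's own code. Event format is
an assumed, simplified Sysmon-like dict; sample events are constructed from
the report plus one benign chain for contrast.
"""
import re
from collections import defaultdict
from typing import Dict, List

Event = Dict[str, object]

# %TEMP% on Windows 7 lives under AppData\Local\Temp (all Temp paths in the report).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c "<...>\AppData\Local\Temp\<name>.bat", tolerant of the doubled quotes
# in the report's command line: cmd /c ""C:\...\sanfdr.bat" "
CMD_BATCH_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[^"]*\\AppData\\Local\\Temp\\[^"]+\.bat)"*',
    re.IGNORECASE,
)
NLS_LANGUAGE_KEY = r"\CONTROL\NLS\LANGUAGE"  # suffix of the key in the report


def temp_batch_from_temp_parent(ev: Event) -> bool:
    """cmd.exe started by a %TEMP%-resident parent to run a .bat that is also
    in %TEMP%: the shape behind the 'Deletes itself' hit on cmd.exe 1880."""
    if ev.get("type") != "process_create":
        return False
    image = str(ev.get("image", "")).lower()
    parent = str(ev.get("parent_image", ""))
    cmdline = str(ev.get("command_line", ""))
    return (image.endswith("\\cmd.exe")
            and TEMP_DIR_RE.search(parent) is not None
            and CMD_BATCH_RE.search(cmdline) is not None)


def dropped_exe_from_temp(ev: Event) -> bool:
    """A %TEMP% executable started by another %TEMP% executable: the
    'Executes dropped EXE' shape (biudfw.exe spawned by the sample)."""
    if ev.get("type") != "process_create":
        return False
    image = str(ev.get("image", ""))
    parent = str(ev.get("parent_image", ""))
    return (image.lower().endswith(".exe")
            and TEMP_DIR_RE.search(image) is not None
            and TEMP_DIR_RE.search(parent) is not None)


def nls_language_query(ev: Event) -> bool:
    """Open of ...\\Control\\NLS\\Language ('System Language Discovery').
    Noisy alone (cmd.exe opened it too), so it only counts when correlated."""
    return (ev.get("type") == "registry_open"
            and str(ev.get("key", "")).upper().endswith(NLS_LANGUAGE_KEY))


RULES = {
    "temp_batch_from_temp_parent": temp_batch_from_temp_parent,
    "dropped_exe_from_temp": dropped_exe_from_temp,
    "nls_language_query": nls_language_query,
}


def root_pid(pid: int, parents: Dict[int, int]) -> int:
    """Walk the parent map up to the first PID whose creation we did not see."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events: List[Event]) -> Dict[int, List[str]]:
    """Group rule hits by the root of the process chain that produced them."""
    parents = {int(e["pid"]): int(e["parent_pid"])
               for e in events if e.get("type") == "process_create"}
    hits: Dict[int, set] = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[root_pid(int(ev["pid"]), parents)].add(name)
    return {root: sorted(names) for root, names in hits.items()}


def verdicts(events: List[Event]) -> Dict[int, str]:
    """'dropper' when one chain trips two or more distinct rules, else 'noise'."""
    return {root: ("dropper" if len(names) >= 2 else "noise")
            for root, names in correlate(events).items()}


# Constructed sample events modelled on the report's process tree, plus a
# constructed benign explorer.exe -> cmd.exe chain (PIDs assumed).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "pid": 992, "parent_pid": 1580,
     "image": TEMP + r"\biudfw.exe", "parent_image": SAMPLE,
     "command_line": '"' + TEMP + r'\biudfw.exe"'},
    {"type": "process_create", "pid": 1880, "parent_pid": 1580,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "command_line": 'cmd /c ""' + TEMP + r'\sanfdr.bat" "'},
    {"type": "registry_open", "pid": 1580, "key": NLS_KEY},
    {"type": "registry_open", "pid": 992, "key": NLS_KEY},
    {"type": "registry_open", "pid": 1880, "key": NLS_KEY},
    {"type": "process_create", "pid": 1300, "parent_pid": 1234,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd /c "C:\Users\Admin\Documents\build.bat"'},
    {"type": "registry_open", "pid": 1300, "key": NLS_KEY},
]

if __name__ == "__main__":
    for root, verdict in verdicts(SAMPLE_EVENTS).items():
        print(root, verdict, correlate(SAMPLE_EVENTS)[root])
```

Run stand-alone it reports root PID 1580 as "dropper" (three distinct rules) and the benign chain as "noise" (only the language-key read). The two process rules are the ones worth keying on in production telemetry; the registry rule alone will fire on ordinary Windows processes, which is why the report's signature lists cmd.exe alongside the sample.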
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 512B
MD5: b4a86880004da8726288d7ec954885a8
SHA1: 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256: c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512: 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

File 2
Filesize: 276B
MD5: 819362708bc5eee198a15582daab8e7d
SHA1: 564d69a5cb20a00734ea49cef078f16b582988e3
SHA256: 9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b
SHA512: d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485

File 3
Filesize: 58KB
MD5: 5410c36b26b0518622068c704b1566dd
SHA1: 0d5a5e3c5f8cdbdb219745bf0fb2a81fe5825029
SHA256: cc1682cde36824b29ab18716a2363a0aac74be4489dc96ad14e489b3d6800283
SHA512: f318937e07dbe9a544505ad2c16bbddabbe70b47153ce81a41625130e87adcb263e2963d1139edef44e512b4293042b625045c862931a1c185ff5d7808d9e831