Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2024 03:40
Behavioral task: behavioral1
- Sample: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe
- Resource: win7-20240704-en
General
- Target: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe
- Size: 58KB
- MD5: 5d40681dee8a5eaa2ee76ab80f59fec0
- SHA1: ae24217335d72a9d693f590ae00a9d092848c156
- SHA256: 183efc32d12f7d89426755f1650f72e06399e2c81b934c9bcb6b6e9305de9849
- SHA512: 8373d90311e0f085c810ae6472db98327bfef641c303f7ab4bddd730e24607f68ac7e83400e79d65e836a87195888cad5275ff10454056e495546327259d5615
- SSDEEP: 1536:6W82C0Db1edMckBI1kmJAhTPY6pnouy8t:6n25DbaMySmJAhbvoutt
Malware Config
Extracted: urelas
- 218.54.47.76
- 218.54.47.77
- 218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation (process: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe)

Executes dropped EXE (1 IoCs)
Processes:
- pid 1724, process biudfw.exe

Processes (yara_rule upx matched on the following resources):
- behavioral2/memory/3248-0-0x0000000000090000-0x00000000000BC000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
- behavioral2/memory/1724-10-0x0000000000700000-0x000000000072C000-memory.dmp
- behavioral2/memory/3248-15-0x0000000000090000-0x00000000000BC000-memory.dmp
- behavioral2/memory/1724-18-0x0000000000700000-0x000000000072C000-memory.dmp
- behavioral2/memory/1724-20-0x0000000000700000-0x000000000072C000-memory.dmp
- behavioral2/memory/1724-27-0x0000000000700000-0x000000000072C000-memory.dmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5d40681dee8a5eaa2ee76ab80f59fec0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: biudfw.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 3248 wrote to memory of 1724 (pid 3248, process 5d40681dee8a5eaa2ee76ab80f59fec0N.exe, target process biudfw.exe)
- PID 3248 wrote to memory of 1724 (pid 3248, process 5d40681dee8a5eaa2ee76ab80f59fec0N.exe, target process biudfw.exe)
- PID 3248 wrote to memory of 1724 (pid 3248, process 5d40681dee8a5eaa2ee76ab80f59fec0N.exe, target process biudfw.exe)
- PID 3248 wrote to memory of 892 (pid 3248, process 5d40681dee8a5eaa2ee76ab80f59fec0N.exe, target process cmd.exe)
- PID 3248 wrote to memory of 892 (pid 3248, process 5d40681dee8a5eaa2ee76ab80f59fec0N.exe, target process cmd.exe)
- PID 3248 wrote to memory of 892 (pid 3248, process 5d40681dee8a5eaa2ee76ab80f59fec0N.exe, target process cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe (PID: 3248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d40681dee8a5eaa2ee76ab80f59fec0N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\biudfw.exe (PID: 1724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID: 892)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 58KB
  MD5: 5a5f202cf2b7cf395cc7edfa0c3abbaf
  SHA1: 1eb3a41b48edb5d5dd56259c11c41cf5ac661c55
  SHA256: aac373365b0484475a6f1b224fadc130d9d8c2082dfe141bf87f7b4a27ecbea2
  SHA512: 8a1a7b47dd49a28c4425db1bab1a275166d54a78f2f656dc63d9622627740dd1121f1e3f35cc4321969c9a18b3e5edd1884528ac285c2613a546a3d3cf816bbd
- Filesize: 512B
  MD5: b4a86880004da8726288d7ec954885a8
  SHA1: 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
  SHA256: c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
  SHA512: 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4
- Filesize: 276B
  MD5: 819362708bc5eee198a15582daab8e7d
  SHA1: 564d69a5cb20a00734ea49cef078f16b582988e3
  SHA256: 9e4c8e74ec0ed2ed3fe8888d2227f4bbb0c94134d3cd75b52c7553bec616305b
  SHA512: d30d35f26473eeab5308a61fee132387e459df63365e431e3a09a48ad7194b812efd4ca4eaf7f1424e24c00da7608098f74947b031d1c8296aba49ef6daad485