Analysis
  max time kernel: 121s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 01-08-2024 01:20
Behavioral task: behavioral1
  Sample: 161db86eb5f9237449a1027c1f63f310.exe
  Resource: win7-20240708-en
General
  Target: 161db86eb5f9237449a1027c1f63f310.exe
  Size: 84KB
  MD5: 161db86eb5f9237449a1027c1f63f310
  SHA1: db84b6c68774555ec724c737798e289818b25eaf
  SHA256: 9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb
  SHA512: cd369f9b767ce4513e0bb42e365ea7f7c34de683b61dcbda0c51ab0dd76964ecade34d25f1639bf65bbb12bd49ff032601f0cefd6be0318bd34712d739a7391e
  SSDEEP: 1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURF+:JznH976dUCnuniDI
Malware Config
  Extracted: urelas
    112.175.88.207
    112.175.88.208
Signatures

Deletes itself (1 IoCs)
  Processes: cmd.exe
    pid    process
    2904   cmd.exe

Executes dropped EXE (1 IoCs)
  Processes: huter.exe
    pid    process
    2756   huter.exe

Loads dropped DLL (1 IoCs)
  Processes: 161db86eb5f9237449a1027c1f63f310.exe
    pid    process
    2252   161db86eb5f9237449a1027c1f63f310.exe
Processes:
    resource                                                                       yara_rule
    behavioral1/memory/2252-0-0x0000000000400000-0x0000000000431000-memory.dmp     upx
    \Users\Admin\AppData\Local\Temp\huter.exe                                      upx
    behavioral1/memory/2252-17-0x0000000000400000-0x0000000000431000-memory.dmp    upx
    behavioral1/memory/2756-20-0x0000000000400000-0x0000000000431000-memory.dmp    upx
    behavioral1/memory/2756-22-0x0000000000400000-0x0000000000431000-memory.dmp    upx
    behavioral1/memory/2756-29-0x0000000000400000-0x0000000000431000-memory.dmp    upx
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 161db86eb5f9237449a1027c1f63f310.exe, huter.exe, cmd.exe
    description   ioc                                                            process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    161db86eb5f9237449a1027c1f63f310.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    huter.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 161db86eb5f9237449a1027c1f63f310.exe
    description                         pid    process                                 target process
    PID 2252 wrote to memory of 2756    2252   161db86eb5f9237449a1027c1f63f310.exe    huter.exe
    PID 2252 wrote to memory of 2756    2252   161db86eb5f9237449a1027c1f63f310.exe    huter.exe
    PID 2252 wrote to memory of 2756    2252   161db86eb5f9237449a1027c1f63f310.exe    huter.exe
    PID 2252 wrote to memory of 2756    2252   161db86eb5f9237449a1027c1f63f310.exe    huter.exe
    PID 2252 wrote to memory of 2904    2252   161db86eb5f9237449a1027c1f63f310.exe    cmd.exe
    PID 2252 wrote to memory of 2904    2252   161db86eb5f9237449a1027c1f63f310.exe    cmd.exe
    PID 2252 wrote to memory of 2904    2252   161db86eb5f9237449a1027c1f63f310.exe    cmd.exe
    PID 2252 wrote to memory of 2904    2252   161db86eb5f9237449a1027c1f63f310.exe    cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310.exe"
  PID: 2252
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\huter.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    PID: 2756
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    PID: 2904
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 512B
  MD5: a01dba4c45102fc15292fd5591166536
  SHA1: d96191c30e0f09439d8547f4ededbf6726ccd54b
  SHA256: cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
  SHA512: 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

  Filesize: 274B
  MD5: f6ded6959fb77f028c1fc4610cf98ac9
  SHA1: 86878df65adbc4fc768d21851ed844e0288f1f0c
  SHA256: e81200edb8bdeb4f0cf6f7b5ffa97452fe542e17c1667c25ea916f895ad39286
  SHA512: 6a4196bd40fdd61c3e086a7f92186cbc8ee45058263d123889394c2f850f11e60768667f8e365c37cefe0e8fc245de23221fb382d095acbb53ac9d6a7552c892

  Filesize: 84KB
  MD5: 5e451f4b66e856c36af3d88aea99c7fa
  SHA1: 71e31eac499fb7c05ae6d181defd3cc5beafeda6
  SHA256: 5e6b86ce13f80e83b9599e1f462bd141e69cd953281239e7185bcd690cfa6f80
  SHA512: 464d13447f39e0df92c425ca1e283d0a9b5a7b7a59643fea795815a458becba6e920809dd7b9c4f0eaa73591805ba5c5e53f10ed3a6baeb561e8e4998962b25c