Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 01:20
Behavioral task: behavioral1
Sample: 161db86eb5f9237449a1027c1f63f310.exe
Resource: win7-20240708-en
General
Target: 161db86eb5f9237449a1027c1f63f310.exe
Size: 84KB
MD5: 161db86eb5f9237449a1027c1f63f310
SHA1: db84b6c68774555ec724c737798e289818b25eaf
SHA256: 9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb
SHA512: cd369f9b767ce4513e0bb42e365ea7f7c34de683b61dcbda0c51ab0dd76964ecade34d25f1639bf65bbb12bd49ff032601f0cefd6be0318bd34712d739a7391e
SSDEEP: 1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURF+:JznH976dUCnuniDI
Malware Config
Extracted
urelas
112.175.88.207
112.175.88.208
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 161db86eb5f9237449a1027c1f63f310.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation
  process: 161db86eb5f9237449a1027c1f63f310.exe

Executes dropped EXE (1 IoC)
Processes: huter.exe
  pid: 4964
  process: huter.exe

Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4552-0-0x0000000000400000-0x0000000000431000-memory.dmp   upx
  C:\Users\Admin\AppData\Local\Temp\huter.exe                                  upx
  behavioral2/memory/4964-15-0x0000000000400000-0x0000000000431000-memory.dmp  upx
  behavioral2/memory/4552-18-0x0000000000400000-0x0000000000431000-memory.dmp  upx
  behavioral2/memory/4964-21-0x0000000000400000-0x0000000000431000-memory.dmp  upx
  behavioral2/memory/4964-23-0x0000000000400000-0x0000000000431000-memory.dmp  upx
  behavioral2/memory/4964-29-0x0000000000400000-0x0000000000431000-memory.dmp  upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 161db86eb5f9237449a1027c1f63f310.exe, huter.exe, cmd.exe
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  161db86eb5f9237449a1027c1f63f310.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  huter.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 161db86eb5f9237449a1027c1f63f310.exe
  description                        pid   process                                target process
  PID 4552 wrote to memory of 4964   4552  161db86eb5f9237449a1027c1f63f310.exe   huter.exe
  PID 4552 wrote to memory of 4964   4552  161db86eb5f9237449a1027c1f63f310.exe   huter.exe
  PID 4552 wrote to memory of 4964   4552  161db86eb5f9237449a1027c1f63f310.exe   huter.exe
  PID 4552 wrote to memory of 1264   4552  161db86eb5f9237449a1027c1f63f310.exe   cmd.exe
  PID 4552 wrote to memory of 1264   4552  161db86eb5f9237449a1027c1f63f310.exe   cmd.exe
  PID 4552 wrote to memory of 1264   4552  161db86eb5f9237449a1027c1f63f310.exe   cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4552
  C:\Users\Admin\AppData\Local\Temp\huter.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4964
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - System Location Discovery: System Language Discovery
    PID: 1264
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 512B
MD5: a01dba4c45102fc15292fd5591166536
SHA1: d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256: cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512: 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Filesize: 84KB
MD5: 07e22f632c6ba0c7cdf97d2c3cb9a653
SHA1: a2f33b0956db23ac800b3784bd6d5097379b037d
SHA256: f39b1ff6295145570cee0d176d42a672a5bb3054ff777b5f5379e9606038fb7d
SHA512: 12029331b934fb66e5e13d178f527e68fb3f9655584810877f2288b69172dca78a2b075f815d5f8de4a3845ccdc39292e77f42324c08dac21ad1e66626e5154d

Filesize: 274B
MD5: f6ded6959fb77f028c1fc4610cf98ac9
SHA1: 86878df65adbc4fc768d21851ed844e0288f1f0c
SHA256: e81200edb8bdeb4f0cf6f7b5ffa97452fe542e17c1667c25ea916f895ad39286
SHA512: 6a4196bd40fdd61c3e086a7f92186cbc8ee45058263d123889394c2f850f11e60768667f8e365c37cefe0e8fc245de23221fb382d095acbb53ac9d6a7552c892