Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2024 08:32
Static task: static1
Behavioral task: behavioral1
Sample: 59f0820e1dba93f32143edd3016243e0N.exe
Resource: win7-20240708-en
General
Target: 59f0820e1dba93f32143edd3016243e0N.exe
Size: 53KB
MD5: 59f0820e1dba93f32143edd3016243e0
SHA1: 29ca84156e31cf22dff3784e0ea8fe16beacb5ac
SHA256: d620b15623bb352588dbe7e71ed15be7018750380cf5670c0acfec5612b28d9c
SHA512: 5378d3b9a667f59c18d8544269441f5a0f331e1730c6fa6038b8508d58bf74d7a8c33c60822d1621fb932f265070776224c2f1304f8b852df9f7a3acfd28929f
SSDEEP: 1536:TlnBzGPEdPJpUI4QP4BDK3XmbPfKJ97ifa:JnBGPUMQwBDamb3a7iy
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
Deletes itself (1 IoCs)
Processes:
  PID 2984  cmd.exe
Executes dropped EXE (1 IoCs)
Processes:
  PID 2212  biudfw.exe
Loads dropped DLL (1 IoCs)
Processes:
  PID 2884  59f0820e1dba93f32143edd3016243e0N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  59f0820e1dba93f32143edd3016243e0N.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  biudfw.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
  PID 2884 wrote to memory of 2212  2884  59f0820e1dba93f32143edd3016243e0N.exe  biudfw.exe
  PID 2884 wrote to memory of 2212  2884  59f0820e1dba93f32143edd3016243e0N.exe  biudfw.exe
  PID 2884 wrote to memory of 2212  2884  59f0820e1dba93f32143edd3016243e0N.exe  biudfw.exe
  PID 2884 wrote to memory of 2212  2884  59f0820e1dba93f32143edd3016243e0N.exe  biudfw.exe
  PID 2884 wrote to memory of 2984  2884  59f0820e1dba93f32143edd3016243e0N.exe  cmd.exe
  PID 2884 wrote to memory of 2984  2884  59f0820e1dba93f32143edd3016243e0N.exe  cmd.exe
  PID 2884 wrote to memory of 2984  2884  59f0820e1dba93f32143edd3016243e0N.exe  cmd.exe
  PID 2884 wrote to memory of 2984  2884  59f0820e1dba93f32143edd3016243e0N.exe  cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\59f0820e1dba93f32143edd3016243e0N.exe"
  PID: 2884
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\biudfw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      PID: 2212
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      PID: 2984
      - Deletes itself
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads