Analysis
- max time kernel: 89s
- max time network: 86s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 29/08/2024, 04:31
Static task: static1
Behavioral task: behavioral1
Sample: 33a0d35356cb29cc100814c509666060N.exe
Resource: win7-20240708-en
General
- Target: 33a0d35356cb29cc100814c509666060N.exe
- Size: 61KB
- MD5: 33a0d35356cb29cc100814c509666060
- SHA1: 004f841827eb1977ee1c9a8027b497ef4645f978
- SHA256: 9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167
- SHA512: 74701d39f4e0c004ffd1785ca9b912dac1490b2e366122b60c7726c1c2ac4a4a9f47879889794cae9e5451c2d3581d2f20d19d6535299db41ee25f024bbe20e8
- SSDEEP: 1536:saTkcl2v/z0thjkh6+uYLo31d0JuPrROVz:Jo0cAthu6+FQ0JuPkz
Malware Config
Extracted
- Family: urelas
- C2: 218.54.47.76
- C2: 218.54.47.77
- C2: 218.54.47.74
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  2128 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2080 | biudfw.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2220 | 33a0d35356cb29cc100814c509666060N.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33a0d35356cb29cc100814c509666060N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | biudfw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2220 wrote to memory of 2080 | 2220 | 33a0d35356cb29cc100814c509666060N.exe | 31 (recorded 4 times)
  PID 2220 wrote to memory of 2128 | 2220 | 33a0d35356cb29cc100814c509666060N.exe | 32 (recorded 4 times)
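The rows above are the raw material for both triage and detection: the WriteProcessMemory rows give the parent/child relation (2220 wrote into 2080 and 2128, the two processes it spawned), and the config, dropped-file and registry IoCs are what an analyst pushes into telemetry searches. The following Python is an added example, not part of the sandbox report or of any tool the report describes. It parses the report's own "wrote to memory of" rows into a process tree and runs the report's indicators over a few constructed endpoint log lines (the log lines, host name and field names are invented for the example; the indicators are copied from the report). The registry key is matched on its `\SYSTEM\ControlSet001\Control\NLS\Language` suffix so that both the native `\REGISTRY\MACHINE\...` spelling used by the sandbox and the `HKLM\...` spelling used by most EDR logs are caught.

```python
"""Added example (not part of the sandbox report): operationalise the
indicators above.  process_tree() rebuilds parent->child relations from the
report's 'wrote to memory of' rows, and match_indicators() flags the C2
addresses, dropped-file names, hashes and the NLS\\Language registry key in
log lines.  The log lines below are constructed for the example, not
captured from the sample."""
import re
from collections import defaultdict

# Indicators copied from the report.
C2_IPS = {"218.54.47.76", "218.54.47.77", "218.54.47.74"}
DROPPED_NAMES = {"biudfw.exe", "sanfdr.bat"}
SHA256S = {
    "9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167",  # submitted sample
    "7a3dcca25341a16f40773fc47b5bf78b0d554ea95b793560fd4cb5f533e60742",  # 61KB dropped file
}
# Matched as a suffix so both the native (\REGISTRY\MACHINE\...) and the
# HKLM\... spellings of the key are caught.
LANG_KEY_SUFFIX = r"\SYSTEM\ControlSet001\Control\NLS\Language".lower()

# The eight rows of the 'Suspicious use of WriteProcessMemory' signature,
# verbatim from the report (each event was logged four times).
WPM_ROWS_FROM_REPORT = (
    "PID 2220 wrote to memory of 2080 2220 33a0d35356cb29cc100814c509666060N.exe 31 " * 4
    + "PID 2220 wrote to memory of 2128 2220 33a0d35356cb29cc100814c509666060N.exe 32 " * 4
)
WPM_ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def process_tree(rows: str) -> dict:
    """Parse 'PID <parent> wrote to memory of <child> <parent> <image> <target id>'
    rows, drop the repeats, and return {parent_pid: {child_pid: (image, target_id)}}."""
    tree = defaultdict(dict)
    for parent, child, image, target in WPM_ROW.findall(rows):
        tree[int(parent)][int(child)] = (image, int(target))
    return dict(tree)


def match_indicators(log_lines):
    """Return (line_no, indicator_type, value) for every indicator hit, in line order."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for ip in sorted(C2_IPS):
            if ip in line:
                hits.append((n, "c2_ip", ip))
        for name in sorted(DROPPED_NAMES):
            if name in low:
                hits.append((n, "dropped_file", name))
        for digest in sorted(SHA256S):
            if digest in low:
                hits.append((n, "sha256", digest))
        if LANG_KEY_SUFFIX in low:
            hits.append((n, "language_discovery", LANG_KEY_SUFFIX))
    return hits


# Constructed endpoint-telemetry lines (invented for the example, not from the sandbox run).
SAMPLE_LOGS = [
    r"2024-08-29T04:31:10 host=WS01 evt=file_create image=C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe target=C:\Users\Admin\AppData\Local\Temp\biudfw.exe",
    r"2024-08-29T04:31:11 host=WS01 evt=net_connect image=C:\Users\Admin\AppData\Local\Temp\biudfw.exe dst=218.54.47.76",
    r"2024-08-29T04:31:12 host=WS01 evt=reg_open image=C:\Windows\SysWOW64\cmd.exe key=HKLM\SYSTEM\ControlSet001\Control\NLS\Language",
    r"2024-08-29T04:31:13 host=WS01 evt=net_connect image=C:\Windows\System32\svchost.exe dst=10.0.0.5",
    r"2024-08-29T04:31:14 host=WS01 evt=file_hash path=C:\Quarantine\1.bin sha256=7a3dcca25341a16f40773fc47b5bf78b0d554ea95b793560fd4cb5f533e60742",
]


if __name__ == "__main__":
    for parent, children in process_tree(WPM_ROWS_FROM_REPORT).items():
        for child, (image, target) in children.items():
            print(f"{image} (PID {parent}) -> PID {child} (sandbox target id {target})")
    for line_no, kind, value in match_indicators(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} {value}")
```

Note that the language-discovery hit on its own is weak evidence: many legitimate installers read `NLS\Language`. It is the combination with the temp-directory executable, the dropped `biudfw.exe` and a connection to one of the three configured addresses that makes the sequence worth paging on.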
Processes
1. C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2220
   2. C:\Users\Admin\AppData\Local\Temp\biudfw.exe (child of PID 2220)
      Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2080
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2220)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 2128
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 512B
  MD5: 657ce9e5dd337971e44dfb9cb3fbf7dd
  SHA1: 026734083afaa4b7d298781b26a72ac9b67ac831
  SHA256: 3138d6a5526aaa3cb120adb309f2a27d5fec03c8aa088268a1c7f378dd722472
  SHA512: 79aab9648bb19ebe5946dd9edd7e11a70ea7b340a1c7539ccff3d3d13de2932bf5ea9077c079208e09bf5d632f00541e52d4926c5c80f86741effb8d86acd26d
- Filesize: 276B
  MD5: 40b712c61ed3bfc861e5f3c1811b6281
  SHA1: 626b4b934ec6890740776d273d76080418526ce9
  SHA256: 023cd5235b4f06e6108752833b439df76e755ef596bfb12fd669e8bff28868de
  SHA512: 06ef7a0ff65b2219fbc0b99a5aa9cfd6bf6bc9b1e19d2b30322435b5b0205369b46b3d1dcbe8ec9bd5b99dc31a99a219f5e24fae2ad4e5bd62c698b4c0f57a96
- Filesize: 61KB
  MD5: 57616525df70bf86a4d4e3583d654205
  SHA1: 5ee971ae494ecf9773ac207eb8e23129e4135555
  SHA256: 7a3dcca25341a16f40773fc47b5bf78b0d554ea95b793560fd4cb5f533e60742
  SHA512: a39f68d788ba1ee93dbc63b475913509a9216711c51175eabd76bcceaca830997b70e41232f9f785fecd1c3e87e4d01f8b11ac69ddb27c47821579cc28416546