Analysis
Max time kernel: 100s
Max time network: 100s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/08/2024, 04:31
Static task: static1
Behavioral task: behavioral1
Sample: 33a0d35356cb29cc100814c509666060N.exe
Resource: win7-20240708-en
General
Target: 33a0d35356cb29cc100814c509666060N.exe
Size: 61KB
MD5: 33a0d35356cb29cc100814c509666060
SHA1: 004f841827eb1977ee1c9a8027b497ef4645f978
SHA256: 9fb2d1aa8a690de100629d4029dcb40bb9c1a8a19bf783ff4d29c8e211546167
SHA512: 74701d39f4e0c004ffd1785ca9b912dac1490b2e366122b60c7726c1c2ac4a4a9f47879889794cae9e5451c2d3581d2f20d19d6535299db41ee25f024bbe20e8
SSDEEP: 1536:saTkcl2v/z0thjkh6+uYLo31d0JuPrROVz:Jo0cAthu6+FQ0JuPkz
Malware Config
Extracted: urelas
  218.54.47.76
  218.54.47.77
  218.54.47.74
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation
  Process: 33a0d35356cb29cc100814c509666060N.exe

Executes dropped EXE (1 IoC)
  PID 4772: biudfw.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by 33a0d35356cb29cc100814c509666060N.exe
    by biudfw.exe
    by cmd.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process                         Target PID  procid_target
  2416        33a0d35356cb29cc100814c509666060N.exe  4772        88
  2416        33a0d35356cb29cc100814c509666060N.exe  4772        88
  2416        33a0d35356cb29cc100814c509666060N.exe  4772        88
  2416        33a0d35356cb29cc100814c509666060N.exe  720         89
  2416        33a0d35356cb29cc100814c509666060N.exe  720         89
  2416        33a0d35356cb29cc100814c509666060N.exe  720         89
Processes

[1] C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\33a0d35356cb29cc100814c509666060N.exe"
    PID: 2416
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\biudfw.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
        PID: 4772
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
        PID: 720
        - System Location Discovery: System Language Discovery