Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 11:16
Static task
static1
Behavioral task
behavioral1
Sample
92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe
Resource
win7-20240903-en
General
-
Target
92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe
-
Size
57KB
-
MD5
bdfd38c1c9211eb0999080aa68619850
-
SHA1
bb380f9dd7f4f0f67f25e98deb38ea42ae16a939
-
SHA256
92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080
-
SHA512
99e7e7bf831eecc9127333659747786f8723c03223af2849769837323f78da92277de2d9370b0a80e08b7232069f8ff4dea9d63475f04df7e81525b3639e656e
-
SSDEEP
1536:amZ+4hcuX5uZ79jmvFQTXnz9yQ/PFBhl1f:amZ+luXwy2f9LDhDf
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2092 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
biudfw.exepid process 1148 biudfw.exe -
Loads dropped DLL 1 IoCs
Processes:
92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exepid process 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exebiudfw.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language biudfw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exedescription pid process target process PID 2480 wrote to memory of 1148 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe biudfw.exe PID 2480 wrote to memory of 1148 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe biudfw.exe PID 2480 wrote to memory of 1148 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe biudfw.exe PID 2480 wrote to memory of 1148 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe biudfw.exe PID 2480 wrote to memory of 2092 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe cmd.exe PID 2480 wrote to memory of 2092 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe cmd.exe PID 2480 wrote to memory of 2092 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe cmd.exe PID 2480 wrote to memory of 2092 2480 92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe"C:\Users\Admin\AppData\Local\Temp\92ea1c4a69e8b1f2708691e8a6160e78f74c224d7a498f7f3cecb93a745ce080N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\biudfw.exe"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2092
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD526625b4ca7658f7ba4dc7d982782323c
SHA1574aa314998c39e683675ccf457b0305341a4aaf
SHA256c494e0ffeee72023dac244366c08072f677ba328ba805f9e480abc2824e99283
SHA5125a9af4c6be10240dec0d33b37bc6f6836f1db5d0a2a9dd158d63848a8a97dad68e2d9217aca2b2d1cf122d9534aba0d23b247f6686c4ff934bd7035a927d9b9d
-
Filesize
340B
MD5676482554c49f761e4f44639b6e96633
SHA14a2ec30252639ab31b09694f49df2b01def0a56c
SHA256be4fdbd3339f0c3f757adb6ffacee9d92a378abbfb9251a1d06ec0dbf3aa200f
SHA512034bed4cc8767d8100cd5c32d63f59b4c7dd4020c58d75600e4e0dd0fd8d4267a6c29e17a6c55357473784c499e92448bf4f0d40a80c7929f62b6e26b412b4e4
-
Filesize
57KB
MD57b5ee2ee3b8598bae2c206e420c12965
SHA1a581439c03b04b1ceb873f78f3a45cda3fc77f44
SHA2562297c18d69b894889751b3fe622cb15ac3530d0297a9f5ae30dd095074a79dc1
SHA51261ef665517216dccf272c0640300006c473d511ed8817eed2e46ad69e1da7970ba0bc7b00d5bd7cce14ed4f607df317297b6c9b785db489568692a1cd3a10691