119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe
Size

155KB
MD5

af6e4b86ea8efb711d5d298600d21550
SHA1

a7e111767b2f7acdd1cc4c4239f3ef5b9dc74e1e
SHA256

119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594
SHA512

59aaee6129df1a809a06b0de6cbb54a050cc8a8fb42c8925e53a837616b61190ec28e9dc373db2fd67f67fa964bc967538b3d5fa39c56389257e29c035c666c7
SSDEEP

3072:Ntbqvi9nMKxQbZ5x66EfACsxfcYvQd2Oe:Nt2vsx+AV4LfLO

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe

Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

2936 biudfw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2936	biudfw.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exebiudfw.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biudfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe

description	pid	process	target process
PID 2380 wrote to memory of 2936	2380	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe	biudfw.exe
PID 2380 wrote to memory of 2936	2380	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe	biudfw.exe
PID 2380 wrote to memory of 2936	2380	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe	biudfw.exe
PID 2380 wrote to memory of 4084	2380	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe	cmd.exe
PID 2380 wrote to memory of 4084	2380	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe	cmd.exe
PID 2380 wrote to memory of 4084	2380	119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe
"C:\Users\Admin\AppData\Local\Temp\119ce6d9f4af2738ead78efc190413291fdabe445d7d54d1dbdfec498dab0594N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
155KB

MD5
bfa00093b2c1116376aecbadd9c62b9a

SHA1
d63d311454950d20f9de93b162f1bcc5330611d9

SHA256
7b3469feafe84b2aa56fd037eb0d7c1799e04c24eb348928bf8097ad0c369730

SHA512
edfa64d02c9152afa402fe828fdcf53eaca6be2cf29193e963a925de9cab52ebecf41f87b62494bdb1c2a346fa9a6d59544b415c2bdc38291a093138baf8bf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2930c042c9ee5e07f321f2134a0c7edc

SHA1
ee39f41eaf6ce3c8d917a89e65959414ae0088e6

SHA256
a328475bbb730da292b83ed6cabbdbfc0616f042296f0c6fa356c5368ffc1309

SHA512
2da91d5effc116d8c8661c2a99f1d9c2aaffda0f776551dc7ad1911fdb2765591e5b441b9a1fe0090bcda8ed24d180b563ed2c127676cf1de40001e4b15b5506

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
adf7c8df135434efdced5c3f888eabab

SHA1
5aa2ae3eab9903adc7c76b45250629d943d68972

SHA256
5e6c7ee8b41c005da91f8fcabcc3d732e2f901d1a3aa45e4860e0eca7bc6ef37

SHA512
021d2dff58febc157fbfdcd9e2ec86ce0c37d87a508020a1fe671938ac33858d0231428a1e99066d12a4ffa4b3bc4b7cd60ede9488cdbc974a1459920607d621

Download Submit