Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 06:27

Static task: static1
Behavioral task: behavioral1
  Sample: 328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe
  Resource: win10v2004-20220414-en
General
- Target: 328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe
- Size: 1.9MB
- MD5: 82ec6b7ef5830a1bbf2e0339f58d588c
- SHA1: 9141f592a1571d5f88850b46aa8a8219a57c42fd
- SHA256: 328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265
- SHA512: c84a2bdc1c2ec085b2f15a92e1959829aff0229217c00ca658ddab057736a81eb998a4cb76addddbc62f22df964a1d37696c7bed0b302d5c3f65d9812ce401c9
Malware Config
Signatures
-
Executes dropped EXE  (1 IoC)
  pid   Process
  908   RyexhoIubem.exe
Checks BIOS information in registry  (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments: on a virtual machine these keys carry hypervisor-specific strings (VirtualBox writes "VBOX" into SystemBiosVersion; VMware and QEMU are identifiable from the product name and manufacturer values), so a sample can compare them against a list and change behaviour. Legitimate software reads the same keys, so this is weak evidence on its own.
  description          ioc                                                               Process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   RyexhoIubem.exe
Loads dropped DLL  (9 IoCs)
  pid    Process                                                                    events
  1596   328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe    3
  908    RyexhoIubem.exe                                                            6
Drops file in System32 directory  (3 IoCs)
  description                     ioc                                       Process
  File opened for modification    C:\Windows\system32\fir\raj\mubik.dat     RyexhoIubem.exe
  File opened for modification    C:\Windows\System32\dnsapi.dll            RyexhoIubem.exe
  File opened for modification    C:\Windows\SysWOW64\dnsapi.dll            RyexhoIubem.exe
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour because ransomware enumerates volumes before encrypting them, but installers, anti-VM checks and inventory code issue the same calls, and no file-encryption or ransom-note activity is recorded in this report. Treat the label as a hypothesis to confirm, not a verdict.
-
Enumerates system info in registry  (2 TTPs, 3 IoCs)
  description          ioc                                                                     Process
  Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      RyexhoIubem.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    RyexhoIubem.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer RyexhoIubem.exe
Suspicious use of AdjustPrivilegeToken  (2 IoCs)
SeTakeOwnershipPrivilege lets a process take ownership of objects its token has no DACL access to, including protected files under System32. It is enabled here by the same process that opens dnsapi.dll in System32 and SysWOW64 for modification, which is the step that would make overwriting those DLLs possible. The report records the privilege being enabled and the files being opened for write; it does not show whether the writes succeeded or what was written.
  description   Token                      pid   Process
  Token:        SeTakeOwnershipPrivilege   908   RyexhoIubem.exe
  Token:        SeTakeOwnershipPrivilege   908   RyexhoIubem.exe
Suspicious use of WriteProcessMemory  (4 IoCs)
  description                       pid    Process                                                                   procid_target
  PID 1596 wrote to memory of 908   1596   328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe   27
  (the same event is recorded four times)
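Taken one at a time the signatures above are weak: BIOS reads are common in legitimate software, and a parent writing into a freshly spawned child is how many packers and installers hand off. What makes this run worth attention is the combination inside one process (PID 908): VM fingerprinting, then SeTakeOwnershipPrivilege, then dnsapi.dll opened for modification in both System32 and SysWOW64. The Python below is an added example, not part of the sandbox report or its tooling, that scores a stream of telemetry events shaped after the IoCs listed above. The events are constructed for the example; the event schema, the benign process 4321 and the scoring weights are assumptions.

```python
import re
from collections import defaultdict

# Images taken from the process tree in this report.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Tempfolder\GekqobBujlub\RyexhoIubem.exe"

# Constructed telemetry modelled on the report's signatures. The event schema and the
# benign process 4321 are assumptions for this example, not sandbox output.
SAMPLE_EVENTS = [
    {"pid": 1596, "image": PARENT, "type": "process_write", "target_pid": 908},
    {"pid": 908, "image": CHILD, "type": "reg_query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 908, "image": CHILD, "type": "reg_query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"},
    {"pid": 908, "image": CHILD, "type": "reg_query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer"},
    {"pid": 908, "image": CHILD, "type": "file_open_write", "path": r"C:\Windows\system32\fir\raj\mubik.dat"},
    {"pid": 908, "image": CHILD, "type": "file_open_write", "path": r"C:\Windows\System32\dnsapi.dll"},
    {"pid": 908, "image": CHILD, "type": "file_open_write", "path": r"C:\Windows\SysWOW64\dnsapi.dll"},
    {"pid": 908, "image": CHILD, "type": "privilege_enable", "privilege": "SeTakeOwnershipPrivilege"},
    # An installer under Program Files reading the same BIOS key: must not fire on its own.
    {"pid": 4321, "image": r"C:\Program Files\Vendor\setup.exe", "type": "reg_query",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

# The registry values this sample queried, and the directories it wrote to.
BIOS_KEYS = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|BIOS\\(SystemProductName|BaseBoardManufacturer))$",
    re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\(.+)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def analyze(events):
    """Return {pid: [(finding, detail), ...]} for events matching the report's IoC patterns."""
    findings = defaultdict(list)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        # Only binaries running out of a user-writable directory count for the registry and file rules;
        # this is what keeps the Program Files installer (pid 4321) out of the results.
        from_user_dir = bool(USER_WRITABLE.match(ev["image"]))
        if kind == "reg_query" and from_user_dir and BIOS_KEYS.search(ev["key"]):
            findings[pid].append(("vm_fingerprint", ev["key"]))
        elif kind == "file_open_write" and from_user_dir:
            m = SYSTEM_DIR.match(ev["path"])
            if m:
                rest = m.group(2)
                # A DLL directly inside System32/SysWOW64 is a system library being replaced or patched;
                # anything else (here mubik.dat in a new subdirectory) is a plain System32 drop.
                if "\\" not in rest and rest.lower().endswith(".dll"):
                    findings[pid].append(("system_dll_tamper", ev["path"]))
                else:
                    findings[pid].append(("system32_write", ev["path"]))
        elif kind == "privilege_enable" and ev["privilege"] == "SeTakeOwnershipPrivilege":
            findings[pid].append(("take_ownership", ev["privilege"]))
        elif kind == "process_write" and ev["target_pid"] != pid:
            findings[pid].append(("remote_write", f"target pid {ev['target_pid']}"))
    return dict(findings)


def score(pid_findings):
    """One point per distinct finding type; take-ownership plus a system DLL write together add 3."""
    kinds = {k for k, _ in pid_findings}
    total = len(kinds)
    if {"take_ownership", "system_dll_tamper"} <= kinds:
        total += 3
    return total


if __name__ == "__main__":
    for pid, items in analyze(SAMPLE_EVENTS).items():
        print(f"pid {pid}: score {score(items)}")
        for kind, detail in items:
            print(f"  {kind:18} {detail}")
```

Run against the constructed events, PID 908 collects four distinct finding types and the ownership-plus-DLL bonus, PID 1596 only the remote write, and the installer produces nothing. On real Sysmon or EDR data the same logic applies to event IDs 13 (registry value set/query, where logged), 11 (file create) and 8/10 (cross-process access), with image-path allow-listing tuned to the estate.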
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\328252b9e55775ba66c44b45974d1e2e4f18540d31ac7d06054e42c0f1c56265.exe"
  PID: 1596
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Local\Tempfolder\GekqobBujlub\RyexhoIubem.exe  (child of PID 1596)
    Command line: "C:\Users\Admin\AppData\Local\Tempfolder\GekqobBujlub\RyexhoIubem.exe" spa="C:\Users\Admin\AppData\Roaming\RewdTup\Jikiilu.exe"
    PID: 908
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 97KB
  MD5: 2db7b52bfb4ff9d0067672f77e3996c3
  SHA1: 83589469e2eaa884c1740916569fabd91f49819e
  SHA256: 430c6b84be972cb04b0e91f739c8e47e7ff2508017de0cebd1fe28b0a05581eb
  SHA512: db04b44f472f74fb98b4dec3b3db79c941f961c1afcea500becfddfae855ba34689cbc878b30e7963c5ff31472309d9d41dab5be0a872808a4bb158693856516
- Filesize: 288KB
  MD5: 74485152d7f2c06fe413f48c7da4ff33
  SHA1: a07c30fedc80e5f4c2cc0be5202d64f51b015b44
  SHA256: 3c019cb209ba4f01015ffbb628d988735d2c5d9805abd7dd4dab441ea82eb688
  SHA512: 43b3b3bd5d5f3afd845cc79d68e942836f95f708eac96cd84d09b774d8f92f772b2353a273185b6be336603b5b283a486756e95ff26bb1ecd4fe84667cbe6f52
- Filesize: 47KB
  MD5: 08bacf2967fd8ea468c69f6e8d31b914
  SHA1: eec97e847be6303013e468979b861ff74d4279ed
  SHA256: 2f143cac2efdc21b98620338c6f0404dfce812ee5741960ff68671ed0b0f3a9a
  SHA512: 2550e9481d2604b9c62b97ede184af4a8b2db1333b6707e01bc67b3699f72b0b764a238c86801d4457007e31977a181007f67c300f7c47899d4a771d05c2e97a
- Filesize: 45KB
  MD5: 56c1c79274ef5728b1f50986a5a8f22e
  SHA1: 32f67170194ce27736e564b5328dbab6c4be33b3
  SHA256: 8720171993fc29c517a8124b8235c2c5d71b0ae4c236685ba202088326d780de
  SHA512: 6198edad58ffbb9109c827de704a6d67be44300e7bf11d5af427e568388a9a746ce58e6c09babd65f6cf7dbec9520be6c9d92c7a4724c0892e044c38a9e2ce3a
- Filesize: 834KB
  MD5: 9721a913f9a997a62c532d72ed3e7b8d
  SHA1: 2e1f33ec48938eab775f6775e4de93150b39b46d
  SHA256: 4515d073983b96bd48d2601fb22646d72aa56aec163cb172e6d06dd55b8a9e80
  SHA512: 7363b2192a3b0b5f946c14983b197315632907790871dd795b2d995d8cf924d9d3ad7af2c3b465b70f5bb110ba8aaef1412d2cc33bedaeca8c64e2a523678ad7
- Filesize: 132KB
  MD5: 08b59a1793e8cd6fb085271650f8b5d0
  SHA1: 3182956535052ab496bc92f59167a7e114752b1e
  SHA256: f0c14914986be4dc13a72fbe509db10a4c24c55e545471d1e4dde2c1d4ca03a1
  SHA512: e2526879a4904f9e96b5f9422a088bfc4811f5ed3567fd0ad4021c10e6b796df10c61734cf59a2b2b36151fb1451660283284f97d7ff95eb3b78d6340f1cd136
- Filesize: 129KB
  MD5: 88f553be556ae62c59b3a3fbea81987e
  SHA1: 166abd59cdf04380b939c3d216b514cbe09735f8
  SHA256: 741bf85f9011be7f57df51a409b9b43b45bed0329d14cedc05d0f84e60c66006
  SHA512: d27e0ea06245782960bcffd41f9afbd9a7fe3bbb43f15eddbfa083568b21cc6dd15c86686fb597a0bf05d2bb4e76332eb7f28aba82e6a3695423f1458fb924c4
- Filesize: 1.2MB
  MD5: 6b2424cc8c5bcbcc43a530731d109898
  SHA1: ff22a1152ae0ab80bf9fb115c1a124529aa2ac4b
  SHA256: c7a43ea8266fee04d0624efa4439d0b0fe2ce9b997951090a4490ec8d37162ae
  SHA512: 4c3300326e7b1954712d83331d110a78de51c2209ee02fda873f01bc57a95b3718363eb29df9baf4d96bb1e04f3840c3c9e1b35683430056fd2dcb91a61483ff
- Filesize: 14KB
  MD5: 21010df9bc37daffcc0b5ae190381d85
  SHA1: a8ba022aafc1233894db29e40e569dfc8b280eb9
  SHA256: 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
  SHA512: 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e
- Filesize: 11KB
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667