b3659905a29e0296b9cdcd40053da2c33c4cd3f8e9520cdc74e898ba2f2ac35d

General

Target

NEAS.d3dd822977238bf22bc4eb54ee251750.exe
Size

410KB
MD5

d3dd822977238bf22bc4eb54ee251750
SHA1

2f327045615db1963eb36651bfbc147be646c6c0
SHA256

b3659905a29e0296b9cdcd40053da2c33c4cd3f8e9520cdc74e898ba2f2ac35d
SHA512

ac140c0d505549f42dfc1d6e42d10edb0b5ff6a8ac17b1161a1e409bbd642a44e09299b7cdd7636ee9ac0bae384829f1a0a6ec402f9674278cd03c3a7e50ece9
SSDEEP

12288:CxIK9V14ImyHYG1YfBAtTpVhynp4r8wri2UHw6i0BiRSn:CJEyYG1YfBATVk4r8wripHw6i0cRSn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	bylxio.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	NEAS.d3dd822977238bf22bc4eb54ee251750.exe
1684	NEAS.d3dd822977238bf22bc4eb54ee251750.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\bylxio.exe"	bylxio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1808	1684	NEAS.d3dd822977238bf22bc4eb54ee251750.exe	28
PID 1684 wrote to memory of 1808	1684	NEAS.d3dd822977238bf22bc4eb54ee251750.exe	28
PID 1684 wrote to memory of 1808	1684	NEAS.d3dd822977238bf22bc4eb54ee251750.exe	28
PID 1684 wrote to memory of 1808	1684	NEAS.d3dd822977238bf22bc4eb54ee251750.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.d3dd822977238bf22bc4eb54ee251750.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d3dd822977238bf22bc4eb54ee251750.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684
- C:\ProgramData\bylxio.exe
  "C:\ProgramData\bylxio.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
410KB

MD5
71ce5b158d7b69d8f4893de9aab2a8d3

SHA1
0e9aa57b9833e924c56f3a28678f6ebeed47dcc9

SHA256
69d209778724c012d8e88d6ff9ee2be0a27dd33ac94b81f30bf7e96884907a9a

SHA512
56ad71c6bdd0b84c9b8b17281f75fe1c569dc4ca23073e8b2cf0a0a8e50d135b349c10c4ca7fd366f32a249574a1b6cbbb504a2b1caaa7d8b978038383961e91

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
150KB

MD5
aef10b9ba25f907727558514f2dfbab0

SHA1
d67383ef1b23d4da72339d66de9541c2e1efaf53

SHA256
f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad

SHA512
5e607a70ca3fa489897f8df0c96570709839364cd8cabd5f76386dfff01ca2986d50c120cf82926dff950c7d7b6ec833ea7558b64ec8f0dfe2e5070abf1da103

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
150KB

MD5
aef10b9ba25f907727558514f2dfbab0

SHA1
d67383ef1b23d4da72339d66de9541c2e1efaf53

SHA256
f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad

SHA512
5e607a70ca3fa489897f8df0c96570709839364cd8cabd5f76386dfff01ca2986d50c120cf82926dff950c7d7b6ec833ea7558b64ec8f0dfe2e5070abf1da103

Download Submit
C:\ProgramData\bylxio.exe

Filesize
259KB

MD5
c5a8699c415dfcaf621b754f04321f39

SHA1
83641657de559a68cb4f8f105574c1cef7346529

SHA256
7baf27c8f2ee69f01a7846b6417c0f04473b72a51bb85a259ae02ad707b05abf

SHA512
de0486459f16ffb8d939a9a4e62322198727b2e73445ea5b4385546e4bf4ccbacd73864c7ff667d559bb881b0c72c2954683ad86cb9e73d1b4eb16a484ee4c13

Download Submit
C:\ProgramData\bylxio.exe

Filesize
259KB

MD5
c5a8699c415dfcaf621b754f04321f39

SHA1
83641657de559a68cb4f8f105574c1cef7346529

SHA256
7baf27c8f2ee69f01a7846b6417c0f04473b72a51bb85a259ae02ad707b05abf

SHA512
de0486459f16ffb8d939a9a4e62322198727b2e73445ea5b4385546e4bf4ccbacd73864c7ff667d559bb881b0c72c2954683ad86cb9e73d1b4eb16a484ee4c13

Download Submit
C:\ProgramData\bylxio.exe

Filesize
259KB

MD5
c5a8699c415dfcaf621b754f04321f39

SHA1
83641657de559a68cb4f8f105574c1cef7346529

SHA256
7baf27c8f2ee69f01a7846b6417c0f04473b72a51bb85a259ae02ad707b05abf

SHA512
de0486459f16ffb8d939a9a4e62322198727b2e73445ea5b4385546e4bf4ccbacd73864c7ff667d559bb881b0c72c2954683ad86cb9e73d1b4eb16a484ee4c13

Download Submit
\ProgramData\bylxio.exe

Filesize
259KB

MD5
c5a8699c415dfcaf621b754f04321f39

SHA1
83641657de559a68cb4f8f105574c1cef7346529

SHA256
7baf27c8f2ee69f01a7846b6417c0f04473b72a51bb85a259ae02ad707b05abf

SHA512
de0486459f16ffb8d939a9a4e62322198727b2e73445ea5b4385546e4bf4ccbacd73864c7ff667d559bb881b0c72c2954683ad86cb9e73d1b4eb16a484ee4c13

Download Submit
\ProgramData\bylxio.exe

Filesize
259KB

MD5
c5a8699c415dfcaf621b754f04321f39

SHA1
83641657de559a68cb4f8f105574c1cef7346529

SHA256
7baf27c8f2ee69f01a7846b6417c0f04473b72a51bb85a259ae02ad707b05abf

SHA512
de0486459f16ffb8d939a9a4e62322198727b2e73445ea5b4385546e4bf4ccbacd73864c7ff667d559bb881b0c72c2954683ad86cb9e73d1b4eb16a484ee4c13

Download Submit
memory/1684-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1684-14-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1684-1-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1808-83-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1808-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads