Analysis
-
max time kernel
149s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
01-09-2024 23:52
General
-
Target
nex.exe
-
Size
367KB
-
MD5
5111c960148d9847a4b4fb25f0b6f1e6
-
SHA1
21c954d9ec208c169630983970f6a59cbe25ab2e
-
SHA256
598857ebe87e67db25ccf5a543cd553b77fe4be93e9808e236f90068432788a8
-
SHA512
e86cd82864f2daa6dbbed8d13f9cbe4c27dacfcd74fcaea43bd1e0c6dc2aaacfe96c1659513b9f4cfd5f7a7b6cf380db7441f5f491b3ef5d17e32e0aa38afab5
-
SSDEEP
6144:kfeWTE1rkt826L4xd1EiftWt6empEVZlVISrt5AuK+Fwk4/lqIN9P8GzgUy:kfbTE1rkt826L4xd1EiEt6empQ+uK+a4
Malware Config
Extracted
mylobot
onthestage.ru:6521
krebson.ru:4685
stanislasarnoud.ru:5739
Signatures
-
Mylobot
Botnet which first appeared in 2017 written in C++.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\nex.exe"C:\Users\Admin\AppData\Local\Temp\nex.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nex.exe"C:\Users\Admin\AppData\Local\Temp\nex.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\reuydubf\utrugquc.exe"C:\Users\Admin\AppData\Roaming\reuydubf\utrugquc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\reuydubf\utrugquc.exe"C:\Users\Admin\AppData\Roaming\reuydubf\utrugquc.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
367KB
MD55111c960148d9847a4b4fb25f0b6f1e6
SHA121c954d9ec208c169630983970f6a59cbe25ab2e
SHA256598857ebe87e67db25ccf5a543cd553b77fe4be93e9808e236f90068432788a8
SHA512e86cd82864f2daa6dbbed8d13f9cbe4c27dacfcd74fcaea43bd1e0c6dc2aaacfe96c1659513b9f4cfd5f7a7b6cf380db7441f5f491b3ef5d17e32e0aa38afab5
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB