Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-xekm5swfmj
Target 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N
SHA256 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823
Tags urelas aspackv2 discovery trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823

Threat Level: Known bad

The file 4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas family

Urelas

ASPack v2.12-2.42

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 18:46

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 18:45

Reported

2024-10-10 18:48

Platform

win7-20240729-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qoams.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qubyfi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\liduz.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qoams.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qubyfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\liduz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\liduz.exe N/A (identical entry reported 33 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Users\Admin\AppData\Local\Temp\qoams.exe (reported 4 times)
PID 2084 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Windows\SysWOW64\cmd.exe (reported 4 times)
PID 3008 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\qoams.exe C:\Users\Admin\AppData\Local\Temp\qubyfi.exe (reported 4 times)
PID 2748 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\qubyfi.exe C:\Users\Admin\AppData\Local\Temp\liduz.exe (reported 4 times)
PID 2748 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\qubyfi.exe C:\Windows\SysWOW64\cmd.exe (reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

C:\Users\Admin\AppData\Local\Temp\qoams.exe

"C:\Users\Admin\AppData\Local\Temp\qoams.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qubyfi.exe

"C:\Users\Admin\AppData\Local\Temp\qubyfi.exe" OK

C:\Users\Admin\AppData\Local\Temp\liduz.exe

"C:\Users\Admin\AppData\Local\Temp\liduz.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.165:11110 N/A tcp
JP 133.242.129.155:11110 N/A tcp

Files

memory/2084-2-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2084-20-0x0000000002000000-0x0000000002058000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qoams.exe

MD5 90e4f0c502a221db1abf0af111e4e719
SHA1 faea87547f69b561166be6a2adca54ec9536527d
SHA256 25489d2ae0ee0e44a277ca0282491bd4b335035b2fd87a04092429870c622aed
SHA512 b5da0e0dddf41a2958754f25f3468b1b1dda2905cecca76d54176929bb0bb6c43d7f17fcabb58f72b8e949889401eb1207ba1d03a3e1601e2715a7f2d3030d45

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 d8e884b19c8ed65aeb197039dcd9a63b
SHA1 9096b9945a928465297476cfb1f039c35669fba4
SHA256 c80a28f37f0226a4b392d2892b3e2c806dda1632d31fcda5593dfdacf50aed5f
SHA512 c11c9197abd7103c2b5226a5a8e11d261b9e0ee981006b60b209ffa31e70510801eff4b84e75de638213c3434fbec4f2515f1a560c36c34ec086936983547d46

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 2c36b8dd09dd33992afa62987f881dd2
SHA1 0866e4ce15c59fca4f96bd660252bfe16449a9f5
SHA256 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7
SHA512 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8

memory/3008-22-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2084-21-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3008-34-0x0000000002050000-0x00000000020A8000-memory.dmp

memory/2748-36-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3008-33-0x0000000002050000-0x00000000020A8000-memory.dmp

memory/3008-37-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2748-38-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 4067390887e4aac050e29c1b00c43fd3
SHA1 6e8aa090b163d5e1e0c5c66116c8fcf08a15209e
SHA256 d00291b90b1f8fdbb3b7874159cd4c3437710b516d230d71e3f88b4eafca582f
SHA512 c83ff63c90c3a28de15bc80f1e45f28970c9d0711666bc281d1a8d86cfecf0ec05806616a351623cadb007725e6001569b959106812f2dae2e42178f570e492a

\Users\Admin\AppData\Local\Temp\liduz.exe

MD5 00ccd912b65548fcb962b984f98bd71f
SHA1 952e090e05a9ed502e4c5b17e428f821f1dee663
SHA256 8eedb82eebb6ab5097e1e99a41b48809a537f7b6a08711a45643e563c3bb1659
SHA512 79354fffd4fbfad85105fabb714d3cff53107f1cc590cc0a6c43546008606e07db097ce1c9b594e4cdd59ad740966af76e24125076e38ad51105d4728a6e867d

memory/2820-57-0x00000000009F0000-0x0000000000A7C000-memory.dmp

memory/2820-58-0x00000000009F0000-0x0000000000A7C000-memory.dmp

memory/2820-56-0x00000000009F0000-0x0000000000A7C000-memory.dmp

memory/2820-55-0x00000000009F0000-0x0000000000A7C000-memory.dmp

memory/2748-53-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2820-61-0x00000000009F0000-0x0000000000A7C000-memory.dmp

memory/2820-62-0x00000000009F0000-0x0000000000A7C000-memory.dmp

memory/2820-63-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 18:45

Reported

2024-10-10 18:48

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nyxok.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\irmeko.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nyxok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\irmeko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fajyt.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nyxok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\irmeko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fajyt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fajyt.exe N/A (identical entry reported 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Users\Admin\AppData\Local\Temp\nyxok.exe (reported 3 times)
PID 1052 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe C:\Windows\SysWOW64\cmd.exe (reported 3 times)
PID 5056 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\nyxok.exe C:\Users\Admin\AppData\Local\Temp\irmeko.exe (reported 3 times)
PID 4128 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\irmeko.exe C:\Users\Admin\AppData\Local\Temp\fajyt.exe (reported 3 times)
PID 4128 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\irmeko.exe C:\Windows\SysWOW64\cmd.exe (reported 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe

"C:\Users\Admin\AppData\Local\Temp\4896ff82cf1f05088078b47ed0ac7a77373017a5fe69eb34857592fc5c255823N.exe"

C:\Users\Admin\AppData\Local\Temp\nyxok.exe

"C:\Users\Admin\AppData\Local\Temp\nyxok.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\irmeko.exe

"C:\Users\Admin\AppData\Local\Temp\irmeko.exe" OK

C:\Users\Admin\AppData\Local\Temp\fajyt.exe

"C:\Users\Admin\AppData\Local\Temp\fajyt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
KR 218.54.31.226:11110 N/A tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
KR 218.54.31.165:11110 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11110 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1052-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nyxok.exe

MD5 5dd1ff6353c672a90dff8f8801324880
SHA1 07487cc2bd6516dd61c840eeceee1e869a21e8c9
SHA256 a607d1cd4794bf14c9e74ef6c103153e5e604442487850024af6accdd4c8b7b5
SHA512 df3a8922c284e0c9d53f1049d65b1b67a22ccd41751fa9a5ab6bdc5bb73cca69f8d4d51fcb66d08673012781b863b1532bca997cc40c7c1d3688659cfa2dee6d

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 823e4a32a26083d604be0ed2c2377c70
SHA1 eb54186ce9a05d3ab99e5b5468c5e7b9ac81fe8f
SHA256 6c43f52fae48d7c843fa51397c3cadbd42f4c10d3cb0ae1ff5acd0e060e9ae59
SHA512 7c176b0e31ae1f36706986d9df1235e65036890995f0b4cece93007ed1c5fe759618b439c2df963466760bbde766fbd9709067cd856a861f463c3527b2757f36

memory/1052-15-0x0000000000400000-0x0000000000458000-memory.dmp

memory/5056-24-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 2c36b8dd09dd33992afa62987f881dd2
SHA1 0866e4ce15c59fca4f96bd660252bfe16449a9f5
SHA256 426c3eb9220b8a4e0d42094e935b64af0ddc4d6f787c8b78ecf610a850fcfad7
SHA512 934d3e9f679b04bf243a02761d4840a60c60e4845cdaca4a3f838ab5fbf7585519dd101ea41cc2c6331a1790615601cdc44f68b851ea5c89279631419c49cef8

memory/4128-25-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fajyt.exe

MD5 6f6121fee43f19e0e5606374f12ed6f8
SHA1 b144c06367345a2787bfb9b0d4a256ab94a79096
SHA256 0d2de68578edc0b6c3e28001bd621547eb35821d0bc5a572a14aff9891bd7328
SHA512 90d53c7d1fd074aed742ce03a85d5aa48eb2eb3caaad427403b64a936790e8f6fa638ae7061555cf73a502541437adaa9df259353d03d559a2470c41c49d0101

memory/4448-39-0x0000000000520000-0x00000000005AC000-memory.dmp

memory/4448-38-0x0000000000520000-0x00000000005AC000-memory.dmp

memory/4448-40-0x0000000000520000-0x00000000005AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c8d29bbf6b0adb85e0e239a70013771b
SHA1 ce7329280b9f5cf21d98bd096084e2f41b31e4d5
SHA256 4698c29b5de46e168a2e674b683907bed693949539786bf70c9e816c75d089d3
SHA512 bf22810caaa4aeb61a89146ac8f3b7af9c3112dc49ec02f590c9db6cb32dff971706cdcb007ce0a10e8801106a5d8039fdaa03f6c3b2cc2f57d85c57266349d9

memory/4448-37-0x0000000000520000-0x00000000005AC000-memory.dmp

memory/4128-43-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4448-44-0x0000000000520000-0x00000000005AC000-memory.dmp

memory/4448-45-0x0000000000520000-0x00000000005AC000-memory.dmp

memory/4448-46-0x0000000000520000-0x00000000005AC000-memory.dmp