Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 10:34
Behavioral task: behavioral1
Sample: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Resource: win7-20240903-en
General
Target: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Size: 331KB
MD5: bf8ae2db32725e0025a55c1eddd84c70
SHA1: 1f7fa30f1207dfba715c0c1ddbb5a557e1753087
SHA256: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc
SHA512: 9959eb75a59623d7bd9a9f9aa6b442244c94bd752a28cd6b3fa8dcddf9bbf7a4ff1296550f2e3df1b9d6ad8c2ff63d9b2c437d948b08064e3bc502df7c66393a
SSDEEP: 3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisO:Nd7rpL43btmQ58Z27zw39gY2FeZhmzZ
Malware Config
Extracted configuration (family: urelas)
218.54.31.165
218.54.31.226
Signatures
YARA rule match
Processes: resource \Users\Admin\AppData\Local\Temp\riynh.exe matched yara_rule aspack_v212_v242
Deletes itself (1 IoC)
Processes: cmd.exe (PID 2308)
Executes dropped EXE (3 IoCs)
Processes: iryhc.exe (PID 1732), cumofu.exe (PID 2824), riynh.exe (PID 2956)
Loads dropped DLL (5 IoCs)
Processes: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe (PID 2072, 2 IoCs), iryhc.exe (PID 1732, 2 IoCs), cumofu.exe (PID 2824, 1 IoC)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (each opened the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
cmd.exe, b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe, iryhc.exe, cmd.exe, cumofu.exe, riynh.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
Processes: riynh.exe (PID 2956), source of all 32 IoCs
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID wrote to memory of target PID; each pair was recorded 4 times):
PID 2072 b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe -> PID 1732 iryhc.exe
PID 2072 b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe -> PID 2308 cmd.exe
PID 1732 iryhc.exe -> PID 2824 cumofu.exe
PID 2824 cumofu.exe -> PID 2956 riynh.exe
PID 2824 cumofu.exe -> PID 2932 cmd.exe
Processes (process tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"
  PID: 2072
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\iryhc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\iryhc.exe"
    PID: 1732
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\cumofu.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\cumofu.exe" OK
      PID: 2824
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\riynh.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\riynh.exe"
        PID: 2956
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2932
        - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2308
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads