Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 10:44
Behavioral task: behavioral1
Sample: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Resource: win7-20240903-en
General
Target: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Size: 331KB
MD5: bf8ae2db32725e0025a55c1eddd84c70
SHA1: 1f7fa30f1207dfba715c0c1ddbb5a557e1753087
SHA256: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc
SHA512: 9959eb75a59623d7bd9a9f9aa6b442244c94bd752a28cd6b3fa8dcddf9bbf7a4ff1296550f2e3df1b9d6ad8c2ff63d9b2c437d948b08064e3bc502df7c66393a
SSDEEP: 3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisO:Nd7rpL43btmQ58Z27zw39gY2FeZhmzZ
Malware Config
Extracted
urelas
218.54.31.165
218.54.31.226
Signatures
Processes:
  resource                                    yara_rule
  \Users\Admin\AppData\Local\Temp\qybec.exe   aspack_v212_v242
Deletes itself 1 IoCs
Processes:
  pid   process
  1796  cmd.exe
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  1844  ryhog.exe
  2448  dupuyq.exe
  1400  qybec.exe
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  1992  b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
  1992  b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
  1844  ryhog.exe
  1844  ryhog.exe
  2448  dupuyq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ryhog.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   dupuyq.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   qybec.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
  pid   process
  1400  qybec.exe   (the same entry is listed once for each of the 62 IoCs)
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description                        pid   process                                                                   target process
  PID 1992 wrote to memory of 1844   1992  b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe   ryhog.exe    (4 entries)
  PID 1992 wrote to memory of 1796   1992  b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe   cmd.exe      (4 entries)
  PID 1844 wrote to memory of 2448   1844  ryhog.exe                                                                 dupuyq.exe   (4 entries)
  PID 2448 wrote to memory of 1400   2448  dupuyq.exe                                                                qybec.exe    (4 entries)
  PID 2448 wrote to memory of 1476   2448  dupuyq.exe                                                                cmd.exe      (4 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe  (PID 1992)
    command line: "C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\ryhog.exe  (PID 1844)
        command line: "C:\Users\Admin\AppData\Local\Temp\ryhog.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\dupuyq.exe  (PID 2448)
            command line: "C:\Users\Admin\AppData\Local\Temp\dupuyq.exe" OK
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\qybec.exe  (PID 1400)
                command line: "C:\Users\Admin\AppData\Local\Temp\qybec.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
            [4] C:\Windows\SysWOW64\cmd.exe  (PID 1476)
                command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\cmd.exe  (PID 1796)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - Deletes itself
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 342B
MD5: db530785ddab2262c4b5581640b46cb2
SHA1: 663b49c33e19a146389ca6d2e693c0408d764954
SHA256: dc4caff8b354ad6a56b0a8f9198240022c7113f18187cc4fb502645c920c5827
SHA512: 5eb24c783f8890eba38164aed7c54ac2affc27cd766a016e45baec1e10e5f4f6f5751d430ab1e3b3120d46d2245e53e8ddc951c0d0222624b7f1ef47c0229edd

Filesize: 224B
MD5: 10e5901aceb22831a0d6c0425a463e7f
SHA1: cea80cfe5700f84b0048d077396da7defdd78aee
SHA256: 1d7cf65f75cefb45e35681ec3627234f8fcf60aa6a5d57adde1eb2da9498300b
SHA512: 7a25605fe4b09917e6555eb8250e1a172f129fb2383be04d38b64588c180a9576da113d5c2c7b0f6639ebaf0f9ee478357c5315d93a729f9f0d46c3459b00a0e

Filesize: 512B
MD5: 7ccc8edf53e39b65926c3c6c78b3517a
SHA1: b5803bae8be4a17fd39b666ccd03df0a51b94b0b
SHA256: 7f91aaf26c84c9aa9403911a2771d9397866034736740bd76bca52872d40e852
SHA512: 0778074f5ac2c223d1114c5f83dcb9776194015429ae49ec5e743f461ecb4cbdeeac160cfdfd37290caf61d698a597389850daf87bdda816214122e176c5dc92

Filesize: 136KB
MD5: ec22cb2b2d53b33d73c670c5d6f06ad1
SHA1: e0311a487cf70bedd02fb80ce799024c1a0e0091
SHA256: dc1cdb8fc1d89d2c33cd754c15fe9ca73e007d9e0f6b78dfa1997c0f11c0bd43
SHA512: 98f8c30da1f525af4a3ce94d9d5ae520f5aa6f69d06db1a67f1ca2b58f451d13acc820c98943d843c2a908893206084db2fa3dc39e13682fb06c4f2a64511431

Filesize: 331KB
MD5: 8d776cd3bf879803190dfac6c1257fbb
SHA1: b769f14f60d75fd1551bf4b73d51bd071e44b66d
SHA256: 5d674a4a4fb06080918d8e6c090e3817a140bcf275449cd6bfba3119049db851
SHA512: d72e6dba6f73f8e71b4025b70f22913b796e4274f23f85cecfee8ec3a4b0b5bff2fc81eaa3b5c03f8787ea8e9d23558faef1a5927e85d69e6d9092af40392c4a