Analysis
max time kernel: 149s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 10:44
Behavioral task: behavioral1
Sample: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Resource: win7-20240903-en
General
Target: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Size: 331KB
MD5: bf8ae2db32725e0025a55c1eddd84c70
SHA1: 1f7fa30f1207dfba715c0c1ddbb5a557e1753087
SHA256: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfc
SHA512: 9959eb75a59623d7bd9a9f9aa6b442244c94bd752a28cd6b3fa8dcddf9bbf7a4ff1296550f2e3df1b9d6ad8c2ff63d9b2c437d948b08064e3bc502df7c66393a
SSDEEP: 3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisO:Nd7rpL43btmQ58Z27zw39gY2FeZhmzZ
Malware Config
Extracted family: urelas
Extracted addresses:
218.54.31.165
218.54.31.226
Signatures
YARA rule match (resource yara_rule):
C:\Users\Admin\AppData\Local\Temp\mymij.exe matched rule aspack_v212_v242
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe, byipt.exe, mefyro.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: byipt.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: mefyro.exe)
Executes dropped EXE (3 IoCs)
Processes: byipt.exe, mefyro.exe, mymij.exe
PID 2944: byipt.exe
PID 2448: mefyro.exe
PID 4236: mymij.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: byipt.exe, cmd.exe, mefyro.exe, mymij.exe, cmd.exe, b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: byipt.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mefyro.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mymij.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: mymij.exe
All 64 IoCs are attributed to the same process: PID 4236, mymij.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe, byipt.exe, mefyro.exe
PID 5032 (b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe) wrote to memory of PID 2944 (byipt.exe), recorded 3 times
PID 5032 (b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe) wrote to memory of PID 1072 (cmd.exe), recorded 3 times
PID 2944 (byipt.exe) wrote to memory of PID 2448 (mefyro.exe), recorded 3 times
PID 2448 (mefyro.exe) wrote to memory of PID 4236 (mymij.exe), recorded 3 times
PID 2448 (mefyro.exe) wrote to memory of PID 3348 (cmd.exe), recorded 3 times
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe (PID 5032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8b08b9cd13255e894306d949b7f2cd6b73d95cbc855901987804b7829e8dcfcN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\byipt.exe (PID 2944)
    Command line: "C:\Users\Admin\AppData\Local\Temp\byipt.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\mefyro.exe (PID 2448)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mefyro.exe" OK
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\mymij.exe (PID 4236)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mymij.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      Level 4: C:\Windows\SysWOW64\cmd.exe (PID 3348)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        - System Location Discovery: System Language Discovery
  Level 2: C:\Windows\SysWOW64\cmd.exe (PID 1072)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 342B
MD5: db530785ddab2262c4b5581640b46cb2
SHA1: 663b49c33e19a146389ca6d2e693c0408d764954
SHA256: dc4caff8b354ad6a56b0a8f9198240022c7113f18187cc4fb502645c920c5827
SHA512: 5eb24c783f8890eba38164aed7c54ac2affc27cd766a016e45baec1e10e5f4f6f5751d430ab1e3b3120d46d2245e53e8ddc951c0d0222624b7f1ef47c0229edd
File 2
Filesize: 224B
MD5: 430011d7369ed65c8fc59216e757c56b
SHA1: b75a4cae517a222b4b849d848c716f9b7a7e1e6e
SHA256: 6ede09b00585a266d82a416ee3592aa9a8dfbc101ca768657cfd3fea574c4901
SHA512: 91c6c99a41833cca170f85fc12e9cdb29630be89e7448ce50f614ae3077015d515e5c3d20623d85d87b41c4fbd3d5a5bea4996756a4c46b9d8aee0fdb5575d4b
File 3
Filesize: 331KB
MD5: 6f732454c643063f9ee619ab0061c01f
SHA1: 2fbaa15064c15cff0e522445bc0822ad2508f5f3
SHA256: cf223a1fb37dcacdec47b2c42cb7bf640d34372cf7fc1262547e84640b35c432
SHA512: 204f2c2f6bbc0bcfd398f5a70f97c69e68f4c591f534c54a0c1420256350d19cd45e1471a6d2dc2c768b139116c31eb934272c67be51442a6614946c12d3f95e
File 4
Filesize: 512B
MD5: eaf71668f015a91f23c2ba9059644553
SHA1: 4fdd7794ae9a58cab82a61543a92bdd722eea385
SHA256: 45e60e9a7f9d29ecae3e0b5b9819e8571e5105ed05aacc6e4091610cf5e4950b
SHA512: 4bc93c0764968a0fcb04b90ac04dc700d4149297f0a39b4d63cecf14525bf1e844adfe724bf2cedf66744ae4785158319fea609b4d3591c726b8946f1eb8555d
File 5
Filesize: 136KB
MD5: 4380b7f758d66ec62cac8792f64293aa
SHA1: 4375170b2c2229b15a61bbe47bc70db8a64ac597
SHA256: ec727787f9e08de4b524b5393c69186988c6791e9a07ce493cdb8cecfdfadd03
SHA512: 39753f609505b5d6e4e6ab535f417c28a90116392cc23a13fc743eaab9d1e03ac65d4f04935a465e00fdb91f67a2982939a9bee6bcaedacc2e28caf21ccd2d44