Analysis
max time kernel:   119s
max time network:  121s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         14-10-2024 16:19
Static task:       static1
Behavioral task:   behavioral1
Sample:            39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
Resource:          win7-20240903-en
General
Target:  39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
Size:    334KB
MD5:     bb5fc5011c9188671ce2e87259ed4060
SHA1:    5cab1ee050c2ae18e1a0202652ae221a5c0a7865
SHA256:  39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06
SHA512:  f77c4f71916b43a5b6fb38e129cfd8d7873a9dea0bd602dd3e5a3326deb0d0f2910529dca42fbfcee4ed802d738e650ba6eb50b46aba60251bb3428e06de67b1
SSDEEP:  6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY4:vHW138/iXWlK885rKlGSekcj66cip
Malware Config
Extracted: urelas
  218.54.31.226
  218.54.31.165
  218.54.31.166
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe, rykyb.exe
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  rykyb.exe

Executes dropped EXE (2 IoCs)
Processes: rykyb.exe, wyfop.exe
  pid   process
  536   rykyb.exe
  4784  wyfop.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: rykyb.exe, cmd.exe, wyfop.exe, 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rykyb.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wyfop.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: wyfop.exe
  pid   process
  4784  wyfop.exe  (48 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe, rykyb.exe
  description                      pid   process                                                                  target process
  PID 3452 wrote to memory of 536   3452  39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe  rykyb.exe  (3 identical entries)
  PID 3452 wrote to memory of 3184  3452  39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe  cmd.exe    (3 identical entries)
  PID 536 wrote to memory of 4784   536   rykyb.exe                                                                wyfop.exe  (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\39c807b93561ee190aa8e74a62a866f4a7c4a4923278c7babb3620c55b793f06N.exe"
  PID: 3452
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\rykyb.exe  (child of PID 3452)
    command line: "C:\Users\Admin\AppData\Local\Temp\rykyb.exe"
    PID: 536
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\wyfop.exe  (child of PID 536)
      command line: "C:\Users\Admin\AppData\Local\Temp\wyfop.exe"
      PID: 4784
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\cmd.exe  (child of PID 3452)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 3184
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads