2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d

General

Target

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Size

453KB
MD5

59f1f5348151b176018bd54b53798ab1
SHA1

91d59f9c6cc1d757b58af475f4d51386eff1177d
SHA256

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d
SHA512

8afbbedc1be5839cc044009eef51d7161d7dc207f9755ae04d83c54b30c14bef810ee002450475dd47bb193772fe4afa61d25cad831ed713e374a624243a1acc

Score

8^/10

spyware persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exeytubidabbel.exe

pid	process
4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe

Suspicious use of AdjustPrivilegeToken 462 IoCs

Processes:

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exeytubidabbel.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	1580	cmd.exe
Token: SeSecurityPrivilege	1580	cmd.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe
Token: SeSecurityPrivilege	3760	ytubidabbel.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exeytubidabbel.exe

description	pid	process	target process
PID 4004 wrote to memory of 3760	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	ytubidabbel.exe
PID 4004 wrote to memory of 3760	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	ytubidabbel.exe
PID 4004 wrote to memory of 3760	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	ytubidabbel.exe
PID 3760 wrote to memory of 2700	3760	ytubidabbel.exe	sihost.exe
PID 3760 wrote to memory of 2700	3760	ytubidabbel.exe	sihost.exe
PID 3760 wrote to memory of 2700	3760	ytubidabbel.exe	sihost.exe
PID 3760 wrote to memory of 2700	3760	ytubidabbel.exe	sihost.exe
PID 3760 wrote to memory of 2700	3760	ytubidabbel.exe	sihost.exe
PID 3760 wrote to memory of 2716	3760	ytubidabbel.exe	svchost.exe
PID 3760 wrote to memory of 2716	3760	ytubidabbel.exe	svchost.exe
PID 3760 wrote to memory of 2716	3760	ytubidabbel.exe	svchost.exe
PID 3760 wrote to memory of 2716	3760	ytubidabbel.exe	svchost.exe
PID 3760 wrote to memory of 2716	3760	ytubidabbel.exe	svchost.exe
PID 3760 wrote to memory of 2816	3760	ytubidabbel.exe	taskhostw.exe
PID 3760 wrote to memory of 2816	3760	ytubidabbel.exe	taskhostw.exe
PID 3760 wrote to memory of 2816	3760	ytubidabbel.exe	taskhostw.exe
PID 3760 wrote to memory of 2816	3760	ytubidabbel.exe	taskhostw.exe
PID 3760 wrote to memory of 2816	3760	ytubidabbel.exe	taskhostw.exe
PID 3760 wrote to memory of 2940	3760	ytubidabbel.exe	Explorer.EXE
PID 3760 wrote to memory of 2940	3760	ytubidabbel.exe	Explorer.EXE
PID 3760 wrote to memory of 2940	3760	ytubidabbel.exe	Explorer.EXE
PID 3760 wrote to memory of 2940	3760	ytubidabbel.exe	Explorer.EXE
PID 3760 wrote to memory of 2940	3760	ytubidabbel.exe	Explorer.EXE
PID 3760 wrote to memory of 3104	3760	ytubidabbel.exe	ShellExperienceHost.exe
PID 3760 wrote to memory of 3104	3760	ytubidabbel.exe	ShellExperienceHost.exe
PID 3760 wrote to memory of 3104	3760	ytubidabbel.exe	ShellExperienceHost.exe
PID 3760 wrote to memory of 3104	3760	ytubidabbel.exe	ShellExperienceHost.exe
PID 3760 wrote to memory of 3104	3760	ytubidabbel.exe	ShellExperienceHost.exe
PID 3760 wrote to memory of 3124	3760	ytubidabbel.exe	SearchUI.exe
PID 3760 wrote to memory of 3124	3760	ytubidabbel.exe	SearchUI.exe
PID 3760 wrote to memory of 3124	3760	ytubidabbel.exe	SearchUI.exe
PID 3760 wrote to memory of 3124	3760	ytubidabbel.exe	SearchUI.exe
PID 3760 wrote to memory of 3124	3760	ytubidabbel.exe	SearchUI.exe
PID 3760 wrote to memory of 3356	3760	ytubidabbel.exe	RuntimeBroker.exe
PID 3760 wrote to memory of 3356	3760	ytubidabbel.exe	RuntimeBroker.exe
PID 3760 wrote to memory of 3356	3760	ytubidabbel.exe	RuntimeBroker.exe
PID 3760 wrote to memory of 3356	3760	ytubidabbel.exe	RuntimeBroker.exe
PID 3760 wrote to memory of 3356	3760	ytubidabbel.exe	RuntimeBroker.exe
PID 3760 wrote to memory of 3640	3760	ytubidabbel.exe	DllHost.exe
PID 3760 wrote to memory of 3640	3760	ytubidabbel.exe	DllHost.exe
PID 3760 wrote to memory of 3640	3760	ytubidabbel.exe	DllHost.exe
PID 3760 wrote to memory of 3640	3760	ytubidabbel.exe	DllHost.exe
PID 3760 wrote to memory of 3640	3760	ytubidabbel.exe	DllHost.exe
PID 3760 wrote to memory of 4004	3760	ytubidabbel.exe	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
PID 3760 wrote to memory of 4004	3760	ytubidabbel.exe	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
PID 3760 wrote to memory of 4004	3760	ytubidabbel.exe	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
PID 3760 wrote to memory of 4004	3760	ytubidabbel.exe	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
PID 3760 wrote to memory of 4004	3760	ytubidabbel.exe	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 4004 wrote to memory of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe
PID 3760 wrote to memory of 1756	3760	ytubidabbel.exe	Conhost.exe
PID 3760 wrote to memory of 1756	3760	ytubidabbel.exe	Conhost.exe
PID 3760 wrote to memory of 1756	3760	ytubidabbel.exe	Conhost.exe
PID 3760 wrote to memory of 1756	3760	ytubidabbel.exe	Conhost.exe
PID 3760 wrote to memory of 1756	3760	ytubidabbel.exe	Conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe

description	pid	process	target process
PID 4004 set thread context of 1580	4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe	cmd.exe

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ytubidabbel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run	ytubidabbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run	ytubidabbel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Itixhahe = "C:\\Users\\Admin\\AppData\\Roaming\\Qurouwcym\\ytubidabbel.exe"	ytubidabbel.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exeytubidabbel.exe

pid	process
4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
4004	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe
3760	ytubidabbel.exe

Executes dropped EXE 1 IoCs

Processes:

ytubidabbel.exe

pid process

3760 ytubidabbel.exe

pid	process
3760	ytubidabbel.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy	2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2716

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2816

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
"C:\Users\Admin\AppData\Local\Temp\2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
PID:4004

C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe
"C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp392caeb3.bat"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1756

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3104

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3640

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:1220

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Icwyafbiuslu\ypnumema.exa

Download Submit
C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7044.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7064.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB198.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB235.tmp

Download Submit
memory/1580-8-0x0000000000720000-0x0000000000767000-memory.dmp

Filesize
284KB

Download
memory/1580-9-0x000000000074025A-mapping.dmp

Download
memory/3760-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads