Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10_x64
- resource: win10
- submitted: 24-06-2020 14:56
Static task: static1
Behavioral task: behavioral1
  Sample: 2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
  Resource: win10
General
- Target: 2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
- Size: 453KB
- MD5: 59f1f5348151b176018bd54b53798ab1
- SHA1: 91d59f9c6cc1d757b58af475f4d51386eff1177d
- SHA256: 2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d
- SHA512: 8afbbedc1be5839cc044009eef51d7161d7dc207f9755ae04d83c54b30c14bef810ee002450475dd47bb193772fe4afa61d25cad831ed713e374a624243a1acc
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  Processes (pid, process, events as listed):
    4004  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe  2
    3760  ytubidabbel.exe  2
- Suspicious use of AdjustPrivilegeToken (462 IoCs)
  Processes (description, pid, process; the page shows only a truncated excerpt of the 462 events, so repeated rows are collapsed here):
    Token: SeSecurityPrivilege  4004  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
    Token: SeSecurityPrivilege  3760  ytubidabbel.exe
    Token: SeSecurityPrivilege  1580  cmd.exe
- Suspicious use of WriteProcessMemory (61 IoCs)
  Processes (description, pid, process, target process, events as listed):
    PID 4004 wrote to memory of 3760  4004  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe  ytubidabbel.exe  3
    PID 3760 wrote to memory of 2700  3760  ytubidabbel.exe  sihost.exe  5
    PID 3760 wrote to memory of 2716  3760  ytubidabbel.exe  svchost.exe  5
    PID 3760 wrote to memory of 2816  3760  ytubidabbel.exe  taskhostw.exe  5
    PID 3760 wrote to memory of 2940  3760  ytubidabbel.exe  Explorer.EXE  5
    PID 3760 wrote to memory of 3104  3760  ytubidabbel.exe  ShellExperienceHost.exe  5
    PID 3760 wrote to memory of 3124  3760  ytubidabbel.exe  SearchUI.exe  5
    PID 3760 wrote to memory of 3356  3760  ytubidabbel.exe  RuntimeBroker.exe  5
    PID 3760 wrote to memory of 3640  3760  ytubidabbel.exe  DllHost.exe  5
    PID 3760 wrote to memory of 4004  3760  ytubidabbel.exe  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe  5
    PID 4004 wrote to memory of 1580  4004  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe  cmd.exe  8
    PID 3760 wrote to memory of 1756  3760  ytubidabbel.exe  Conhost.exe  5
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 4004 set thread context of 1580  4004  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe  cmd.exe
- Adds Run entry to start application (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\Currentversion\Run  ytubidabbel.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Currentversion\Run  ytubidabbel.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Itixhahe = "C:\\Users\\Admin\\AppData\\Roaming\\Qurouwcym\\ytubidabbel.exe"  ytubidabbel.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid, process, events as listed):
    4004  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe  2
    3760  ytubidabbel.exe  24
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3760  ytubidabbel.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
    Key created  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Privacy  2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes (tree; indentation shows parent/child nesting, each entry lists path and command line)
- sihost.exe
    path: c:\windows\system32\sihost.exe
    command line: sihost.exe
- svchost.exe
    path: c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- taskhostw.exe
    path: c:\windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- Explorer.EXE
    path: C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
  - 2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
      path: C:\Users\Admin\AppData\Local\Temp\2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Modifies Internet Explorer settings
    - ytubidabbel.exe
        path: C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe
        command line: "C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe"
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - Adds Run entry to start application
        - Suspicious behavior: EnumeratesProcesses
        - Executes dropped EXE
    - cmd.exe
        path: C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp392caeb3.bat"
        - Suspicious use of AdjustPrivilegeToken
      - Conhost.exe
          path: C:\Windows\System32\Conhost.exe
          command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- ShellExperienceHost.exe
    path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- SearchUI.exe
    path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- RuntimeBroker.exe
    path: C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- DllHost.exe
    path: C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- WinMail.exe
    path: C:\Program Files\Windows Mail\WinMail.exe
    command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
- WinMail.exe
    path: C:\Program Files\Windows Mail\WinMail.exe
    command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Icwyafbiuslu\ypnumema.exa
- C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe
- C:\Users\Admin\AppData\Roaming\Qurouwcym\ytubidabbel.exe
- \Users\Admin\AppData\Local\Temp\tmp7044.tmp
- \Users\Admin\AppData\Local\Temp\tmp7064.tmp
- \Users\Admin\AppData\Local\Temp\tmpB198.tmp
- \Users\Admin\AppData\Local\Temp\tmpB235.tmp
- memory/1580-8-0x0000000000720000-0x0000000000767000-memory.dmp (filesize: 284KB)
- memory/1580-9-0x000000000074025A-mapping.dmp
- memory/3760-2-0x0000000000000000-mapping.dmp