Analysis
  Max time kernel:  143s
  Max time network: 37s
  Platform:         windows7_x64
  Resource:         win7v200430
  Submitted:        19-07-2020 19:36
Static task
  static1

Behavioral task
  behavioral1
    Sample:   unnamed 2_3.9.8.53.vir.exe
    Resource: win7v200430 (windows7_x64)
    0 signatures, 0 seconds

Behavioral task
  behavioral2
    Sample:   unnamed 2_3.9.8.53.vir.exe
    Resource: win10 (windows10_x64)
    0 signatures, 0 seconds
General
  Target: unnamed 2_3.9.8.53.vir.exe
  Size:   116KB
  MD5:    7a86f267a4b481b4c8c46536c2e8dfc7
  SHA1:   deb9946fdc2dc1ed2ae48c1492e0b26a0bfdf54c
  SHA256: 7782918de66454c18112d62adba35e71fcfa0fe360676a5bac52453d5e05e17e
  SHA512: ceab1ce6b13b3c779d98e02196039cf25a56824fded70514db34116d8aa40c9c1e34266a7cf0ca67e90f5c7b8a5c796d2eebc775d8177ee6a658c9504ba86244
  Score:  8/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken    4 IoCs
  Processes:
    description                 pid  process
    Token: SeSecurityPrivilege  676  unnamed 2_3.9.8.53.vir.exe   (4 identical entries)

Loads dropped DLL    2 IoCs
  Processes:
    pid  process
    676  unnamed 2_3.9.8.53.vir.exe   (2 identical entries)

Suspicious use of WriteProcessMemory    24 IoCs
  Processes:
    description      pid  process                     target pid  target process
    wrote to memory  676  unnamed 2_3.9.8.53.vir.exe  288         ykok.exe                    (4 entries)
    wrote to memory  288  ykok.exe                    1072        taskhost.exe                (5 entries)
    wrote to memory  288  ykok.exe                    1128        Dwm.exe                     (5 entries)
    wrote to memory  288  ykok.exe                    1184        Explorer.EXE                (5 entries)
    wrote to memory  288  ykok.exe                    676         unnamed 2_3.9.8.53.vir.exe  (5 entries)

Executes dropped EXE    1 IoCs
  Processes:
    pid  process
    288  ykok.exe

Suspicious behavior: EnumeratesProcesses    3 IoCs
  Processes:
    pid  process
    288  ykok.exe
    676  unnamed 2_3.9.8.53.vir.exe
    288  ykok.exe

Modifies Internet Explorer settings    2 IoCs
  Processes:
    Key created
      ioc:     \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy
      process: unnamed 2_3.9.8.53.vir.exe
    Set value (int)
      ioc:     \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"
      process: unnamed 2_3.9.8.53.vir.exe

Reads user/profile data of web browsers    2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application    2 TTPs, 2 IoCs
  Processes:
    Key created
      ioc:     \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run
      process: ykok.exe
    Set value (str)
      ioc:     \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E0FE4BA2-1D79-A9BA-7E07-AB0F4BF2ED78} = "C:\\Users\\Admin\\Anud\\ykok.exe"
      process: ykok.exe
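
The Run value above is the only persistence the report records: a GUID-named value under HKCU\...\CurrentVersion\Run pointing at a dropped copy in the user profile. The following PowerShell check is added here as an example and is not part of the sandbox report. The value name and target path are the report's IoCs (the path is sandbox-specific, so the name is the more portable indicator); the GUID-name/user-profile heuristic, the inclusion of RunOnce, and the hash output are assumptions added for hunting. The report gives no hash for ykok.exe, so the hash is reported for comparison rather than matched.

```powershell
# Added hunting check, not part of the sandbox report.
# Flags the Run value the report observed and, as a generalisation, any Run/RunOnce
# value whose name is a bare GUID and whose target lives under C:\Users.

$ReportRunValueName = '{E0FE4BA2-1D79-A9BA-7E07-AB0F4BF2ED78}'   # from the report
$ReportRunTarget    = 'C:\Users\Admin\Anud\ykok.exe'             # from the report (sandbox-specific path)

function Find-SuspiciousRunEntries {
    param(
        [string[]]$Keys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'   # assumption: also worth checking
        )
    )
    $guidName  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }   # skip provider metadata
            $name   = $prop.Name
            $target = [string]$prop.Value

            # Reduce the command line to its executable: quoted path, or first token.
            $exe = if ($target -match '^"([^"]+)"') { $Matches[1] } else { ($target -split '\s+')[0] }

            $reasons = @()
            if ($name -eq $ReportRunValueName -or $exe -eq $ReportRunTarget) {
                $reasons += 'matches report IoC'
            }
            if ($name -match $guidName -and $exe -like 'C:\Users\*') {
                $reasons += 'GUID-named value pointing into a user profile'
            }
            if ($reasons.Count -eq 0) { continue }

            # Hash is reported for the analyst; the report has no hash for ykok.exe to match against.
            $sha256 = if (Test-Path -LiteralPath $exe) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else {
                '<file not present>'
            }

            [pscustomobject]@{
                Key    = $key
                Name   = $name
                Target = $exe
                SHA256 = $sha256
                Reason = ($reasons -join '; ')
            }
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

The keys are per-user (HKCU), so run this in the context of each profile under investigation, or point `-Keys` at the corresponding `HKU:\<SID>\...` paths after mounting the hives. A GUID-named Run value is not malicious on its own; the heuristic narrows the list for review rather than deciding it.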

Processes
  C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"

  C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"

  C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\unnamed 2_3.9.8.53.vir.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\unnamed 2_3.9.8.53.vir.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Modifies Internet Explorer settings

      C:\Users\Admin\Anud\ykok.exe
        command line: "C:\Users\Admin\Anud\ykok.exe"
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Adds Run key to start application