7782918de66454c18112d62adba35e71fcfa0fe360676a5bac52453d5e05e17e

General

Target

unnamed 2_3.9.8.53.vir.exe
Size

116KB
MD5

7a86f267a4b481b4c8c46536c2e8dfc7
SHA1

deb9946fdc2dc1ed2ae48c1492e0b26a0bfdf54c
SHA256

7782918de66454c18112d62adba35e71fcfa0fe360676a5bac52453d5e05e17e
SHA512

ceab1ce6b13b3c779d98e02196039cf25a56824fded70514db34116d8aa40c9c1e34266a7cf0ca67e90f5c7b8a5c796d2eebc775d8177ee6a658c9504ba86244

Score

8^/10

spyware persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

unnamed 2_3.9.8.53.vir.exe

description	pid	process
Token: SeSecurityPrivilege	676	unnamed 2_3.9.8.53.vir.exe
Token: SeSecurityPrivilege	676	unnamed 2_3.9.8.53.vir.exe
Token: SeSecurityPrivilege	676	unnamed 2_3.9.8.53.vir.exe
Token: SeSecurityPrivilege	676	unnamed 2_3.9.8.53.vir.exe

Loads dropped DLL 2 IoCs

Processes:

unnamed 2_3.9.8.53.vir.exe

pid process

676 unnamed 2_3.9.8.53.vir.exe
676 unnamed 2_3.9.8.53.vir.exe

pid	process
676	unnamed 2_3.9.8.53.vir.exe
676	unnamed 2_3.9.8.53.vir.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

unnamed 2_3.9.8.53.vir.exeykok.exe

description	pid	process	target process
PID 676 wrote to memory of 288	676	unnamed 2_3.9.8.53.vir.exe	ykok.exe
PID 676 wrote to memory of 288	676	unnamed 2_3.9.8.53.vir.exe	ykok.exe
PID 676 wrote to memory of 288	676	unnamed 2_3.9.8.53.vir.exe	ykok.exe
PID 676 wrote to memory of 288	676	unnamed 2_3.9.8.53.vir.exe	ykok.exe
PID 288 wrote to memory of 1072	288	ykok.exe	taskhost.exe
PID 288 wrote to memory of 1072	288	ykok.exe	taskhost.exe
PID 288 wrote to memory of 1072	288	ykok.exe	taskhost.exe
PID 288 wrote to memory of 1072	288	ykok.exe	taskhost.exe
PID 288 wrote to memory of 1072	288	ykok.exe	taskhost.exe
PID 288 wrote to memory of 1128	288	ykok.exe	Dwm.exe
PID 288 wrote to memory of 1128	288	ykok.exe	Dwm.exe
PID 288 wrote to memory of 1128	288	ykok.exe	Dwm.exe
PID 288 wrote to memory of 1128	288	ykok.exe	Dwm.exe
PID 288 wrote to memory of 1128	288	ykok.exe	Dwm.exe
PID 288 wrote to memory of 1184	288	ykok.exe	Explorer.EXE
PID 288 wrote to memory of 1184	288	ykok.exe	Explorer.EXE
PID 288 wrote to memory of 1184	288	ykok.exe	Explorer.EXE
PID 288 wrote to memory of 1184	288	ykok.exe	Explorer.EXE
PID 288 wrote to memory of 1184	288	ykok.exe	Explorer.EXE
PID 288 wrote to memory of 676	288	ykok.exe	unnamed 2_3.9.8.53.vir.exe
PID 288 wrote to memory of 676	288	ykok.exe	unnamed 2_3.9.8.53.vir.exe
PID 288 wrote to memory of 676	288	ykok.exe	unnamed 2_3.9.8.53.vir.exe
PID 288 wrote to memory of 676	288	ykok.exe	unnamed 2_3.9.8.53.vir.exe
PID 288 wrote to memory of 676	288	ykok.exe	unnamed 2_3.9.8.53.vir.exe

Executes dropped EXE 1 IoCs

Processes:

ykok.exe

pid process

288 ykok.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ykok.exeunnamed 2_3.9.8.53.vir.exe

pid process

288 ykok.exe
676 unnamed 2_3.9.8.53.vir.exe
288 ykok.exe

pid	process
288	ykok.exe

pid	process
288	ykok.exe
676	unnamed 2_3.9.8.53.vir.exe
288	ykok.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

unnamed 2_3.9.8.53.vir.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy	unnamed 2_3.9.8.53.vir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	unnamed 2_3.9.8.53.vir.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ykok.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\Currentversion\Run	ykok.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E0FE4BA2-1D79-A9BA-7E07-AB0F4BF2ED78} = "C:\\Users\\Admin\\Anud\\ykok.exe"	ykok.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\unnamed 2_3.9.8.53.vir.exe
"C:\Users\Admin\AppData\Local\Temp\unnamed 2_3.9.8.53.vir.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Modifies Internet Explorer settings
PID:676

C:\Users\Admin\Anud\ykok.exe
"C:\Users\Admin\Anud\ykok.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Anud\ykok.exe

Download Submit
C:\Users\Admin\Anud\ykok.exe

Download Submit
C:\Users\Admin\Begi\ehlii.qea

Download Submit
\Users\Admin\Anud\ykok.exe

Download Submit
\Users\Admin\Anud\ykok.exe

Download Submit
memory/288-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads