f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

[email protected]
Size

396KB
MD5

13f4b868603cf0dd6c32702d1bd858c9
SHA1

a595ab75e134f5616679be5f11deefdfaae1de15
SHA256

cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
SHA512

e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 15 IoCs

pid	Process
3220	Free YouTube Downloader.exe
1620	Box.exe
3608	Box.exe
2280	Box.exe
1764	Box.exe
3196	Box.exe
1484	Box.exe
3984	Box.exe
2128	Box.exe
3860	Box.exe
556	Box.exe
2044	Box.exe
1236	Box.exe
3224	Box.exe
3148	Box.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	[email protected]
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	[email protected]

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3220	Free YouTube Downloader.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3220	Free YouTube Downloader.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3220	2432	[email protected]	74
PID 2432 wrote to memory of 3220	2432	[email protected]	74
PID 3220 wrote to memory of 1620	3220	Free YouTube Downloader.exe	80
PID 3220 wrote to memory of 1620	3220	Free YouTube Downloader.exe	80
PID 3220 wrote to memory of 1620	3220	Free YouTube Downloader.exe	80
PID 3220 wrote to memory of 3608	3220	Free YouTube Downloader.exe	81
PID 3220 wrote to memory of 3608	3220	Free YouTube Downloader.exe	81
PID 3220 wrote to memory of 3608	3220	Free YouTube Downloader.exe	81
PID 3220 wrote to memory of 2280	3220	Free YouTube Downloader.exe	82
PID 3220 wrote to memory of 2280	3220	Free YouTube Downloader.exe	82
PID 3220 wrote to memory of 2280	3220	Free YouTube Downloader.exe	82
PID 3220 wrote to memory of 1764	3220	Free YouTube Downloader.exe	83
PID 3220 wrote to memory of 1764	3220	Free YouTube Downloader.exe	83
PID 3220 wrote to memory of 1764	3220	Free YouTube Downloader.exe	83
PID 3220 wrote to memory of 3196	3220	Free YouTube Downloader.exe	84
PID 3220 wrote to memory of 3196	3220	Free YouTube Downloader.exe	84
PID 3220 wrote to memory of 3196	3220	Free YouTube Downloader.exe	84
PID 3220 wrote to memory of 1484	3220	Free YouTube Downloader.exe	85
PID 3220 wrote to memory of 1484	3220	Free YouTube Downloader.exe	85
PID 3220 wrote to memory of 1484	3220	Free YouTube Downloader.exe	85
PID 3220 wrote to memory of 3984	3220	Free YouTube Downloader.exe	86
PID 3220 wrote to memory of 3984	3220	Free YouTube Downloader.exe	86
PID 3220 wrote to memory of 3984	3220	Free YouTube Downloader.exe	86
PID 3220 wrote to memory of 2128	3220	Free YouTube Downloader.exe	87
PID 3220 wrote to memory of 2128	3220	Free YouTube Downloader.exe	87
PID 3220 wrote to memory of 2128	3220	Free YouTube Downloader.exe	87
PID 3220 wrote to memory of 3860	3220	Free YouTube Downloader.exe	88
PID 3220 wrote to memory of 3860	3220	Free YouTube Downloader.exe	88
PID 3220 wrote to memory of 3860	3220	Free YouTube Downloader.exe	88
PID 3220 wrote to memory of 556	3220	Free YouTube Downloader.exe	89
PID 3220 wrote to memory of 556	3220	Free YouTube Downloader.exe	89
PID 3220 wrote to memory of 556	3220	Free YouTube Downloader.exe	89
PID 3220 wrote to memory of 2044	3220	Free YouTube Downloader.exe	90
PID 3220 wrote to memory of 2044	3220	Free YouTube Downloader.exe	90
PID 3220 wrote to memory of 2044	3220	Free YouTube Downloader.exe	90
PID 3220 wrote to memory of 1236	3220	Free YouTube Downloader.exe	91
PID 3220 wrote to memory of 1236	3220	Free YouTube Downloader.exe	91
PID 3220 wrote to memory of 1236	3220	Free YouTube Downloader.exe	91
PID 3220 wrote to memory of 3224	3220	Free YouTube Downloader.exe	92
PID 3220 wrote to memory of 3224	3220	Free YouTube Downloader.exe	92
PID 3220 wrote to memory of 3224	3220	Free YouTube Downloader.exe	92
PID 3220 wrote to memory of 3148	3220	Free YouTube Downloader.exe	93
PID 3220 wrote to memory of 3148	3220	Free YouTube Downloader.exe	93
PID 3220 wrote to memory of 3148	3220	Free YouTube Downloader.exe	93

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:3196
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:3984
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:3860
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:556
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:1236
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:3224
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    PID:3148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-81-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/1236-97-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/1484-49-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-12-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1620-13-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/1620-14-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1620-9-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/1620-10-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1764-33-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-89-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-65-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-25-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3148-113-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3196-41-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3220-4-0x0000019A32FB0000-0x0000019A32FB1000-memory.dmp

Filesize
4KB

Download
memory/3220-3-0x00007FFD88EE0000-0x00007FFD898CC000-memory.dmp

Filesize
9.9MB

Download
memory/3224-105-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3608-17-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3860-73-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download
memory/3984-57-0x0000000073970000-0x000000007405E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

General