4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

General

Target

qYyARs.bin.exe
Size

15KB
MD5

56b2c3810dba2e939a8bb9fa36d3cf96
SHA1

99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256

4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512

27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

Processes:

qYyARs.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM1CBD.tmp\GoogleUpdateSetup.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxAccounts.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	qYyARs.bin.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	qYyARs.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

qYyARs.bin.exe

description	pid	process	target process
PID 3892 wrote to memory of 2420	3892	qYyARs.bin.exe	cmd.exe
PID 3892 wrote to memory of 2420	3892	qYyARs.bin.exe	cmd.exe
PID 3892 wrote to memory of 2420	3892	qYyARs.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\qYyARs.bin.exe
"C:\Users\Admin\AppData\Local\Temp\qYyARs.bin.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2c891b80.bat" "
2⤵
PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c891b80.bat
MD5
d11c771b863668efe544dc7a9896b0ee

SHA1
17ff3c8bd239e804e76033af3ce41c639e555c9c

SHA256
3aea473de2526b09fd9437731daa942b80e96120dd90b938aad42c7482714699

SHA512
ce369e42860b54736fd534787e4d9e34052cf2522da1ec6ff720e115aa8e280497a08cecf36c39c9bf20f93f35e8dff352aed2bde362878e808652a2a922d3d2

Download Submit
memory/2420-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing