Resubmissions
  submitted         analysis ID          score
  10-08-2023 17:03  230810-vktf5ahb8w    8
  10-08-2023 16:18  230810-tsd6qseh75    5
  12-10-2021 18:50  211012-xg8gzschfq    10
  12-10-2021 18:01  211012-wl6zaacffq    10
  06-10-2021 20:46  211006-zkl49sbhbq    10
  05-10-2021 18:43  211005-xde19sacb2    10
  04-10-2021 21:53  211004-1rxd9ahae5    1

Analysis
  max time kernel   1789s
  max time network  1799s
  platform          windows10_x64
  resource          win10-en-20210920
  submitted         06-10-2021 20:46
  Static task       static1
General
  Target  ycof.exe.dll
  Size    1.1MB
  MD5     54a3bcca6b1eb92adb299a46df941826
  SHA1    6988e010056d88985b8e8f8de06706327779d3ca
  SHA256  c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d
  SHA512  4e4f10abf8a97f649060cb3eaa125a487141a42b87d2dc1449d87531d927031279bd7b48a3859ffa8f5d4400deea77022ecb00c61de8511756dc9c0d27e3f150
Malware Config

Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process       target process
  PID 2636 set thread context of 3988   2636  rundll32.exe  msiexec.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
  description                         pid   process
  Token: SeShutdownPrivilege          2636  rundll32.exe
  Token: SeCreatePagefilePrivilege    2636  rundll32.exe
  Token: SeShutdownPrivilege          2636  rundll32.exe
  Token: SeCreatePagefilePrivilege    2636  rundll32.exe
  Token: SeShutdownPrivilege          2636  rundll32.exe
  Token: SeCreatePagefilePrivilege    2636  rundll32.exe
  Token: SeShutdownPrivilege          2636  rundll32.exe
  Token: SeCreatePagefilePrivilege    2636  rundll32.exe
  Token: SeShutdownPrivilege          2636  rundll32.exe
  Token: SeCreatePagefilePrivilege    2636  rundll32.exe
  Token: SeShutdownPrivilege          2636  rundll32.exe
  Token: SeCreatePagefilePrivilege    2636  rundll32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                          pid   process       target process
  PID 2484 wrote to memory of 2636     2484  rundll32.exe  rundll32.exe
  PID 2484 wrote to memory of 2636     2484  rundll32.exe  rundll32.exe
  PID 2484 wrote to memory of 2636     2484  rundll32.exe  rundll32.exe
  PID 2636 wrote to memory of 3988     2636  rundll32.exe  msiexec.exe
  PID 2636 wrote to memory of 3988     2636  rundll32.exe  msiexec.exe
  PID 2636 wrote to memory of 3988     2636  rundll32.exe  msiexec.exe
  PID 2636 wrote to memory of 3988     2636  rundll32.exe  msiexec.exe
  PID 2636 wrote to memory of 3988     2636  rundll32.exe  msiexec.exe
Processes
  1. C:\Windows\system32\rundll32.exe
     command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ycof.exe.dll,#1
       - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ycof.exe.dll,#1
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\msiexec.exe
           command line: msiexec.exe
Network
MITRE ATT&CK Matrix
Downloads
  file                                                          filesize
  memory/2636-115-0x0000000000000000-mapping.dmp
  memory/2636-116-0x0000000072E70000-0x0000000072E9A000-memory.dmp  168KB
  memory/2636-117-0x0000000072E70000-0x00000000738A6000-memory.dmp  10.2MB
  memory/2636-118-0x00000000033E0000-0x00000000033E1000-memory.dmp  4KB
  memory/3988-119-0x0000000000000000-mapping.dmp
  memory/3988-122-0x0000000000740000-0x000000000076A000-memory.dmp  168KB