d3251e8e030bc09c1cbc4ede2a32e7502dbb5779aab30f0719c73f8ba26c06e6

General

Target

YPeBi8FRoTIc8md.exe
Size

729KB
MD5

a3c32145cd008844ed15f214b02e35e4
SHA1

e082d807d559e2440438a533974eb568191001e6
SHA256

604a2f99191e372f62b11a4a1009e8adc41f43a8bbf3f26735549889914f0fc7
SHA512

a094cd2bd1112ba2c858f495c297b03180ce16f7166d264e4793fc52a4786f01f358ed8938c4c0d00b555ebf5527d469e4dd7519db2c42d55096ff7fbefc0c4b

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YPeBi8FRoTIc8md.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	YPeBi8FRoTIc8md.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	YPeBi8FRoTIc8md.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

YPeBi8FRoTIc8md.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	YPeBi8FRoTIc8md.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	YPeBi8FRoTIc8md.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

472 schtasks.exe

pid	process
472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

YPeBi8FRoTIc8md.exe

pid	process
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe
1224	YPeBi8FRoTIc8md.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

YPeBi8FRoTIc8md.exe

description pid process

Token: SeDebugPrivilege 1224 YPeBi8FRoTIc8md.exe

description	pid	process
Token: SeDebugPrivilege	1224	YPeBi8FRoTIc8md.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

YPeBi8FRoTIc8md.exe

description	pid	process	target process
PID 1224 wrote to memory of 472	1224	YPeBi8FRoTIc8md.exe	schtasks.exe
PID 1224 wrote to memory of 472	1224	YPeBi8FRoTIc8md.exe	schtasks.exe
PID 1224 wrote to memory of 472	1224	YPeBi8FRoTIc8md.exe	schtasks.exe
PID 1224 wrote to memory of 472	1224	YPeBi8FRoTIc8md.exe	schtasks.exe
PID 1224 wrote to memory of 1936	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1936	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1936	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1936	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1836	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1836	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1836	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1836	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 608	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 608	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 608	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 608	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1108	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1108	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1108	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 1108	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 984	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 984	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 984	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe
PID 1224 wrote to memory of 984	1224	YPeBi8FRoTIc8md.exe	YPeBi8FRoTIc8md.exe

C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe
"C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KKglLIkyG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp"
2⤵
- Creates scheduled task(s)
PID:472

C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe
"{path}"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe
"{path}"
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe
"{path}"
2⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe
"{path}"
2⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe
"{path}"
2⤵
PID:984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp
Filesize
1KB

MD5
98b916a12f0bc9455fd3bac50486eca5

SHA1
fe1499a800b8cd5e3ead0658973db08aad155531

SHA256
72a40847f335606757e49901fbba851907c45c6865f6a73b121446c2c08f62b0

SHA512
25cfc44b0209b1ad293bd0a5db93c2fd1fdba56ab674242f1845db6d515ff54672772b28f39828d3e0bf5cd882ca6f66431fb0b1a3ced74d2849e633f180f89c

Download Submit
memory/472-59-0x0000000000000000-mapping.dmp

Download
memory/1224-54-0x0000000000160000-0x000000000021C000-memory.dmp

Filesize
752KB

Download
memory/1224-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1224-56-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/1224-57-0x0000000005CE0000-0x0000000005D88000-memory.dmp

Filesize
672KB

Download
memory/1224-58-0x0000000005E80000-0x0000000005F12000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads