Analysis
- max time kernel: 67s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:19
Static task: static1
Behavioral task: behavioral1
  Sample: YPeBi8FRoTIc8md.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: YPeBi8FRoTIc8md.exe
  Resource: win10v2004-20220414-en
General
- Target: YPeBi8FRoTIc8md.exe
- Size: 729KB
- MD5: a3c32145cd008844ed15f214b02e35e4
- SHA1: e082d807d559e2440438a533974eb568191001e6
- SHA256: 604a2f99191e372f62b11a4a1009e8adc41f43a8bbf3f26735549889914f0fc7
- SHA512: a094cd2bd1112ba2c858f495c297b03180ce16f7166d264e4793fc52a4786f01f358ed8938c4c0d00b555ebf5527d469e4dd7519db2c42d55096ff7fbefc0c4b
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  YPeBi8FRoTIc8md.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   YPeBi8FRoTIc8md.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                          process
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    YPeBi8FRoTIc8md.exe
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  YPeBi8FRoTIc8md.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid   process
    1224  YPeBi8FRoTIc8md.exe   (the same entry is recorded 12 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1224  YPeBi8FRoTIc8md.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (each row is recorded 4 times, 24 entries in total):
    description                        pid   process              target process
    PID 1224 wrote to memory of 472    1224  YPeBi8FRoTIc8md.exe  schtasks.exe
    PID 1224 wrote to memory of 1936   1224  YPeBi8FRoTIc8md.exe  YPeBi8FRoTIc8md.exe
    PID 1224 wrote to memory of 1836   1224  YPeBi8FRoTIc8md.exe  YPeBi8FRoTIc8md.exe
    PID 1224 wrote to memory of 608    1224  YPeBi8FRoTIc8md.exe  YPeBi8FRoTIc8md.exe
    PID 1224 wrote to memory of 1108   1224  YPeBi8FRoTIc8md.exe  YPeBi8FRoTIc8md.exe
    PID 1224 wrote to memory of 984    1224  YPeBi8FRoTIc8md.exe  YPeBi8FRoTIc8md.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KKglLIkyG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe (depth 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe (depth 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe (depth 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe (depth 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\YPeBi8FRoTIc8md.exe (depth 2)
    command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB5C9.tmp
  Filesize: 1KB
  MD5: 98b916a12f0bc9455fd3bac50486eca5
  SHA1: fe1499a800b8cd5e3ead0658973db08aad155531
  SHA256: 72a40847f335606757e49901fbba851907c45c6865f6a73b121446c2c08f62b0
  SHA512: 25cfc44b0209b1ad293bd0a5db93c2fd1fdba56ab674242f1845db6d515ff54672772b28f39828d3e0bf5cd882ca6f66431fb0b1a3ced74d2849e633f180f89c
- memory/472-59-0x0000000000000000-mapping.dmp
- memory/1224-54-0x0000000000160000-0x000000000021C000-memory.dmp
  Filesize: 752KB
- memory/1224-55-0x0000000076531000-0x0000000076533000-memory.dmp
  Filesize: 8KB
- memory/1224-56-0x0000000000330000-0x000000000033A000-memory.dmp
  Filesize: 40KB
- memory/1224-57-0x0000000005CE0000-0x0000000005D88000-memory.dmp
  Filesize: 672KB
- memory/1224-58-0x0000000005E80000-0x0000000005F12000-memory.dmp
  Filesize: 584KB