983d625fcf16f42d3fead61360f885b6990a66364fd8aebe86a9890974626b60

General

Target

YouTube Proxy Viewer v1.0.exe
Size

806KB
MD5

139b38e1b9d62ae812909046d9703481
SHA1

d1b05419556212cb05fcdadeb93eb93f7856454c
SHA256

c1266489d112c62eb4a5f9575cc2331e1f33cd73bdec36a7a6f7a76b598154bc
SHA512

cabb897749ae9c1a8a3b1f6089434217d0906283b81c800d7261f692c17ad21e1fc210efbd0634aa7eeea3571cfe2d0b88c274183333a8d5d95edb2b8d00df15
SSDEEP

24576:nwCwGzxgABEyqY6M3e9lypKb1+YIVXZUTti:nwCwMxgAeyqY6M3e9IqIVJMti

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1648	UserOOBE.exe
1532	winsrvhost.exe

Loads dropped DLL 4 IoCs

pid	Process
932	YouTube Proxy Viewer v1.0.exe
932	YouTube Proxy Viewer v1.0.exe
932	YouTube Proxy Viewer v1.0.exe
932	YouTube Proxy Viewer v1.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	Qt5Core.cfg

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1812	Qt5Core.cfg
1812	Qt5Core.cfg

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1648	932	YouTube Proxy Viewer v1.0.exe	28
PID 932 wrote to memory of 1648	932	YouTube Proxy Viewer v1.0.exe	28
PID 932 wrote to memory of 1648	932	YouTube Proxy Viewer v1.0.exe	28
PID 932 wrote to memory of 1648	932	YouTube Proxy Viewer v1.0.exe	28
PID 932 wrote to memory of 1812	932	YouTube Proxy Viewer v1.0.exe	29
PID 932 wrote to memory of 1812	932	YouTube Proxy Viewer v1.0.exe	29
PID 932 wrote to memory of 1812	932	YouTube Proxy Viewer v1.0.exe	29
PID 932 wrote to memory of 1812	932	YouTube Proxy Viewer v1.0.exe	29
PID 932 wrote to memory of 1532	932	YouTube Proxy Viewer v1.0.exe	30
PID 932 wrote to memory of 1532	932	YouTube Proxy Viewer v1.0.exe	30
PID 932 wrote to memory of 1532	932	YouTube Proxy Viewer v1.0.exe	30
PID 932 wrote to memory of 1532	932	YouTube Proxy Viewer v1.0.exe	30

C:\Users\Admin\AppData\Local\Temp\YouTube Proxy Viewer v1.0.exe
"C:\Users\Admin\AppData\Local\Temp\YouTube Proxy Viewer v1.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932
- C:\ProgramData\UserOOBE\UserOOBE.exe
  C:\ProgramData\\UserOOBE\\UserOOBE.exe ,.
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\Qt5Core.cfg
  Qt5Core.cfg
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\ProgramData\winsrvhost\winsrvhost.exe
  C:\ProgramData\\winsrvhost\\winsrvhost.exe
  2⤵
  - Executes dropped EXE
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UserOOBE\UserOOBE.exe

Filesize
251KB

MD5
bc6f4d046400dfdb6d778fb1926766b6

SHA1
ce51637b97296bc4427bffcbc30273532fc2a212

SHA256
29615fb0394b6ca88d8982d5c005292de3b96e2096b3b6994a55eaf1fdd5c847

SHA512
b15a0f2111a485b65a5490f874646dd12c2f62a19912a1cb2d95a9c40fb42cdd659ca2acaab80d3268d570ea09ae46225721aab28567f718860bed0a71258555

Download Submit
C:\ProgramData\winsrvhost\winsrvhost.exe

Filesize
284KB

MD5
a317a0cc1f48e6529d5e87f4212a518b

SHA1
a15b80d2427f47a3efc963630132534146734547

SHA256
30ecbcec13191cd883eb65634af367c4c69cb82ddc3d7a79d40b7786a9547b27

SHA512
d923e2e7624ba764052ce72d27d20aadbade84cfc39ce8ed2d20c9bf9045a70b533cb8a6d05db0ffff3f66595d40273c02d2bf9a36e6baf4cf52b4700905cc4f

Download Submit
\ProgramData\UserOOBE\UserOOBE.exe

Filesize
251KB

MD5
bc6f4d046400dfdb6d778fb1926766b6

SHA1
ce51637b97296bc4427bffcbc30273532fc2a212

SHA256
29615fb0394b6ca88d8982d5c005292de3b96e2096b3b6994a55eaf1fdd5c847

SHA512
b15a0f2111a485b65a5490f874646dd12c2f62a19912a1cb2d95a9c40fb42cdd659ca2acaab80d3268d570ea09ae46225721aab28567f718860bed0a71258555

Download Submit
\ProgramData\UserOOBE\UserOOBE.exe

Filesize
251KB

MD5
bc6f4d046400dfdb6d778fb1926766b6

SHA1
ce51637b97296bc4427bffcbc30273532fc2a212

SHA256
29615fb0394b6ca88d8982d5c005292de3b96e2096b3b6994a55eaf1fdd5c847

SHA512
b15a0f2111a485b65a5490f874646dd12c2f62a19912a1cb2d95a9c40fb42cdd659ca2acaab80d3268d570ea09ae46225721aab28567f718860bed0a71258555

Download Submit
\ProgramData\winsrvhost\winsrvhost.exe

Filesize
284KB

MD5
a317a0cc1f48e6529d5e87f4212a518b

SHA1
a15b80d2427f47a3efc963630132534146734547

SHA256
30ecbcec13191cd883eb65634af367c4c69cb82ddc3d7a79d40b7786a9547b27

SHA512
d923e2e7624ba764052ce72d27d20aadbade84cfc39ce8ed2d20c9bf9045a70b533cb8a6d05db0ffff3f66595d40273c02d2bf9a36e6baf4cf52b4700905cc4f

Download Submit
\ProgramData\winsrvhost\winsrvhost.exe

Filesize
284KB

MD5
a317a0cc1f48e6529d5e87f4212a518b

SHA1
a15b80d2427f47a3efc963630132534146734547

SHA256
30ecbcec13191cd883eb65634af367c4c69cb82ddc3d7a79d40b7786a9547b27

SHA512
d923e2e7624ba764052ce72d27d20aadbade84cfc39ce8ed2d20c9bf9045a70b533cb8a6d05db0ffff3f66595d40273c02d2bf9a36e6baf4cf52b4700905cc4f

Download Submit
memory/932-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1812-64-0x0000000000970000-0x00000000009BC000-memory.dmp

Filesize
304KB

Download
memory/1812-65-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1812-66-0x0000000004B3D000-0x0000000004B4E000-memory.dmp

Filesize
68KB

Download
memory/1812-68-0x000000000B6A0000-0x000000000BE46000-memory.dmp

Filesize
7.6MB

Download
memory/1812-69-0x0000000004B3D000-0x0000000004B4E000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing