Analysis
max time kernel: 156s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 03:15
Static task: static1
Behavioral task: behavioral1
  Sample: ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
  Resource: win10v2004-20220812-en
General
Target: ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
Size: 292KB
MD5: 4ff2266e19dbf37f97093c3147c51e40
SHA1: 421159800e4f4cae83eee1fbc2433bab734ba988
SHA256: ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7
SHA512: 8013cdfa86dbd6ac53649fd70fd719078c6ba4ca5794aadc57adb4fb2d3fd3f77d7ffa8a79b427b60192f9483051d0402a98a73251e4200b2d6f1ffdc521c13c
SSDEEP: 3072:in1Od4X9di6+EOBq7CFLuupaFBzxk7c7awSZohDnjV2S8NmMx3WarRDSAzsUiztU:izi6iLuupszxk7USZoDnp23xmg9wUutU
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / Process:
Set value (int)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  yhniud.exe
Executes dropped EXE (1 IoC)
pid / Process:
208  yhniud.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
Adds Run key to start application (2 TTPs, 54 IoCs)
description / ioc / Process:
Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /t"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /Z"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /A"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /y"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /H"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /v"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /L"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /k"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /P"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /K"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /c"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /G"  yhniud.exe
Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /s"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /u"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /X"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /N"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /n"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /E"  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /d"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /j"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /V"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /U"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /q"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /m"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /C"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /D"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /b"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /h"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /Y"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /o"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /a"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /g"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /f"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /W"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /T"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /r"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /O"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /E"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /i"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /z"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /w"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /F"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /R"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /M"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /l"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /e"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /S"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /Q"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /p"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /J"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /B"  yhniud.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yhniud = "C:\\Users\\Admin\\yhniud.exe /I"  yhniud.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 5080 ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe 5080 ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe 208 yhniud.exe -
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process:
5080  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe
208   yhniud.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target:
PID 5080 wrote to memory of 208  5080  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe  86
PID 5080 wrote to memory of 208  5080  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe  86
PID 5080 wrote to memory of 208  5080  ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe  86
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe, command line "C:\Users\Admin\AppData\Local\Temp\ea16924b946f1fc17e3e87f67d5eb631b795ea6aeee5af5ba838fd7293beefd7.exe", PID 5080
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
2. (spawned by process 1) C:\Users\Admin\yhniud.exe, command line "C:\Users\Admin\yhniud.exe", PID 208
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 292KB
MD5: ba7ae4a2632ace0a5b0e068a7339edcc
SHA1: c07e8b084d4368be867621b91cb09c48d4c739c3
SHA256: 784fe1dfef0a06b176a6e2df2bd6a0e82d56c2c5c577eec39fb4c84d4f62d665
SHA512: 8b2aa4c81b0433f4e478fd458806caba976f2975380186c2373fc0861cde283150acb0ad158118781f6c1b078bb889d137bf31725dfdd6c147d90ae8c343985b