407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa

Analysis

max time kernel
151s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
Size

384KB
MD5

41b40f8bb29310334434eb60b1c1bc1d
SHA1

37f0e6be39d1e780247f2401afa71ce7de468886
SHA256

407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa
SHA512

4c835165766859084bc2439e16c4a08ba26728b79858fd0dd077e17f2b5809985e8101a944d98f851a081dcac1875de91f39038a2fa484a415f38b130aed147c
SSDEEP

6144:bJGK2pYLlY4c6ue7lfhTuJZrM4l8KONb6/SPcGHciKjyISzTOILNhWOmzTTKWiYy:FGK2pYLlY4c6ue7lfhTuJZrM4l8KONbq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ybpian.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yY6uXQd3.exe

Executes dropped EXE 7 IoCs

pid	Process
884	yY6uXQd3.exe
1756	ybpian.exe
1496	2cmd.exe
1688	2cmd.exe
340	3cmd.exe
336	csrss.exe
788	4cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1688-86-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1688-83-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1688-90-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1688-91-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1688-92-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
896	cmd.exe

Loads dropped DLL 10 IoCs

pid	Process
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
884	yY6uXQd3.exe
884	yY6uXQd3.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /u"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /c"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /d"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /z"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /p"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /t"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /b"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /u"	yY6uXQd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /C"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /a"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /H"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /T"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /A"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /k"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /Z"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /w"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /K"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /Y"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /O"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /E"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /P"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /W"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /f"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /Q"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /n"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /j"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /D"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /B"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /R"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /o"	ybpian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /m"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /x"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /r"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /G"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /F"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /g"	ybpian.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yY6uXQd3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /i"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /M"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /X"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /v"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /h"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /q"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /V"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /e"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /l"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /N"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /s"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /I"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /J"	ybpian.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ybpian = "C:\\Users\\Admin\\ybpian.exe /S"	ybpian.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1688	1496	2cmd.exe	34
PID 340 set thread context of 1952	340	3cmd.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1448	tasklist.exe
1104	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	yY6uXQd3.exe
884	yY6uXQd3.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1756	ybpian.exe
1756	ybpian.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
340	3cmd.exe
340	3cmd.exe
340	3cmd.exe
1756	ybpian.exe
1756	ybpian.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1756	ybpian.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
340	3cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1756	ybpian.exe
1688	2cmd.exe
1756	ybpian.exe
1688	2cmd.exe
1688	2cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	tasklist.exe
Token: SeDebugPrivilege	340	3cmd.exe
Token: SeDebugPrivilege	340	3cmd.exe
Token: SeDebugPrivilege	1104	tasklist.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
884	yY6uXQd3.exe
1756	ybpian.exe
1496	2cmd.exe
788	4cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 884	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	27
PID 1208 wrote to memory of 884	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	27
PID 1208 wrote to memory of 884	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	27
PID 1208 wrote to memory of 884	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	27
PID 884 wrote to memory of 1756	884	yY6uXQd3.exe	28
PID 884 wrote to memory of 1756	884	yY6uXQd3.exe	28
PID 884 wrote to memory of 1756	884	yY6uXQd3.exe	28
PID 884 wrote to memory of 1756	884	yY6uXQd3.exe	28
PID 884 wrote to memory of 1984	884	yY6uXQd3.exe	29
PID 884 wrote to memory of 1984	884	yY6uXQd3.exe	29
PID 884 wrote to memory of 1984	884	yY6uXQd3.exe	29
PID 884 wrote to memory of 1984	884	yY6uXQd3.exe	29
PID 1984 wrote to memory of 1448	1984	cmd.exe	31
PID 1984 wrote to memory of 1448	1984	cmd.exe	31
PID 1984 wrote to memory of 1448	1984	cmd.exe	31
PID 1984 wrote to memory of 1448	1984	cmd.exe	31
PID 1208 wrote to memory of 1496	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	33
PID 1208 wrote to memory of 1496	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	33
PID 1208 wrote to memory of 1496	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	33
PID 1208 wrote to memory of 1496	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	33
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1496 wrote to memory of 1688	1496	2cmd.exe	34
PID 1208 wrote to memory of 340	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	35
PID 1208 wrote to memory of 340	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	35
PID 1208 wrote to memory of 340	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	35
PID 1208 wrote to memory of 340	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	35
PID 340 wrote to memory of 1388	340	3cmd.exe	15
PID 340 wrote to memory of 336	340	3cmd.exe	6
PID 340 wrote to memory of 1952	340	3cmd.exe	36
PID 340 wrote to memory of 1952	340	3cmd.exe	36
PID 340 wrote to memory of 1952	340	3cmd.exe	36
PID 340 wrote to memory of 1952	340	3cmd.exe	36
PID 340 wrote to memory of 1952	340	3cmd.exe	36
PID 1208 wrote to memory of 788	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	38
PID 1208 wrote to memory of 788	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	38
PID 1208 wrote to memory of 788	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	38
PID 1208 wrote to memory of 788	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	38
PID 1208 wrote to memory of 896	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	39
PID 1208 wrote to memory of 896	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	39
PID 1208 wrote to memory of 896	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	39
PID 1208 wrote to memory of 896	1208	407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe	39
PID 896 wrote to memory of 1104	896	cmd.exe	41
PID 896 wrote to memory of 1104	896	cmd.exe	41
PID 896 wrote to memory of 1104	896	cmd.exe	41
PID 896 wrote to memory of 1104	896	cmd.exe	41
PID 336 wrote to memory of 864	336	csrss.exe	21

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1388
- C:\Users\Admin\AppData\Local\Temp\407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
  "C:\Users\Admin\AppData\Local\Temp\407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\yY6uXQd3.exe
    C:\Users\Admin\yY6uXQd3.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\ybpian.exe
      "C:\Users\Admin\ybpian.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del yY6uXQd3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
- - C:\Users\Admin\2cmd.exe
    C:\Users\Admin\2cmd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\2cmd.exe
      "C:\Users\Admin\2cmd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1688
- - C:\Users\Admin\3cmd.exe
    C:\Users\Admin\3cmd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1952
- - C:\Users\Admin\4cmd.exe
    C:\Users\Admin\4cmd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 407f68d6d75b9eafbe009b65c597a987263afdba239a599e421926a41e753caa.exe
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
C:\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
C:\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
C:\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
C:\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
C:\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
C:\Users\Admin\ybpian.exe

Filesize
264KB

MD5
030ff561b25cc4d82f9ea273c67358cc

SHA1
cc6b8e26000d346bacef733304e0627a4504141a

SHA256
76691c75c6077b301a7f48309e5f61987c817bca079781bb293cbb5009e01600

SHA512
0595fe54bd79eca637b362a45a6c0b925398cbe4ef6eb529daac88b6265cf22a5f30283af5016c05cd4c6008ae06b7342e5d95586bd4d2b1b0cd5282ae125489

Download Submit
C:\Users\Admin\ybpian.exe

Filesize
264KB

MD5
030ff561b25cc4d82f9ea273c67358cc

SHA1
cc6b8e26000d346bacef733304e0627a4504141a

SHA256
76691c75c6077b301a7f48309e5f61987c817bca079781bb293cbb5009e01600

SHA512
0595fe54bd79eca637b362a45a6c0b925398cbe4ef6eb529daac88b6265cf22a5f30283af5016c05cd4c6008ae06b7342e5d95586bd4d2b1b0cd5282ae125489

Download Submit
C:\Windows\system32\consrv.dll

Filesize
53KB

MD5
d1c9e07123216e8836e7988794cd3c75

SHA1
a1061c34544c9377449e186074404e0dd1009994

SHA256
334bd46d5f3ba098c11827982715c0ff98e2aa1c2361b9702b222949e7e5730c

SHA512
06014da3030fa66fbf64f9dd0c9c229390c93dedcb2c6f53aff810a7d0054c05c514804ea9dbae3d6ec1f13b45b4dd844a7e1ec1706e5a7ae16be8e8a760898b

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
e26f52288b9aef50f6a68f5ce268b456

SHA1
7f69440284b36e814e41b562a2e3880b4475e503

SHA256
7cd3305430f9bbdab7548f21e98de9e0ac6aa4f74863c419e55f22710df8817a

SHA512
765e8e92b91c1a5d4a8465580e9b39f1d86b41a728396438a7e1d0d05d43fcd3dfd53cd73b22e3deebd346797cc4538ce2125eb599f75b0fd6225b9564d2e024

Download Submit
\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
\Users\Admin\2cmd.exe

Filesize
68KB

MD5
3a0c1cfad2607489a7b81afeadb1c8de

SHA1
505930aa4aacad8743768c73c9d56b7896277cd8

SHA256
d0115953a9086756f4c8fc090765ffc6eb842d2addb5faac7eb4b10f5422d701

SHA512
277c586dc9d11c3e6f899dd26cc18947051f9f3589bbfcb80e9f0d35296849fc610feb5ad2d43a0d0ad17e9aa0c1a147903c355b9e1cfc6514def04bf0f8672b

Download Submit
\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
\Users\Admin\3cmd.exe

Filesize
204KB

MD5
22d9cb396127839a597009a5c0d2092c

SHA1
c854e7c3954516ccb0f5aa8f96efb61fa0ca47c0

SHA256
81c1c53b6f97ff69a0762b45c123160b43c301c6b8ff5a996db20c22deb66660

SHA512
f0020266bd408ad8617e2a56ac21379907ec48384d9ddcd95d5602f58eac2e304d55eb5844e0062747ea8cb8b3f58d7fc44120d9e358a7b1bffa63e31362531a

Download Submit
\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
\Users\Admin\4cmd.exe

Filesize
36KB

MD5
06267a936e89e44812691c5ee418e214

SHA1
7a7f7fde8da51c6f8e077650f4718cfc84bb0eca

SHA256
c8818d1fae7fa653031cbd2dde9355085c1ece748508c6b294ad7567759d7ab2

SHA512
e85fa457dbb6b2fddc43d597697f9c88e20569201e383b6a1fb70c9fd2a69266be56b90a2766bcfb13d0a06adf2cf3353daa81f865442173d55d690b904ba506

Download Submit
\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
\Users\Admin\yY6uXQd3.exe

Filesize
264KB

MD5
490d9698c1890b9b4e1c62dd277c2ddb

SHA1
635866f95d176fa2567eb47f078d9a618a9ceb6a

SHA256
9ca36f2be3faf01aa4ebe57f90106ab517c757b505de69b3b5d8016ae11dc116

SHA512
3fd9745bee17f284e1cf693e538c81b71478432d0a3980dcdec5b15502f63eed072002c7ad10598778ccb1287549b5b3ae18a9070f1d3b7c077bf87bc616ff45

Download Submit
\Users\Admin\ybpian.exe

Filesize
264KB

MD5
030ff561b25cc4d82f9ea273c67358cc

SHA1
cc6b8e26000d346bacef733304e0627a4504141a

SHA256
76691c75c6077b301a7f48309e5f61987c817bca079781bb293cbb5009e01600

SHA512
0595fe54bd79eca637b362a45a6c0b925398cbe4ef6eb529daac88b6265cf22a5f30283af5016c05cd4c6008ae06b7342e5d95586bd4d2b1b0cd5282ae125489

Download Submit
\Users\Admin\ybpian.exe

Filesize
264KB

MD5
030ff561b25cc4d82f9ea273c67358cc

SHA1
cc6b8e26000d346bacef733304e0627a4504141a

SHA256
76691c75c6077b301a7f48309e5f61987c817bca079781bb293cbb5009e01600

SHA512
0595fe54bd79eca637b362a45a6c0b925398cbe4ef6eb529daac88b6265cf22a5f30283af5016c05cd4c6008ae06b7342e5d95586bd4d2b1b0cd5282ae125489

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
d1c9e07123216e8836e7988794cd3c75

SHA1
a1061c34544c9377449e186074404e0dd1009994

SHA256
334bd46d5f3ba098c11827982715c0ff98e2aa1c2361b9702b222949e7e5730c

SHA512
06014da3030fa66fbf64f9dd0c9c229390c93dedcb2c6f53aff810a7d0054c05c514804ea9dbae3d6ec1f13b45b4dd844a7e1ec1706e5a7ae16be8e8a760898b

Download Submit
memory/336-123-0x0000000002190000-0x00000000021A2000-memory.dmp

Filesize
72KB

Download
memory/340-98-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/340-113-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/340-109-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/340-114-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/340-99-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/864-134-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/864-137-0x00000000003B0000-0x00000000003BB000-memory.dmp

Filesize
44KB

Download
memory/864-139-0x00000000003B0000-0x00000000003BB000-memory.dmp

Filesize
44KB

Download
memory/864-126-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/864-130-0x00000000003A0000-0x00000000003AB000-memory.dmp

Filesize
44KB

Download
memory/864-138-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/864-136-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1208-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1388-108-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1388-104-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1388-100-0x0000000002A60000-0x0000000002A66000-memory.dmp

Filesize
24KB

Download
memory/1688-91-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1688-92-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1688-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1688-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1688-83-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1688-86-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1688-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download