6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d

General

Target

6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
Size

473KB
MD5

81282e0d6896cc8dd1d298f8116d1e2d
SHA1

3fa374759b94604119b0a01805672b6152a5562b
SHA256

6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d
SHA512

4a5ae043bc4d6ef25de61f97d42caba8e9b828d2a8a64127eb6ee19f0cccc3702598820a4bf213ebe8c436da2a31949ce20eb73f6ca8060933fe89a0183567d6
SSDEEP

6144:Gplmbm6BGwXMve4aMEz4J9/xXe8S7Cn02N0TDxKEqIO6CM:Gplmbm6BGwXMve4aMmG9k8sa0XnC

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1336	Yhyhya.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1676-54-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral1/files/0x0007000000012726-61.dat	upx
behavioral1/memory/1336-63-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
File created	C:\Windows\Yhyhya.exe	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
File opened for modification	C:\Windows\Yhyhya.exe	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Yhyhya.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Yhyhya.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Yhyhya.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1336	Yhyhya.exe
1336	Yhyhya.exe
1336	Yhyhya.exe
1336	Yhyhya.exe
1336	Yhyhya.exe
1336	Yhyhya.exe
1336	Yhyhya.exe
1336	Yhyhya.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1336	Yhyhya.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
1336	Yhyhya.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1336	1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe	28
PID 1676 wrote to memory of 1336	1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe	28
PID 1676 wrote to memory of 1336	1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe	28
PID 1676 wrote to memory of 1336	1676	6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe	28

C:\Users\Admin\AppData\Local\Temp\6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe
"C:\Users\Admin\AppData\Local\Temp\6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\Yhyhya.exe
  C:\Windows\Yhyhya.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
408B

MD5
7a637ed03a024ef6df57ff8f2e96f395

SHA1
30af9500cd490e4f453f3b669a44e49dd5125d41

SHA256
5491e6670a597748012ee5ff42bb21c4f038ce50610258aa955fb1c5ede6270b

SHA512
bd2ff4028a40ae50392d323d8602ec5e33d145db04bec3b1eb7fe7661c92454bcc7654e2739db949d8fe8c51ec758408243880dbe2fca53a164ddf9b9f750877

Download Submit
C:\Windows\Yhyhya.exe

Filesize
473KB

MD5
81282e0d6896cc8dd1d298f8116d1e2d

SHA1
3fa374759b94604119b0a01805672b6152a5562b

SHA256
6809aadf4f391bc67efe02c15a377ad4af78c12b13b6b459f716a8be874a299d

SHA512
4a5ae043bc4d6ef25de61f97d42caba8e9b828d2a8a64127eb6ee19f0cccc3702598820a4bf213ebe8c436da2a31949ce20eb73f6ca8060933fe89a0183567d6

Download Submit
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1336-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1336-69-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1676-58-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1676-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1676-62-0x0000000001FD0000-0x0000000002048000-memory.dmp

Filesize
480KB

Download
memory/1676-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing