ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c

General

Target

ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
Size

21KB
MD5

a008fed1202090617be74e3c5b871690
SHA1

7cd8b1f860c6fc53ca9ab73b38e8b384f56e93f4
SHA256

ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c
SHA512

48fb986528526293bf2892200707cd393dbe8972546fec05dc3456cfdacadda05cb31a858a58725ae143a0fcef4e2f319197b2a811bbeed28f669f95c373a68f
SSDEEP

384:hWw3e7zpf6n0+7RjiyGS0x3oJPwh4EiUJanzK7u+GmK:Je7zpe0kRwS0z4EvE27qd

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\rgbzpi.sys	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
File opened for modification	C:\Windows\SysWOW64\drivers\rgbzpi.sys	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
File created	C:\Windows\SysWOW64\drivers\ynbypp.sys	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ynbypp.sys	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\rgbzpi\ImagePath = "system32\\drivers\\rgbzpi.sys"	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ynbypp\ImagePath = "system32\\drivers\\ynbypp.sys"	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe

Loads dropped DLL 1 IoCs

pid	Process
1272	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ynbypp.dll	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
File created	C:\Windows\SysWOW64\ynbypp.dll	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe
1272	Rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26
PID 1348 wrote to memory of 1272	1348	ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe	26

C:\Users\Admin\AppData\Local\Temp\ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe
"C:\Users\Admin\AppData\Local\Temp\ad01393ea0584affd5bd51e321eca4d937fea3232a4cb612b46d1463f616b47c.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\Rundll32.exe
  C:\Windows\system32\Rundll32.exe "C:\Windows\system32\ynbypp",DllUnregisterServer
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ynbypp.DLL

Filesize
10KB

MD5
0118cd2898ce45335479b51e23cdd76c

SHA1
dfe9bcc062bcad4c3d22a83f4a39d6541f4bb110

SHA256
d35ca075d341bb8cbc3e6dd8369bf809e54b79fbb28dd5e14999e691b6e27cbb

SHA512
984884a78279ec11b646c445be8f71ff7e6343525dd16a935feafec66b8b97fd1faeecbd3312e6bd2be1234bc8bf6bf971a625c91e5534f6fa52c2aa981761ce

Download Submit
\Windows\SysWOW64\ynbypp.dll

Filesize
10KB

MD5
0118cd2898ce45335479b51e23cdd76c

SHA1
dfe9bcc062bcad4c3d22a83f4a39d6541f4bb110

SHA256
d35ca075d341bb8cbc3e6dd8369bf809e54b79fbb28dd5e14999e691b6e27cbb

SHA512
984884a78279ec11b646c445be8f71ff7e6343525dd16a935feafec66b8b97fd1faeecbd3312e6bd2be1234bc8bf6bf971a625c91e5534f6fa52c2aa981761ce

Download Submit
memory/1348-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1348-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing