Analysis
-
max time kernel
150s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
28-10-2022 06:14
Behavioral task
behavioral1
Sample
yan1.exe
Resource
win7-20220812-en
General
-
Target
yan1.exe
-
Size
398KB
-
MD5
afaf2d4ebb6dc47e79a955df5ad1fc8a
-
SHA1
c418ce055d97928f94ba06b5de8124a601d8f632
-
SHA256
d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
-
SHA512
321424ac21ebdb7f759a84236cb95c533b3000b3143099e1697f4a1f534c11782dafa68e5fa9e662b973b9669c1177b69c2fd0b83455625e57aa123385f581e6
-
SSDEEP
12288:EfaLQyGK6kAa2XgsA1RUa+jE6S3qRTjO0:EwIHnXp/O0
Malware Config
Signatures
-
Drops file in Drivers directory 27 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui yan1.exe File created C:\Windows\SysWOW64\drivers\en-US\README.txt yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui yan1.exe File created C:\Windows\SysWOW64\drivers\fr-FR\README.txt yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\gm.dls yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui yan1.exe File created C:\Windows\SysWOW64\drivers\es-ES\README.txt yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui yan1.exe File created C:\Windows\SysWOW64\drivers\ja-JP\README.txt yan1.exe File created C:\Windows\SysWOW64\drivers\de-DE\README.txt yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui yan1.exe File created C:\Windows\SysWOW64\drivers\it-IT\README.txt yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui yan1.exe File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui yan1.exe File created C:\Windows\SysWOW64\drivers\README.txt yan1.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation yan1.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\en-US\adp80xx.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\SDFLauncher.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\c_usbfn.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\c_netdriver.inf_amd64_2d569d832b41b8df\README.txt yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_167948d0c94abc27\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\Amd64\MSIPP.xml yan1.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\PCLXL.GPD yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\netavpna.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\netlldp.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\dc21x4vm.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\mdmvv.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\sisraid2.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_9fc7fe03de136fc1\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\buttonconverter.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_b8b0fe7bbc76405b\README.txt yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_d9886a7bbe9e55ca\README.txt yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_0e2452f597790e95\Amd64\unishare-pipelineconfig.xml yan1.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\e2xw10x64.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\c_securitydevices.inf_amd64_f10a5650b96630b9\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA344a_AC_BRN.bin yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\stornvme.inf_amd64_1218fad01506b7af\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\c_firmware.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\iaLPSS2i_GPIO2_GLK.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\mdmbtmdm.inf_loc yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\netshell.dll.mui yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\lsi_sss.inf_amd64_503a2398f4c86893\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\acpipagr.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\IntelTA.inf_loc yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\wcnwiz.dll.mui yan1.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\ts_wpdmtp.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\CompositeBus.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\netbvbda.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\b57nd60a.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_c4ed3602d3c754f2\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\netrndis.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\prnms005.inf_loc yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\mmc.exe.mui yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\wevtfwd.dll.mui yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\netloop.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\HalExtIntcLpioDma.inf_loc yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\Apphlpdm.dll.mui yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\scrptadm.dll.mui yan1.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\netvf63a.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\cht4vx64.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\de-DE\wstorvsc.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\Netwew01.INF_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\wvmic_heartbeat.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\xboxgip.inf_amd64_90ed6b3fdc759a5b\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\msdv.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\wGenCounter.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\scmvolume.inf_amd64_6957cfb7d6fea5c7\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\c_scmvolume.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\hidbatt.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\en-US\virtdisk.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\c_scmdisk.inf_amd64_d8f75a9c87c2f7c4\README.txt yan1.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\ipmidrv.inf_loc yan1.exe File opened for modification C:\Windows\System32\DriverStore\es-ES\microsoft_bluetooth_a2dp_src.inf_loc yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\README.txt yan1.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_b2ebe9229789b181\README.txt yan1.exe File opened for modification C:\Windows\SysWOW64\de-DE\WABSyncProvider.dll.mui yan1.exe File opened for modification C:\Windows\System32\DriverStore\fr-FR\hidbthle.inf_loc yan1.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Cursors\busy_m.cur yan1.exe File opened for modification C:\Windows\Globalization\ELS\Transliteration\malayalam-to-latin.nlt yan1.exe File opened for modification C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-Full-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\Cursors\busy_il.cur yan1.exe File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Fonts.Jpan~und-Jpan~1.0.mum yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-AssignedAccessCsp-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.844.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-NetFx2-OC-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat yan1.exe File created C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\es\README.txt yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-EmbeddedLogon-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\INF\wvmic_guestinterface.inf yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-NetFx-Shared-Perfcounters-Client~31bf3856ad364e35~amd64~~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\README.txt yan1.exe File opened for modification C:\Windows\Resources\Themes\aero\ja-JP\aerolite.msstyles.mui yan1.exe File opened for modification C:\Windows\servicing\Packages\Multimedia-MFCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat yan1.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\8335c7a6cac9c2a3a77da9f4a1817282\README.txt yan1.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\9b714bc9d597b3de794f1cedb3fe3349\README.txt yan1.exe File opened for modification C:\Windows\L2Schemas\WWAN_profile_v4.xsd yan1.exe File created C:\Windows\Microsoft.NET\Framework\v3.5\MOF\es\README.txt yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-Full-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\Boot\DVD\PCAT\BCD yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Package_2_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat yan1.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\a59eafc66ceb93baa9032d0ec04afd19\README.txt yan1.exe File opened for modification C:\Windows\schemas\EAPHost\eaphostconfig.xsd yan1.exe File created C:\Windows\servicing\FodMetadata\metadata\README.txt yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-SecConfig-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\apppatch\frxmain.sdb yan1.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\DE\README.txt yan1.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security.aspx.es.resx yan1.exe File opened for modification C:\Windows\servicing\Packages\HyperV-Host-Devices-EmulatedChipset-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0011~31bf3856ad364e35~amd64~~10.0.19041.264.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\PolicyDefinitions\fr-FR\Servicing.adml yan1.exe File opened for modification C:\Windows\ImmersiveControlPanel\images\logo.altform-unplated.png yan1.exe File opened for modification C:\Windows\INF\microsoft_bluetooth_avrcptransport.inf yan1.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\de-DE\ServiceModelRegUI.dll.mui yan1.exe File opened for modification C:\Windows\PolicyDefinitions\de-DE\InetRes.adml yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-MFPMP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-WebcamExperience-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat yan1.exe File opened for modification C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\en-US\en_US_word_c.lm1 yan1.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.PowerShell.ConsoleHost\v4.0_1.0.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Powershell.ConsoleHost.config yan1.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.fr.resx yan1.exe File opened for modification C:\Windows\PolicyDefinitions\de-DE\msched.adml yan1.exe File opened for modification C:\Windows\PolicyDefinitions\ja-JP\DiskDiagnostic.adml yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-AppCompat-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\it-IT\CbsMsg.dll.mui yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package01~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Multimedia-MFCore-WCOSMinusHeadless-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Remotefx-Clientvm-Rdvgwddmdx11-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat yan1.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f577ef2b3b341c57f4b7eb23478be457\README.txt yan1.exe File opened for modification C:\Windows\Help\mui\0407\sqlsoldb.chm yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-CoreSystem-RemoteFS-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-ServerCommon-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat yan1.exe File created C:\Windows\rescache\_merged\3200614358\README.txt yan1.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Snapins-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat yan1.exe File opened for modification C:\Windows\INF\rtux64w10.inf yan1.exe File opened for modification C:\Windows\PolicyDefinitions\de-DE\NetworkIsolation.adml yan1.exe File opened for modification C:\Windows\PolicyDefinitions\ja-JP\Sharing.adml yan1.exe File opened for modification C:\Windows\Provisioning\Packages\Power.Settings.Display.ppkg yan1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1116 powershell.exe 1116 powershell.exe 1116 powershell.exe 1116 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4876 yan1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeDebugPrivilege 1116 powershell.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe Token: SeTakeOwnershipPrivilege 4876 yan1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4876 wrote to memory of 4848 4876 yan1.exe 91 PID 4876 wrote to memory of 4848 4876 yan1.exe 91 PID 4876 wrote to memory of 4848 4876 yan1.exe 91 PID 4876 wrote to memory of 1900 4876 yan1.exe 93 PID 4876 wrote to memory of 1900 4876 yan1.exe 93 PID 4876 wrote to memory of 1900 4876 yan1.exe 93 PID 4876 wrote to memory of 3904 4876 yan1.exe 95 PID 4876 wrote to memory of 3904 4876 yan1.exe 95 PID 4876 wrote to memory of 3904 4876 yan1.exe 95 PID 4876 wrote to memory of 2868 4876 yan1.exe 98 PID 4876 wrote to memory of 2868 4876 yan1.exe 98 PID 4876 wrote to memory of 2868 4876 yan1.exe 98 PID 4848 wrote to memory of 1116 4848 cmd.exe 97 PID 4848 wrote to memory of 1116 4848 cmd.exe 97 PID 4848 wrote to memory of 1116 4848 cmd.exe 97 PID 4876 wrote to memory of 4116 4876 yan1.exe 100 PID 4876 wrote to memory of 4116 4876 yan1.exe 100 PID 4876 wrote to memory of 4116 4876 yan1.exe 100 PID 4876 wrote to memory of 3792 4876 yan1.exe 102 PID 4876 wrote to memory of 3792 4876 yan1.exe 102 PID 4876 wrote to memory of 3792 4876 yan1.exe 102 PID 4876 wrote to memory of 3156 4876 yan1.exe 104 PID 4876 wrote to memory of 3156 4876 yan1.exe 104 PID 4876 wrote to memory of 3156 4876 yan1.exe 104 PID 4876 wrote to memory of 2244 4876 yan1.exe 106 PID 4876 wrote to memory of 2244 4876 yan1.exe 106 PID 4876 wrote to memory of 2244 4876 yan1.exe 106 PID 4876 wrote to memory of 1288 4876 yan1.exe 108 PID 4876 wrote to memory of 1288 4876 yan1.exe 108 PID 4876 wrote to memory of 1288 4876 yan1.exe 108 PID 4876 wrote to memory of 3872 4876 yan1.exe 110 PID 4876 wrote to memory of 3872 4876 yan1.exe 110 PID 4876 wrote to memory of 3872 4876 yan1.exe 110 PID 4876 wrote to memory of 4080 4876 yan1.exe 112 PID 4876 wrote to memory of 4080 4876 yan1.exe 112 PID 4876 wrote to memory of 4080 4876 yan1.exe 112 PID 4876 wrote to memory of 2624 4876 yan1.exe 114 PID 4876 wrote to memory of 2624 4876 yan1.exe 114 PID 4876 wrote to memory of 2624 4876 yan1.exe 114 PID 4876 wrote to memory of 4336 4876 yan1.exe 117 PID 4876 wrote to memory of 4336 4876 yan1.exe 117 PID 4876 wrote to memory of 4336 4876 yan1.exe 117 PID 4876 wrote to memory of 2372 4876 yan1.exe 118 PID 4876 wrote to memory of 2372 4876 yan1.exe 118 PID 4876 wrote to memory of 2372 4876 yan1.exe 118 PID 4876 wrote to memory of 4948 4876 yan1.exe 120 PID 4876 wrote to memory of 4948 4876 yan1.exe 120 PID 4876 wrote to memory of 4948 4876 yan1.exe 120 PID 4876 wrote to memory of 4604 4876 yan1.exe 122 PID 4876 wrote to memory of 4604 4876 yan1.exe 122 PID 4876 wrote to memory of 4604 4876 yan1.exe 122 PID 4876 wrote to memory of 960 4876 yan1.exe 124 PID 4876 wrote to memory of 960 4876 yan1.exe 124 PID 4876 wrote to memory of 960 4876 yan1.exe 124 PID 4876 wrote to memory of 2400 4876 yan1.exe 126 PID 4876 wrote to memory of 2400 4876 yan1.exe 126 PID 4876 wrote to memory of 2400 4876 yan1.exe 126 PID 4876 wrote to memory of 2344 4876 yan1.exe 127 PID 4876 wrote to memory of 2344 4876 yan1.exe 127 PID 4876 wrote to memory of 2344 4876 yan1.exe 127 PID 4876 wrote to memory of 2676 4876 yan1.exe 130 PID 4876 wrote to memory of 2676 4876 yan1.exe 130 PID 4876 wrote to memory of 2676 4876 yan1.exe 130 PID 4876 wrote to memory of 1348 4876 yan1.exe 132
Processes
-
C:\Users\Admin\AppData\Local\Temp\yan1.exeC:\Users\Admin\AppData\Local\Temp\yan1.exe -pass D86BDXL9N3H1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -command "Get-VM | Stop-VM -Force"2⤵
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-VM | Stop-VM -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper1002⤵PID:1900
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQL$ISARS2⤵PID:3904
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQL$MSFW2⤵PID:2868
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLAgent$ISARS2⤵PID:4116
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLAgent$MSFW2⤵PID:3792
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLBrowser2⤵PID:3156
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop ReportServer$ISARS2⤵PID:2244
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLWriter2⤵PID:1288
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop WinDefend2⤵PID:3872
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop mr2kserv2⤵PID:4080
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeADTopology2⤵PID:2624
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeFBA2⤵PID:4336
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeIS2⤵PID:2372
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeSA2⤵PID:4948
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop ShadowProtectSvc2⤵PID:4604
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPAdminV42⤵PID:960
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPTimerV42⤵PID:2400
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPTraceV42⤵PID:2344
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPUserCodeV42⤵PID:2676
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPWriterV42⤵PID:1348
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPSearch42⤵PID:4368
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper1002⤵PID:3028
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop IISADMIN2⤵PID:4476
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop firebirdguardiandefaultinstance2⤵PID:4832
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop ibmiasrw2⤵PID:1632
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QBCFMonitorService2⤵PID:4676
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QBVSS2⤵PID:660
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QBPOSDBServiceV122⤵PID:520
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop "IBM Domino Server (CProgramFilesIBMDominodata)"2⤵PID:1008
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"2⤵PID:1084
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop IISADMIN2⤵PID:2988
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop "Simply Accounting Database Connection Manager"2⤵PID:4984
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB12⤵PID:3076
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB22⤵PID:444
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB32⤵PID:3524
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB42⤵PID:1028
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB52⤵PID:5144
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB62⤵PID:5240
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB72⤵PID:5280
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB82⤵PID:5356
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB92⤵PID:5380
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB102⤵PID:5440
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB112⤵PID:5488
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB122⤵PID:5524
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB132⤵PID:5600
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB142⤵PID:5628
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB152⤵PID:5696
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB162⤵PID:5716
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB172⤵PID:5788
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB182⤵PID:5860
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB192⤵PID:5896
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB202⤵PID:5952
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB212⤵PID:5972
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB222⤵PID:6012
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB232⤵PID:6072
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB242⤵PID:6092
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB252⤵PID:5364
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im mysql*2⤵PID:5724
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im dsa*2⤵PID:5904
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im veeam*2⤵PID:6040
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im chrome*2⤵PID:6148
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im iexplore*2⤵PID:6176
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im firefox*2⤵PID:6256
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im excel*2⤵PID:6312
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*2⤵PID:6272
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im taskmgr*2⤵PID:6352
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im tasklist*2⤵PID:6384
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im Ntrtscan*2⤵PID:6432
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im ds_monitor*2⤵PID:6532
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*2⤵PID:6344
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im Notifier*2⤵PID:6608
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im putty*2⤵PID:6668
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im ssh*2⤵PID:6684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im TmListen*2⤵PID:6748
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im CNTAoSMgr*2⤵PID:6784
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im iVPAgent*2⤵PID:6756
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im IBM*2⤵PID:6872
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im black*2⤵PID:6928
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im bes10*2⤵PID:6884
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im robo*2⤵PID:6996
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im copy*2⤵PID:7028
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im sql2⤵PID:7064
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im store.exe2⤵PID:7120
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im sql*2⤵PID:7140
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im vee*2⤵PID:6380
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa*2⤵PID:6084
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa.exe2⤵PID:7084
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im postg*2⤵PID:7172
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im sage*2⤵PID:7232
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5cec6220591035e8e7c9348669b0c6473
SHA1af3e74a170d3ab22c3f1b250d25d3890a8b0ad54
SHA256d3b707678c04cc400857d1a317536aefe3da586df0e0a6f5abc8731c9f0d3f80
SHA51277a4f2691786b0dd65cdfcd6c24f715ef3584fd79f7c696572a0dbaf6191e72b996a3c13d12b68423563b889c45831fc1a36d4b364508176706c17ed9628526d
-
Filesize
18KB
MD5640a5968529546c836734c9581618c6a
SHA1f58b1dcf07d51dfd4eea4993fdbbb0e7d123212a
SHA25634d0c639ab1bdb851f078c3a580ce2041c78049598676153759115496a293cb9
SHA5128b1e858140abcc8e49c88d45d60c5fd1ea077d4d10695a140b11570e58bf20899d2270bff8fd90ea8e2f87e3098ffcf1676c747721c7350298a1eb26b62713c5