Analysis
-
max time kernel
151s -
max time network
76s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29/10/2022, 16:30
Static task
static1
Behavioral task
behavioral1
Sample
087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe
Resource
win10v2004-20220812-en
General
-
Target
087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe
-
Size
96KB
-
MD5
8410480295a216636114c9b277c48dde
-
SHA1
d8937c7c8a2955d4f03fcabca0a574a0bbba4556
-
SHA256
087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a
-
SHA512
65554953f29506f0500f93f276320843aecc4a534a5d87204c17aca3cf90ad10d167cbf2843f3a703f6d6168ab7cd5b1fa852ba91c78376a2708150c4af76215
-
SSDEEP
1536:LxQBHff6cO/h36kGulSc16l6u+NMMl/KlYv1Tq5ThFNNIjni:ssh3Plu8CFFNCni
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yiais.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe -
Executes dropped EXE 1 IoCs
pid Process 844 yiais.exe -
Loads dropped DLL 2 IoCs
pid Process 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe -
Adds Run key to start application 2 TTPs 55 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /C" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /X" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /s" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /M" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /p" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /V" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /A" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /P" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /l" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /F" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /Z" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /m" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /h" 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /Y" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /d" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /a" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /R" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /b" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /H" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /i" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /N" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /O" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /w" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /Q" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /e" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /r" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /o" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /S" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /G" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /L" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /K" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /n" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /f" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /q" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /I" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /g" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /k" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /J" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /u" yiais.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /D" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /v" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /B" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /x" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /U" yiais.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /c" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /y" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /t" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /E" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /W" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /j" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /h" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /z" yiais.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiais = "C:\\Users\\Admin\\yiais.exe /T" yiais.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe 844 yiais.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 844 yiais.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1444 wrote to memory of 844 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 27 PID 1444 wrote to memory of 844 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 27 PID 1444 wrote to memory of 844 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 27 PID 1444 wrote to memory of 844 1444 087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe"C:\Users\Admin\AppData\Local\Temp\087c034840ef8a3807faf1786aa42a14d393bcdb13ed0241c84bb2d2c0ca067a.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\yiais.exe"C:\Users\Admin\yiais.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:844
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD59c39533e56ac07d8b09c1fca55884f62
SHA1768db764c8c19cce9991373120afc41221016040
SHA256efd8221368019d9c7a6ad4909534badee4ee2842d7bd30f010e696401880ba9d
SHA5129230e5d69226852e77815f946fe9d929d5f815d97141840602fd58a0afea683f90d8f4569a963311ee3001d2244fabbfb1b519679a8db7bfb08f4f400f1af2b8
-
Filesize
96KB
MD59c39533e56ac07d8b09c1fca55884f62
SHA1768db764c8c19cce9991373120afc41221016040
SHA256efd8221368019d9c7a6ad4909534badee4ee2842d7bd30f010e696401880ba9d
SHA5129230e5d69226852e77815f946fe9d929d5f815d97141840602fd58a0afea683f90d8f4569a963311ee3001d2244fabbfb1b519679a8db7bfb08f4f400f1af2b8
-
Filesize
96KB
MD59c39533e56ac07d8b09c1fca55884f62
SHA1768db764c8c19cce9991373120afc41221016040
SHA256efd8221368019d9c7a6ad4909534badee4ee2842d7bd30f010e696401880ba9d
SHA5129230e5d69226852e77815f946fe9d929d5f815d97141840602fd58a0afea683f90d8f4569a963311ee3001d2244fabbfb1b519679a8db7bfb08f4f400f1af2b8
-
Filesize
96KB
MD59c39533e56ac07d8b09c1fca55884f62
SHA1768db764c8c19cce9991373120afc41221016040
SHA256efd8221368019d9c7a6ad4909534badee4ee2842d7bd30f010e696401880ba9d
SHA5129230e5d69226852e77815f946fe9d929d5f815d97141840602fd58a0afea683f90d8f4569a963311ee3001d2244fabbfb1b519679a8db7bfb08f4f400f1af2b8