f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

General

Target

f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
Size

34KB
MD5

35cef4d8899d029b91292671489c1d70
SHA1

4fd6705c5797c80cf38316719c10ff0f36eeb149
SHA256

f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e
SHA512

6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf
SSDEEP

768:AcQhyn/CSQ7JJLQCFNCMhKFZRtEltyF2JbRD+TGseKIfirwp:vQhyn/m7JJLZiMw3TEltyF25t+2ti

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1756	ywkkso.exe
1700	hrlE745.tmp

Deletes itself 1 IoCs

pid	Process
1916	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1756	ywkkso.exe
1756	ywkkso.exe
1756	ywkkso.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	ywkkso.exe
File opened (read-only)	\??\T:	ywkkso.exe
File opened (read-only)	\??\U:	ywkkso.exe
File opened (read-only)	\??\X:	ywkkso.exe
File opened (read-only)	\??\H:	ywkkso.exe
File opened (read-only)	\??\O:	ywkkso.exe
File opened (read-only)	\??\Z:	ywkkso.exe
File opened (read-only)	\??\G:	ywkkso.exe
File opened (read-only)	\??\I:	ywkkso.exe
File opened (read-only)	\??\K:	ywkkso.exe
File opened (read-only)	\??\L:	ywkkso.exe
File opened (read-only)	\??\M:	ywkkso.exe
File opened (read-only)	\??\Q:	ywkkso.exe
File opened (read-only)	\??\R:	ywkkso.exe
File opened (read-only)	\??\V:	ywkkso.exe
File opened (read-only)	\??\E:	ywkkso.exe
File opened (read-only)	\??\J:	ywkkso.exe
File opened (read-only)	\??\W:	ywkkso.exe
File opened (read-only)	\??\Y:	ywkkso.exe
File opened (read-only)	\??\P:	ywkkso.exe
File opened (read-only)	\??\F:	ywkkso.exe
File opened (read-only)	\??\N:	ywkkso.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ywkkso.exe	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
File opened for modification	C:\Windows\SysWOW64\ywkkso.exe	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
File created	C:\Windows\SysWOW64\hra8.dll	ywkkso.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	ywkkso.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	ywkkso.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ywkkso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ywkkso.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1980	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1916	1980	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	29
PID 1980 wrote to memory of 1916	1980	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	29
PID 1980 wrote to memory of 1916	1980	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	29
PID 1980 wrote to memory of 1916	1980	f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe	29
PID 1756 wrote to memory of 1700	1756	ywkkso.exe	30
PID 1756 wrote to memory of 1700	1756	ywkkso.exe	30
PID 1756 wrote to memory of 1700	1756	ywkkso.exe	30
PID 1756 wrote to memory of 1700	1756	ywkkso.exe	30

C:\Users\Admin\AppData\Local\Temp\f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe
"C:\Users\Admin\AppData\Local\Temp\f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F8A8DF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1916

C:\Windows\SysWOW64\ywkkso.exe
C:\Windows\SysWOW64\ywkkso.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\TEMP\hrlE745.tmp
  C:\Windows\TEMP\hrlE745.tmp
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ywkkso.exe

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
C:\Windows\SysWOW64\ywkkso.exe

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
C:\Windows\Temp\hrlE745.tmp

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
\Windows\SysWOW64\hra8.dll

Filesize
42KB

MD5
650c15e84b4714971dc86b1d8b7e88c5

SHA1
7153d080e2d8b7e7c4bca5bd19fa98dc8b72d6bd

SHA256
602ea9d49bd459c8cc21cc6e28e7927c8b46a5ba1f7f353a71b0843824f1ff6d

SHA512
7345328c891fbe5493b29533bde3df2d4f0dabe5cb4980ed25d4bb17cbfab1ec4e350e1ba52e3d3155d66a13aea428d311104b887564beeece1b18c88ead6246

Download Submit
\Windows\Temp\hrlE745.tmp

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
\Windows\Temp\hrlE745.tmp

Filesize
34KB

MD5
35cef4d8899d029b91292671489c1d70

SHA1
4fd6705c5797c80cf38316719c10ff0f36eeb149

SHA256
f8a8df688da71632c557437047ab4ea5aa58ef274ade68b871216d9969aa8c6e

SHA512
6a3e0289b00ed2177345f558db05f38feb6d7d361f02f9ec5323975337ae9b1616a3dff033ebfb6e6dfd9e405b433b43203c1e3b2d5481244906fbaa11dd81cf

Download Submit
memory/1756-58-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads