Analysis
max time kernel: 151s
max time network: 167s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 09:59
Static task: static1
Behavioral task: behavioral1
  Sample: 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
  Resource: win10v2004-20220812-en
General
Target: 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
Size: 341KB
MD5: fe7d0c5786b24efc2b7e6520a24ccf4c
SHA1: be0f2a8a108426c514d3c4d5819b87b921b41e52
SHA256: 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1
SHA512: bfc1e350ea9365f94183db17dca728a3ce89421beaef1381bb09c2e823e3765bc5563c77459767c300a79e5cacba404bfdd32b77046c99ed912d37c0dfcdee9c
SSDEEP: 6144:h2TX+xO9QNaDyPk9gcTher8o/xPh+PWmp2k98mrjI3s:hqXsO98a+cter8kPMxp2Jc
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: PID 1660 ynapo.exe
Deletes itself (1 IoC)
  Process: PID 1560 cmd.exe
Loads dropped DLL (1 IoC)
  Process: PID 1740 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  ynapo.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run
  ynapo.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ynapo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Egwae\\ynapo.exe"
Suspicious use of SetThreadContext (1 IoC)
  PID 1740 (1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe) set thread context of PID 1560 (cmd.exe)
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 1740 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe (1 occurrence)
  PID 1660 ynapo.exe (30 occurrences)
Suspicious use of WriteProcessMemory (41 IoCs)
  PID 1740 (1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe) wrote to memory of PID 1660 (ynapo.exe): 4 occurrences
  PID 1660 (ynapo.exe) wrote to memory of PID 1128 (taskhost.exe): 5 occurrences
  PID 1660 (ynapo.exe) wrote to memory of PID 1184 (Dwm.exe): 5 occurrences
  PID 1660 (ynapo.exe) wrote to memory of PID 1212 (Explorer.EXE): 5 occurrences
  PID 1660 (ynapo.exe) wrote to memory of PID 1740 (1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe): 5 occurrences
  PID 1740 (1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe) wrote to memory of PID 1560 (cmd.exe): 9 occurrences
  PID 1660 (ynapo.exe) wrote to memory of PID 532 (conhost.exe): 5 occurrences
  PID 1660 (ynapo.exe) wrote to memory of PID 1560 (cmd.exe): 3 occurrences
Processes
C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  (level 1, PID 1212)
  C:\Users\Admin\AppData\Local\Temp\1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe  "C:\Users\Admin\AppData\Local\Temp\1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe"  (level 2, PID 1740)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Egwae\ynapo.exe  "C:\Users\Admin\AppData\Local\Temp\Egwae\ynapo.exe"  (level 3, PID 1660)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGLDD00.bat"  (level 3, PID 1560)
      - Deletes itself
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (level 1, PID 1184)
C:\Windows\system32\taskhost.exe  "taskhost.exe"  (level 1, PID 1128)
C:\Windows\system32\conhost.exe  \??\C:\Windows\system32\conhost.exe "115323065322713390-1977309385194970933416910796253507951431581118628-267813925"  (level 1, PID 532)
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 341KB
  MD5: e7dd5108f005baa913ac93728a226f18
  SHA1: c82ce62f7af5c97f9c68b41bb688007734f312f7
  SHA256: 61260a124e3006a7856d31c002ceae5fba5b4c71bc0bed6f610268b5bff46ddb
  SHA512: ab19c8f9fe87cab5490250811c5318048302c821d2415632322c48a14c6c8b4bdca4e9829c9ec29e02b9cb2910eb19fc0fd7dedb310c424a804f1a0e77615cf0
File 2
  Filesize: 341KB
  MD5: e7dd5108f005baa913ac93728a226f18
  SHA1: c82ce62f7af5c97f9c68b41bb688007734f312f7
  SHA256: 61260a124e3006a7856d31c002ceae5fba5b4c71bc0bed6f610268b5bff46ddb
  SHA512: ab19c8f9fe87cab5490250811c5318048302c821d2415632322c48a14c6c8b4bdca4e9829c9ec29e02b9cb2910eb19fc0fd7dedb310c424a804f1a0e77615cf0
File 3
  Filesize: 282B
  MD5: 3a8990924314c9490364287b8eeae298
  SHA1: dc400394c70c89ad5ec9abc0d99e0e74a62ff401
  SHA256: 584fa2290c61173a6272c302fced60c8ba29bb47ecf16f51eb2b7b44117788db
  SHA512: 32df25cb7bd5dfe24dc4aa09df90bf7a751295b704bda8cf2f8b8d9bafa62f83d42d8252c3d262b3fa40cb84ca03bf4ff8b1a13b1831e9d09a5c67829fb70669
File 4
  Filesize: 341KB
  MD5: e7dd5108f005baa913ac93728a226f18
  SHA1: c82ce62f7af5c97f9c68b41bb688007734f312f7
  SHA256: 61260a124e3006a7856d31c002ceae5fba5b4c71bc0bed6f610268b5bff46ddb
  SHA512: ab19c8f9fe87cab5490250811c5318048302c821d2415632322c48a14c6c8b4bdca4e9829c9ec29e02b9cb2910eb19fc0fd7dedb310c424a804f1a0e77615cf0