5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba

General

Target

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
Size

321KB
MD5

2464355c63e0e31c9f013b79becc0a85
SHA1

925a116b78c88b240b0a75b5c5afeefaf36162d5
SHA256

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba
SHA512

566dd42711232bfbe1c44ac6b9c12c3638c5be29a45a589d1e86cf0e36742f1ecc4b2281f1b87093a6b13fd47cfa7b256da2eb3ba534afec24a190cf75db65d8
SSDEEP

6144:eT+FQogd7PswMHScIOq1G/PJRnC2CkErfoe:RFhgkycBqwJRC2gce

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ybjuv.exe

pid process

848 ybjuv.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

768 cmd.exe

pid	process
768	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe

pid	process
1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ybjuv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ybjuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Mouv\\ybjuv.exe"	ybjuv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe

description pid process target process

PID 1508 set thread context of 768 1508 5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe cmd.exe

description	pid	process	target process
PID 1508 set thread context of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ybjuv.exe

pid	process
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe
848	ybjuv.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exeybjuv.exe

pid process

1508 5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
848 ybjuv.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exeybjuv.exe

description	pid	process	target process
PID 1508 wrote to memory of 848	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	ybjuv.exe
PID 1508 wrote to memory of 848	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	ybjuv.exe
PID 1508 wrote to memory of 848	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	ybjuv.exe
PID 1508 wrote to memory of 848	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	ybjuv.exe
PID 848 wrote to memory of 1116	848	ybjuv.exe	taskhost.exe
PID 848 wrote to memory of 1116	848	ybjuv.exe	taskhost.exe
PID 848 wrote to memory of 1116	848	ybjuv.exe	taskhost.exe
PID 848 wrote to memory of 1116	848	ybjuv.exe	taskhost.exe
PID 848 wrote to memory of 1116	848	ybjuv.exe	taskhost.exe
PID 848 wrote to memory of 1212	848	ybjuv.exe	Dwm.exe
PID 848 wrote to memory of 1212	848	ybjuv.exe	Dwm.exe
PID 848 wrote to memory of 1212	848	ybjuv.exe	Dwm.exe
PID 848 wrote to memory of 1212	848	ybjuv.exe	Dwm.exe
PID 848 wrote to memory of 1212	848	ybjuv.exe	Dwm.exe
PID 848 wrote to memory of 1244	848	ybjuv.exe	Explorer.EXE
PID 848 wrote to memory of 1244	848	ybjuv.exe	Explorer.EXE
PID 848 wrote to memory of 1244	848	ybjuv.exe	Explorer.EXE
PID 848 wrote to memory of 1244	848	ybjuv.exe	Explorer.EXE
PID 848 wrote to memory of 1244	848	ybjuv.exe	Explorer.EXE
PID 848 wrote to memory of 1508	848	ybjuv.exe	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
PID 848 wrote to memory of 1508	848	ybjuv.exe	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
PID 848 wrote to memory of 1508	848	ybjuv.exe	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
PID 848 wrote to memory of 1508	848	ybjuv.exe	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
PID 848 wrote to memory of 1508	848	ybjuv.exe	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe
PID 1508 wrote to memory of 768	1508	5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe
"C:\Users\Admin\AppData\Local\Temp\5f713449823d914c2d75308e6475fda37bd86c87b3e20c8e81010894c8c357ba.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\Mouv\ybjuv.exe
"C:\Users\Admin\AppData\Roaming\Mouv\ybjuv.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa731a6dc.bat"
3⤵
- Deletes itself
PID:768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa731a6dc.bat

Filesize
307B

MD5
0288b1c05c4f97d81542ccd3eb459ba8

SHA1
9432d892ff52159039b19a0d5749a2ba498349b2

SHA256
81496a6a73a9f71e02e91681f469ea8039bbe702556e93b51c794da6054a51fe

SHA512
5be29205d86658e2a8e09e659ed8bedc2bd683ee84adc16ace2898222eda0e633ed47960ca9ccbe2f887edecfe32c73b8616657e29ea454658ed85ea73ab1995

Download Submit
C:\Users\Admin\AppData\Roaming\Mouv\ybjuv.exe

Filesize
321KB

MD5
9c85bc7d2396a66a7a4336f26ee15a8f

SHA1
bf2ffe0fea08ad725da0dc0e946cbb1f7f89d7e1

SHA256
8a1fb131c2196c5df43c0b7d6bb286236e8783ff9562e133f3cb364a0b21ace6

SHA512
727d935ea4e84e8a4a13c50f293328ac859f881e8154a8eeeb583d8838192471a0829b5424b296a3ddddb8ad46d4a1ed5119c26f7be7819a69e87ea136038702

Download Submit
C:\Users\Admin\AppData\Roaming\Mouv\ybjuv.exe

Filesize
321KB

MD5
9c85bc7d2396a66a7a4336f26ee15a8f

SHA1
bf2ffe0fea08ad725da0dc0e946cbb1f7f89d7e1

SHA256
8a1fb131c2196c5df43c0b7d6bb286236e8783ff9562e133f3cb364a0b21ace6

SHA512
727d935ea4e84e8a4a13c50f293328ac859f881e8154a8eeeb583d8838192471a0829b5424b296a3ddddb8ad46d4a1ed5119c26f7be7819a69e87ea136038702

Download Submit
\Users\Admin\AppData\Roaming\Mouv\ybjuv.exe

Filesize
321KB

MD5
9c85bc7d2396a66a7a4336f26ee15a8f

SHA1
bf2ffe0fea08ad725da0dc0e946cbb1f7f89d7e1

SHA256
8a1fb131c2196c5df43c0b7d6bb286236e8783ff9562e133f3cb364a0b21ace6

SHA512
727d935ea4e84e8a4a13c50f293328ac859f881e8154a8eeeb583d8838192471a0829b5424b296a3ddddb8ad46d4a1ed5119c26f7be7819a69e87ea136038702

Download Submit
\Users\Admin\AppData\Roaming\Mouv\ybjuv.exe

Filesize
321KB

MD5
9c85bc7d2396a66a7a4336f26ee15a8f

SHA1
bf2ffe0fea08ad725da0dc0e946cbb1f7f89d7e1

SHA256
8a1fb131c2196c5df43c0b7d6bb286236e8783ff9562e133f3cb364a0b21ace6

SHA512
727d935ea4e84e8a4a13c50f293328ac859f881e8154a8eeeb583d8838192471a0829b5424b296a3ddddb8ad46d4a1ed5119c26f7be7819a69e87ea136038702

Download Submit
memory/768-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/768-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/768-101-0x00000000000671E6-mapping.dmp

Download
memory/768-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/768-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/768-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/848-59-0x0000000000000000-mapping.dmp

Download
memory/848-99-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/848-97-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/848-98-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/1116-66-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1116-68-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1116-63-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1116-65-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1116-67-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1212-74-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1212-73-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1212-72-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1212-71-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1244-77-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1244-78-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1244-79-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1244-80-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1508-84-0x0000000001D10000-0x0000000001D54000-memory.dmp

Filesize
272KB

Download
memory/1508-95-0x0000000000310000-0x0000000000366000-memory.dmp

Filesize
344KB

Download
memory/1508-86-0x0000000001D10000-0x0000000001D54000-memory.dmp

Filesize
272KB

Download
memory/1508-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1508-96-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1508-94-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1508-100-0x0000000001D10000-0x0000000001D66000-memory.dmp

Filesize
344KB

Download
memory/1508-85-0x0000000001D10000-0x0000000001D54000-memory.dmp

Filesize
272KB

Download
memory/1508-83-0x0000000001D10000-0x0000000001D54000-memory.dmp

Filesize
272KB

Download
memory/1508-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-103-0x0000000001D10000-0x0000000001D54000-memory.dmp

Filesize
272KB

Download
memory/1508-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1508-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads