b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
Size

270KB
MD5

930b90969de8f7e3169cd2e0b5580c9f
SHA1

463cb10f654705a5a71b6994180e698d711fe99e
SHA256

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a
SHA512

75a00f1d5a56908a8f4771b899fbc11df4801bad57bd93d687dcce739986a603a91603d9654674d7f2ed1e2ad8f95422206f5e08b3e5c0cda7d366b0b6ec6485
SSDEEP

6144:NtjpJkJqvoArlO+BeiG2/pWTxq/fnx7GDrRcJIcxyCq0hzfvS:rTvo8YVq/PERcHxywvS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ynopaq.exe

pid process

1168 ynopaq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe

pid	process
940	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe

pid	process
1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ynopaq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	ynopaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Uctu\\ynopaq.exe"	ynopaq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe

description pid process target process

PID 1324 set thread context of 940 1324 b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe cmd.exe

description	pid	process	target process
PID 1324 set thread context of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

ynopaq.exe

pid	process
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe
1168	ynopaq.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exeynopaq.exe

pid process

1324 b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
1168 ynopaq.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exeynopaq.exe

description	pid	process	target process
PID 1324 wrote to memory of 1168	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	ynopaq.exe
PID 1324 wrote to memory of 1168	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	ynopaq.exe
PID 1324 wrote to memory of 1168	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	ynopaq.exe
PID 1324 wrote to memory of 1168	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	ynopaq.exe
PID 1168 wrote to memory of 1124	1168	ynopaq.exe	taskhost.exe
PID 1168 wrote to memory of 1124	1168	ynopaq.exe	taskhost.exe
PID 1168 wrote to memory of 1124	1168	ynopaq.exe	taskhost.exe
PID 1168 wrote to memory of 1124	1168	ynopaq.exe	taskhost.exe
PID 1168 wrote to memory of 1124	1168	ynopaq.exe	taskhost.exe
PID 1168 wrote to memory of 1176	1168	ynopaq.exe	Dwm.exe
PID 1168 wrote to memory of 1176	1168	ynopaq.exe	Dwm.exe
PID 1168 wrote to memory of 1176	1168	ynopaq.exe	Dwm.exe
PID 1168 wrote to memory of 1176	1168	ynopaq.exe	Dwm.exe
PID 1168 wrote to memory of 1176	1168	ynopaq.exe	Dwm.exe
PID 1168 wrote to memory of 1208	1168	ynopaq.exe	Explorer.EXE
PID 1168 wrote to memory of 1208	1168	ynopaq.exe	Explorer.EXE
PID 1168 wrote to memory of 1208	1168	ynopaq.exe	Explorer.EXE
PID 1168 wrote to memory of 1208	1168	ynopaq.exe	Explorer.EXE
PID 1168 wrote to memory of 1208	1168	ynopaq.exe	Explorer.EXE
PID 1168 wrote to memory of 1324	1168	ynopaq.exe	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
PID 1168 wrote to memory of 1324	1168	ynopaq.exe	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
PID 1168 wrote to memory of 1324	1168	ynopaq.exe	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
PID 1168 wrote to memory of 1324	1168	ynopaq.exe	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
PID 1168 wrote to memory of 1324	1168	ynopaq.exe	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe
PID 1324 wrote to memory of 940	1324	b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe
"C:\Users\Admin\AppData\Local\Temp\b5d4f5babecdf1f4f43e5e0afc42a9a8ae3a9e8311eaaf777914cac3dc6d2f0a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Roaming\Uctu\ynopaq.exe
"C:\Users\Admin\AppData\Roaming\Uctu\ynopaq.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp943b44e4.bat"
3⤵
- Deletes itself
PID:940

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp943b44e4.bat

Filesize
307B

MD5
70836e2a037adc3b6debdfee3da914cd

SHA1
6998ec7fcec42f38e4edeea21ca4ad798180a9e7

SHA256
1d49083f96f71ec1ea69d8ed3623a93b08806ebb87192095be84b1c9b0b9b2ca

SHA512
e9674303ebe82676f73de006d41cc870616c3cb59d54e559ef823fb67947b4aacda3fd9edf2cca599d7b1e210c79351a5b14f5ba9e84efc491b5217af0fa5525

Download Submit
C:\Users\Admin\AppData\Roaming\Uctu\ynopaq.exe

Filesize
270KB

MD5
8f9ac047b857a73fcae5145650c9c8c9

SHA1
590b60a2175f54d74de848a63879200f281a3c67

SHA256
1c3351041491a24ed094d8fa0d64a6b07574c56da47c66f55ba3178d7bc9560c

SHA512
bad5b54ad417923e1ea42c1108199fcc5d3525a1ae44fe6552020a7ab8927f3777742e54e8e097d0d7e5f98cac8ba4a592ce621088ec4bb80121c3690423fab1

Download Submit
C:\Users\Admin\AppData\Roaming\Uctu\ynopaq.exe

Filesize
270KB

MD5
8f9ac047b857a73fcae5145650c9c8c9

SHA1
590b60a2175f54d74de848a63879200f281a3c67

SHA256
1c3351041491a24ed094d8fa0d64a6b07574c56da47c66f55ba3178d7bc9560c

SHA512
bad5b54ad417923e1ea42c1108199fcc5d3525a1ae44fe6552020a7ab8927f3777742e54e8e097d0d7e5f98cac8ba4a592ce621088ec4bb80121c3690423fab1

Download Submit
\Users\Admin\AppData\Roaming\Uctu\ynopaq.exe

Filesize
270KB

MD5
8f9ac047b857a73fcae5145650c9c8c9

SHA1
590b60a2175f54d74de848a63879200f281a3c67

SHA256
1c3351041491a24ed094d8fa0d64a6b07574c56da47c66f55ba3178d7bc9560c

SHA512
bad5b54ad417923e1ea42c1108199fcc5d3525a1ae44fe6552020a7ab8927f3777742e54e8e097d0d7e5f98cac8ba4a592ce621088ec4bb80121c3690423fab1

Download Submit
\Users\Admin\AppData\Roaming\Uctu\ynopaq.exe

Filesize
270KB

MD5
8f9ac047b857a73fcae5145650c9c8c9

SHA1
590b60a2175f54d74de848a63879200f281a3c67

SHA256
1c3351041491a24ed094d8fa0d64a6b07574c56da47c66f55ba3178d7bc9560c

SHA512
bad5b54ad417923e1ea42c1108199fcc5d3525a1ae44fe6552020a7ab8927f3777742e54e8e097d0d7e5f98cac8ba4a592ce621088ec4bb80121c3690423fab1

Download Submit
memory/940-91-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/940-107-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/940-93-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/940-92-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/940-94-0x000000000009E4C8-mapping.dmp

Download
memory/940-89-0x0000000000090000-0x00000000000D2000-memory.dmp

Filesize
264KB

Download
memory/1124-66-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1124-68-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1124-67-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1124-65-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1124-63-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/1168-102-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1168-104-0x0000000000360000-0x00000000003A6000-memory.dmp

Filesize
280KB

Download
memory/1168-105-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1168-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1168-59-0x0000000000000000-mapping.dmp

Download
memory/1168-108-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1176-74-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1176-71-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1176-72-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1176-73-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1208-80-0x0000000002470000-0x00000000024B2000-memory.dmp

Filesize
264KB

Download
memory/1208-77-0x0000000002470000-0x00000000024B2000-memory.dmp

Filesize
264KB

Download
memory/1208-79-0x0000000002470000-0x00000000024B2000-memory.dmp

Filesize
264KB

Download
memory/1208-78-0x0000000002470000-0x00000000024B2000-memory.dmp

Filesize
264KB

Download
memory/1324-83-0x00000000022A0000-0x00000000022E2000-memory.dmp

Filesize
264KB

Download
memory/1324-86-0x00000000022A0000-0x00000000022E2000-memory.dmp

Filesize
264KB

Download
memory/1324-99-0x00000000022A0000-0x00000000022E2000-memory.dmp

Filesize
264KB

Download
memory/1324-98-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1324-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-96-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1324-100-0x00000000022A0000-0x00000000022E6000-memory.dmp

Filesize
280KB

Download
memory/1324-97-0x00000000002C0000-0x0000000000306000-memory.dmp

Filesize
280KB

Download
memory/1324-84-0x00000000022A0000-0x00000000022E2000-memory.dmp

Filesize
264KB

Download
memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1324-85-0x00000000022A0000-0x00000000022E2000-memory.dmp

Filesize
264KB

Download
memory/1324-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-109-0x00000000022A0000-0x00000000022E6000-memory.dmp

Filesize
280KB

Download