fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374

Analysis

max time kernel
196s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
Size

14.4MB
MD5

1e689754e627e3b7cf3f7e40eec7d75c
SHA1

c54b121f0b85e91003d78607bf1fa6718c256029
SHA256

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374
SHA512

515444eec9c8d7ed0e9d0dff4c930fc5e60678fc3a32546213593bdbd69b621e31863d45bd0d30afc1d8b70f7832c0d2e95fa7d208a4e53cb4e7aaef3767c4c2
SSDEEP

393216:QJmhtTMVQl4CpDTzx7pKNy/wmFAHlcnZzRok/c74vCCcRVLBCy:QJst6OhpDFAGn7/RCCWVBCy

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

yclacfs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\DownloadSave\\yclacfs.exe"	yclacfs.exe

Drops file in Drivers directory 2 IoCs

Processes:

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe

Executes dropped EXE 4 IoCs

Processes:

bbGame.exeDownloader.exebbGame.tmpyclacfs.exe

pid process

2228 bbGame.exe
2168 Downloader.exe
3848 bbGame.tmp
3420 yclacfs.exe

pid	process
2228	bbGame.exe
2168	Downloader.exe
3848	bbGame.tmp
3420	yclacfs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe

Loads dropped DLL 2 IoCs

Processes:

bbGame.tmp

pid process

3848 bbGame.tmp
3848 bbGame.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Downloader.exe

pid process

2168 Downloader.exe
2168 Downloader.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Downloader.exeyclacfs.exe

pid process

2168 Downloader.exe
3420 yclacfs.exe
3420 yclacfs.exe
3420 yclacfs.exe
3420 yclacfs.exe
3420 yclacfs.exe
3420 yclacfs.exe
3420 yclacfs.exe

pid	process
3848	bbGame.tmp
3848	bbGame.tmp

pid	process
2168	Downloader.exe
2168	Downloader.exe

pid	process
668
668

pid	process
2168	Downloader.exe
3420	yclacfs.exe
3420	yclacfs.exe
3420	yclacfs.exe
3420	yclacfs.exe
3420	yclacfs.exe
3420	yclacfs.exe
3420	yclacfs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exebbGame.exeDownloader.exe

description	pid	process	target process
PID 1844 wrote to memory of 2228	1844	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1844 wrote to memory of 2228	1844	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1844 wrote to memory of 2228	1844	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	bbGame.exe
PID 1844 wrote to memory of 2168	1844	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 1844 wrote to memory of 2168	1844	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 1844 wrote to memory of 2168	1844	fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe	Downloader.exe
PID 2228 wrote to memory of 3848	2228	bbGame.exe	bbGame.tmp
PID 2228 wrote to memory of 3848	2228	bbGame.exe	bbGame.tmp
PID 2228 wrote to memory of 3848	2228	bbGame.exe	bbGame.tmp
PID 2168 wrote to memory of 3420	2168	Downloader.exe	yclacfs.exe
PID 2168 wrote to memory of 3420	2168	Downloader.exe	yclacfs.exe
PID 2168 wrote to memory of 3420	2168	Downloader.exe	yclacfs.exe

C:\Users\Admin\AppData\Local\Temp\fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe
"C:\Users\Admin\AppData\Local\Temp\fd798eaac5e7d41abb2a6ab33939793d0df3e76e247139f190b2e40009eac374.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\bbGame.exe
"C:\Users\Admin\AppData\Local\Temp\bbGame.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\is-8ROVF.tmp\bbGame.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8ROVF.tmp\bbGame.tmp" /SL5="$A01C2,14702138,56832,C:\Users\Admin\AppData\Local\Temp\bbGame.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3848

C:\Users\Admin\AppData\Local\Temp\Downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Downloader.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\ProgramData\DownloadSave\yclacfs.exe
"C:\ProgramData\DownloadSave\yclacfs.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadSave\RecordPath

Filesize
260B

MD5
24f2c38eabe958728f6da180d1764ce7

SHA1
34eb0609a1a826c7b0b6226fb21756888a2bb997

SHA256
28b1fcda7be31a1a3d2a8f82d2062ac2c67623304410bb5d742ab82a0ad27ea5

SHA512
f1a4d0d789f7a83c3fb2561e9b5b48626cbbdc24c60010cd0b18b4b05399895aeb5cba39fd5cdd3d94035c61faf26a2d5fd7d36f365bd4108860e59888c711fa

Download Submit
C:\ProgramData\DownloadSave\yclacfs.exe

Filesize
6.1MB

MD5
baa69675d0d1507de72bfa4a98bcd2d0

SHA1
8d95b768361e22ad7bf24d50a2e8d96f2dc536d2

SHA256
635e3fac79b1bb12756748d9163928967059ebe70a8a5f273a8043d16fa7df8a

SHA512
b34e6857ed8dd010197e1fcac1353b42d31e017ca03881e86ef236091082952bab6fcf30cc87c30cf434bd87ad05b06f2d74c31ee3e30a7943a9c444ff0a855d

Download Submit
C:\ProgramData\DownloadSave\yclacfs.exe

Filesize
6.1MB

MD5
baa69675d0d1507de72bfa4a98bcd2d0

SHA1
8d95b768361e22ad7bf24d50a2e8d96f2dc536d2

SHA256
635e3fac79b1bb12756748d9163928967059ebe70a8a5f273a8043d16fa7df8a

SHA512
b34e6857ed8dd010197e1fcac1353b42d31e017ca03881e86ef236091082952bab6fcf30cc87c30cf434bd87ad05b06f2d74c31ee3e30a7943a9c444ff0a855d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Downloader.exe

Filesize
129KB

MD5
e19fe4b77007fea0cf4bd8a1eb30a25f

SHA1
4e48f007d80134c38914018d40bc134b7a8c3db7

SHA256
c09bd43cea169c85875922337cfbdbe574903491b5e811422674179a64311632

SHA512
93cf3036b4db8ead7e4fbbc659bd581e8d1b2a5cc361dc6ab9a8aa19e6c2b2b0b31a09cc3a18a8b871562ea8cfd44f9b9ef01d5da2673b2bdedcdf80a3cbed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Downloader.exe

Filesize
129KB

MD5
e19fe4b77007fea0cf4bd8a1eb30a25f

SHA1
4e48f007d80134c38914018d40bc134b7a8c3db7

SHA256
c09bd43cea169c85875922337cfbdbe574903491b5e811422674179a64311632

SHA512
93cf3036b4db8ead7e4fbbc659bd581e8d1b2a5cc361dc6ab9a8aa19e6c2b2b0b31a09cc3a18a8b871562ea8cfd44f9b9ef01d5da2673b2bdedcdf80a3cbed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbGame.exe

Filesize
14.3MB

MD5
226a3433949fb2c1b50b1a15e1e82505

SHA1
d04e449e74b74dc59e6f948179165b35ad8bd4b1

SHA256
77b1edc6af0b482f47f1de3523c8e83d80d4e823e67cfe85598f410ecca60014

SHA512
4f52622a3922d5b8148aa5ed51052c950e3b74df9a4f27ee81df8b912c51f5b20b2085c1dec4e583f23655e36f580c73796b761301f998eac5a804a8eea9664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbGame.exe

Filesize
14.3MB

MD5
226a3433949fb2c1b50b1a15e1e82505

SHA1
d04e449e74b74dc59e6f948179165b35ad8bd4b1

SHA256
77b1edc6af0b482f47f1de3523c8e83d80d4e823e67cfe85598f410ecca60014

SHA512
4f52622a3922d5b8148aa5ed51052c950e3b74df9a4f27ee81df8b912c51f5b20b2085c1dec4e583f23655e36f580c73796b761301f998eac5a804a8eea9664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8ROVF.tmp\bbGame.tmp

Filesize
701KB

MD5
1ff30f1553f38ebe433432cfbbcadc67

SHA1
8d64a95509fe49ef252c8906687c58e84f6bc519

SHA256
35cd85d5ef97558dea22a5f9d9dfb23cc465b8f113f6825d82c2a2b1870dd831

SHA512
0c17dbd75ed839acaa18b34c023d7017a0acf18bf6c48f6cd21438dad61a94e254c401036f713837ddbf795d43975776e3e04f2fbf131ff74fa129803df2ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8ROVF.tmp\bbGame.tmp

Filesize
701KB

MD5
1ff30f1553f38ebe433432cfbbcadc67

SHA1
8d64a95509fe49ef252c8906687c58e84f6bc519

SHA256
35cd85d5ef97558dea22a5f9d9dfb23cc465b8f113f6825d82c2a2b1870dd831

SHA512
0c17dbd75ed839acaa18b34c023d7017a0acf18bf6c48f6cd21438dad61a94e254c401036f713837ddbf795d43975776e3e04f2fbf131ff74fa129803df2ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7SP6.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7SP6.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/2168-135-0x0000000000000000-mapping.dmp

Download
memory/2228-140-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2228-132-0x0000000000000000-mapping.dmp

Download
memory/2228-148-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2228-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3420-144-0x0000000000000000-mapping.dmp

Download
memory/3848-141-0x0000000000000000-mapping.dmp

Download
memory/3848-151-0x00000000030D1000-0x00000000030D3000-memory.dmp

Filesize
8KB

Download