4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b

Analysis

max time kernel
177s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe
Size

2.7MB
MD5

657a3819d3661e1df5f6f3109b06c08a
SHA1

0d4ac748e5fdf00f748dacd3444af96c7a46ad47
SHA256

4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b
SHA512

279ff2519a090868fadd98b587deb72d275dd6fdf5d42e627e74fb17ffc32de519ae330517bda9e29181f89031cdeb9c658828828b950375c8e2aad669b4c5d4
SSDEEP

49152:82uhDSNs9swEr61JWFwCnYY8eguJGuqlSlG6YwWCSdXb2C59:82GOa9swu4J69nYv5lmY2m

Score

9^/10

evasion persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcr71.dll	acprotect
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSVCR71.dll	acprotect

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Yandex Money Hack v 1.5.exeYandex.exe

pid process

3844 Yandex Money Hack v 1.5.exe
3168 Yandex.exe

pid	process
3844	Yandex Money Hack v 1.5.exe
3168	Yandex.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcr71.dll	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSVCR71.dll	upx
behavioral2/memory/3168-148-0x000000007C360000-0x000000007C3C0000-memory.dmp	upx
behavioral2/memory/3168-149-0x000000007C360000-0x000000007C3C0000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exeYandex Money Hack v 1.5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Yandex Money Hack v 1.5.exe

Drops startup file 7 IoCs

Processes:

Yandex Money Hack v 1.5.exe4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcr71.dll	Yandex Money Hack v 1.5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex.exe	Yandex Money Hack v 1.5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex.exe	Yandex Money Hack v 1.5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex Money Hack v 1.5.exe	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex Money Hack v 1.5.exe	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240585296	Yandex Money Hack v 1.5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcr71.dll	Yandex Money Hack v 1.5.exe

Loads dropped DLL 6 IoCs

Processes:

Yandex.exe

pid process

3168 Yandex.exe
3168 Yandex.exe
3168 Yandex.exe
3168 Yandex.exe
3168 Yandex.exe
3168 Yandex.exe

pid	process
3168	Yandex.exe
3168	Yandex.exe
3168	Yandex.exe
3168	Yandex.exe
3168	Yandex.exe
3168	Yandex.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DLBONCEJCNKBJCH = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Yandex Money Hack v 1.5.exe"	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4916 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4916 taskkill.exe

pid	process
4916	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4916	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exeYandex Money Hack v 1.5.exeYandex.execmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 3844	1532	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe	Yandex Money Hack v 1.5.exe
PID 1532 wrote to memory of 3844	1532	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe	Yandex Money Hack v 1.5.exe
PID 1532 wrote to memory of 3844	1532	4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe	Yandex Money Hack v 1.5.exe
PID 3844 wrote to memory of 3168	3844	Yandex Money Hack v 1.5.exe	Yandex.exe
PID 3844 wrote to memory of 3168	3844	Yandex Money Hack v 1.5.exe	Yandex.exe
PID 3844 wrote to memory of 3168	3844	Yandex Money Hack v 1.5.exe	Yandex.exe
PID 3168 wrote to memory of 2132	3168	Yandex.exe	cmd.exe
PID 3168 wrote to memory of 2132	3168	Yandex.exe	cmd.exe
PID 3168 wrote to memory of 2132	3168	Yandex.exe	cmd.exe
PID 2132 wrote to memory of 4916	2132	cmd.exe	taskkill.exe
PID 2132 wrote to memory of 4916	2132	cmd.exe	taskkill.exe
PID 2132 wrote to memory of 4916	2132	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe
"C:\Users\Admin\AppData\Local\Temp\4f91494a377bf2eb0ee0d969a73ff960d53e04821d2bb2e06af965a6aa001d2b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex Money Hack v 1.5.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex Money Hack v 1.5.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c TASKKILL /F /IM "explorer.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM "explorer.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bcompiler.dll

Filesize
46KB

MD5
a44bca08e8ed65e636f8b68960b8d7ea

SHA1
1803024e3e62f51d474e832b67d2d8ec167b96de

SHA256
26bb0541924fd7f96c22df5b4f7b8cabd88ea440dd19ddefb4e2754f17eb0df4

SHA512
c83a5c4b5f38767e74b67b81f83635459e9165e4bc6574c53e77e57cfb1107aa435172375e8eee44e7fce2b50ec8f108dc8d609bad332798740de7cb6cf51e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bcompiler.dll

Filesize
46KB

MD5
a44bca08e8ed65e636f8b68960b8d7ea

SHA1
1803024e3e62f51d474e832b67d2d8ec167b96de

SHA256
26bb0541924fd7f96c22df5b4f7b8cabd88ea440dd19ddefb4e2754f17eb0df4

SHA512
c83a5c4b5f38767e74b67b81f83635459e9165e4bc6574c53e77e57cfb1107aa435172375e8eee44e7fce2b50ec8f108dc8d609bad332798740de7cb6cf51e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bz2.dll

Filesize
68KB

MD5
2f8bc6c1741bc86ee012f444c56d192e

SHA1
c4840d4d39dd8fafe4248ab96082860a0db02f6f

SHA256
ec6f6310e3a08ad80ea159c336e93cc024dae223a5bd4b08ae2e0351941aec07

SHA512
6a8e415f5d14f56a29541d50f7277f66222f4f1374fdb1f1892ce51dbc29e5ef766552518a2c78b8ae0bb5820b6eb3330b2dc9595f80b78ef6131de069a8c76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSE11\php\modules\php_bz2.dll

Filesize
68KB

MD5
2f8bc6c1741bc86ee012f444c56d192e

SHA1
c4840d4d39dd8fafe4248ab96082860a0db02f6f

SHA256
ec6f6310e3a08ad80ea159c336e93cc024dae223a5bd4b08ae2e0351941aec07

SHA512
6a8e415f5d14f56a29541d50f7277f66222f4f1374fdb1f1892ce51dbc29e5ef766552518a2c78b8ae0bb5820b6eb3330b2dc9595f80b78ef6131de069a8c76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSE11\php\php5ts.dll

Filesize
4.6MB

MD5
5483bd2f68e4be087be99e938c4de8fc

SHA1
e5e56d93b69197f11f87d8dd3e84a9697b4ced29

SHA256
e452640009a12c3a666a425515953ebd3ca29a9064ed616671d722d31f9d2dfd

SHA512
3619d7f95d48c0840439d59a81bf3e6050f445e0158527aa24d98702f5cd6a67298947e999d23cfba80b0d279afae81eddc75d24a455bc484f7b3586482b2bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSVCR71.dll

Filesize
164KB

MD5
5776a4ef7f492636c052ae64b35bf4ce

SHA1
33f56f902e20ed138baa351f7446bf40abdd62c9

SHA256
42ded6072e28ed5394b0a832a0559b8e618490764f2490dbedcf7e5479537573

SHA512
829e286fd303577c2c6352c6279b084055f2bb772650f7b26d4b0a1c7c0185385ed8bde855fcc598c09ccd79ed92fcbf47537c7ea09786fddb6005dee3b9ae6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex Money Hack v 1.5.exe

Filesize
2.7MB

MD5
74d12252ed454ae8bd82e1e3383bd185

SHA1
aa8a7089932eae18f3c9f5134f673c2ca23ef5c5

SHA256
2f934596667b74ab413f355f7650c5160d1120766f901d935f0904206db8c58b

SHA512
9af794bb84aab2de520435b7e1ae9a31885fc9dfb22cf965fbd63ab91a1c752ba943924a3cdc3276da92fe91af2252e995ff8056b7549b04ba52aee2ce358009

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex Money Hack v 1.5.exe

Filesize
2.7MB

MD5
74d12252ed454ae8bd82e1e3383bd185

SHA1
aa8a7089932eae18f3c9f5134f673c2ca23ef5c5

SHA256
2f934596667b74ab413f355f7650c5160d1120766f901d935f0904206db8c58b

SHA512
9af794bb84aab2de520435b7e1ae9a31885fc9dfb22cf965fbd63ab91a1c752ba943924a3cdc3276da92fe91af2252e995ff8056b7549b04ba52aee2ce358009

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex.exe

Filesize
6.5MB

MD5
3dff741871305e853089d2239f464a57

SHA1
61ef1165778d6cf21877df508f300dbbe1f6ea77

SHA256
84e38cad0e15d70974cd605ebe3958d14c29860516ecfaa43de3bb4fad65a3d3

SHA512
bb4d3a5e2b556df6f27b77e32842ee35fc2fc434f7a7b902eded778d853ed5362a6ccf1af2d6e248fdbcf654e6cb41a0781f3122e58ca0578fd51845c505b07c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yandex.exe

Filesize
6.5MB

MD5
3dff741871305e853089d2239f464a57

SHA1
61ef1165778d6cf21877df508f300dbbe1f6ea77

SHA256
84e38cad0e15d70974cd605ebe3958d14c29860516ecfaa43de3bb4fad65a3d3

SHA512
bb4d3a5e2b556df6f27b77e32842ee35fc2fc434f7a7b902eded778d853ed5362a6ccf1af2d6e248fdbcf654e6cb41a0781f3122e58ca0578fd51845c505b07c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msvcr71.dll

Filesize
164KB

MD5
5776a4ef7f492636c052ae64b35bf4ce

SHA1
33f56f902e20ed138baa351f7446bf40abdd62c9

SHA256
42ded6072e28ed5394b0a832a0559b8e618490764f2490dbedcf7e5479537573

SHA512
829e286fd303577c2c6352c6279b084055f2bb772650f7b26d4b0a1c7c0185385ed8bde855fcc598c09ccd79ed92fcbf47537c7ea09786fddb6005dee3b9ae6d

Download Submit
memory/2132-150-0x0000000000000000-mapping.dmp

Download
memory/3168-135-0x0000000000000000-mapping.dmp

Download
memory/3168-147-0x00000000023C0000-0x00000000023D1000-memory.dmp

Filesize
68KB

Download
memory/3168-142-0x00000000023B0000-0x00000000023BF000-memory.dmp

Filesize
60KB

Download
memory/3168-139-0x0000000010000000-0x00000000104DC000-memory.dmp

Filesize
4.9MB

Download
memory/3168-148-0x000000007C360000-0x000000007C3C0000-memory.dmp

Filesize
384KB

Download
memory/3168-149-0x000000007C360000-0x000000007C3C0000-memory.dmp

Filesize
384KB

Download
memory/3844-132-0x0000000000000000-mapping.dmp

Download
memory/4916-151-0x0000000000000000-mapping.dmp

Download