ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7

General

Target

ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
Size

60KB
MD5

272c8cef702dea53313465f8006a9caf
SHA1

22396cc93577c147058d74744d097e5bba2c1dad
SHA256

ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7
SHA512

cac738e60c7a570caf9ec5f3f120e9063d8c47494b2a3c06804b0483909bc419dfa04425844e7b6195de6968d5ef5068184ef0b64d500d4564726a654831cdf5
SSDEEP

1536:FBVOrd5wHFG57GZXw4Eu8nF/w12TIeLtzEb:TVOrUHVZXw4jg/w12Tt2b

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

yauil.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yauil.exe

Executes dropped EXE 1 IoCs

Processes:

yauil.exe

pid process

592 yauil.exe

Loads dropped DLL 2 IoCs

Processes:

ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe

pid	process
564	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
564	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yauil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yauil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\yauil = "C:\\Users\\Admin\\yauil.exe"	yauil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yauil.exe

pid	process
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe
592	yauil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exeyauil.exe

pid process

564 ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
592 yauil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exeyauil.exe

description	pid	process	target process
PID 564 wrote to memory of 592	564	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe	yauil.exe
PID 564 wrote to memory of 592	564	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe	yauil.exe
PID 564 wrote to memory of 592	564	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe	yauil.exe
PID 564 wrote to memory of 592	564	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe	yauil.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
PID 592 wrote to memory of 564	592	yauil.exe	ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe

C:\Users\Admin\AppData\Local\Temp\ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe
"C:\Users\Admin\AppData\Local\Temp\ce47fbb8fd49fc5ea094c645de737bc214eafc35fa3842a27a81e96fb459feb7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\yauil.exe
"C:\Users\Admin\yauil.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yauil.exe

Filesize
60KB

MD5
28e803f35ba5803d0650396fbfefa33e

SHA1
3e4cfa742e65ef90f29dab6aeffc17c22687b034

SHA256
ac1d2fce548f9334b7999cf49ea03b5e11525148523a76136da5c2544635b604

SHA512
3dbc5813af35dedf209f1402de68016b16ca70ffc9d5dc43f50180687e1039c52edcc9f4da2a9bb12aa676f3da887cce8a4786deb8ca02f58f21e77672c8af9b

Download Submit
C:\Users\Admin\yauil.exe

Filesize
60KB

MD5
28e803f35ba5803d0650396fbfefa33e

SHA1
3e4cfa742e65ef90f29dab6aeffc17c22687b034

SHA256
ac1d2fce548f9334b7999cf49ea03b5e11525148523a76136da5c2544635b604

SHA512
3dbc5813af35dedf209f1402de68016b16ca70ffc9d5dc43f50180687e1039c52edcc9f4da2a9bb12aa676f3da887cce8a4786deb8ca02f58f21e77672c8af9b

Download Submit
\Users\Admin\yauil.exe

Filesize
60KB

MD5
28e803f35ba5803d0650396fbfefa33e

SHA1
3e4cfa742e65ef90f29dab6aeffc17c22687b034

SHA256
ac1d2fce548f9334b7999cf49ea03b5e11525148523a76136da5c2544635b604

SHA512
3dbc5813af35dedf209f1402de68016b16ca70ffc9d5dc43f50180687e1039c52edcc9f4da2a9bb12aa676f3da887cce8a4786deb8ca02f58f21e77672c8af9b

Download Submit
\Users\Admin\yauil.exe

Filesize
60KB

MD5
28e803f35ba5803d0650396fbfefa33e

SHA1
3e4cfa742e65ef90f29dab6aeffc17c22687b034

SHA256
ac1d2fce548f9334b7999cf49ea03b5e11525148523a76136da5c2544635b604

SHA512
3dbc5813af35dedf209f1402de68016b16ca70ffc9d5dc43f50180687e1039c52edcc9f4da2a9bb12aa676f3da887cce8a4786deb8ca02f58f21e77672c8af9b

Download Submit
memory/564-56-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/592-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads