30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f

Analysis

max time kernel
10s
max time network
170s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 04:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe
Size

26KB
MD5

e0d1abe7689fa441983a08fc64be1d45
SHA1

a3f7519c35ba254803dc47ee6d53deade072e449
SHA256

30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f
SHA512

b83b682668b2bbd1a4b7bbf580540d875242b7f2acc851342717981fc7cbd22cbc26b70f66d2ac635a3285e9ef509de9f5cc204e6e91a7ec6d1aa251f2e494c9
SSDEEP

384:IKL3JZC3MbKEhq0VcAjN5hGgOoyMC4GrmPCOh/pjgNZlSRI4fEX4FxCAJ7vXLry4:Iq0Mb7hegOXMCn0COh/Ych7XD7uSBX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1784	YouTube Notifier.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\YouTube Notifier = "C:\\Users\\Admin\\AppData\\Local\\Temp\\30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe"	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\YouTube Notifier = "C:\\Users\\Admin\\AppData\\Roaming\\YouTube Notifier.exe"	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe
1784	YouTube Notifier.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe
1784	YouTube Notifier.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe
1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1784	1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe	29
PID 1032 wrote to memory of 1784	1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe	29
PID 1032 wrote to memory of 1784	1032	30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe	29

C:\Users\Admin\AppData\Local\Temp\30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe
"C:\Users\Admin\AppData\Local\Temp\30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Roaming\YouTube Notifier.exe
  "C:\Users\Admin\AppData\Roaming\YouTube Notifier.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\YouTube Notifier.exe

Filesize
26KB

MD5
e0d1abe7689fa441983a08fc64be1d45

SHA1
a3f7519c35ba254803dc47ee6d53deade072e449

SHA256
30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f

SHA512
b83b682668b2bbd1a4b7bbf580540d875242b7f2acc851342717981fc7cbd22cbc26b70f66d2ac635a3285e9ef509de9f5cc204e6e91a7ec6d1aa251f2e494c9

Download Submit
C:\Users\Admin\AppData\Roaming\YouTube Notifier.exe

Filesize
26KB

MD5
e0d1abe7689fa441983a08fc64be1d45

SHA1
a3f7519c35ba254803dc47ee6d53deade072e449

SHA256
30a2b97bd8ccdbd2ceb79ffdccfd6069e5883818873da38d4f8e30c81e1ea69f

SHA512
b83b682668b2bbd1a4b7bbf580540d875242b7f2acc851342717981fc7cbd22cbc26b70f66d2ac635a3285e9ef509de9f5cc204e6e91a7ec6d1aa251f2e494c9

Download Submit
memory/1032-54-0x000007FEF3930000-0x000007FEF4353000-memory.dmp

Filesize
10.1MB

Download
memory/1032-55-0x000007FEF2890000-0x000007FEF3926000-memory.dmp

Filesize
16.6MB

Download
memory/1032-56-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/1032-57-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1032-60-0x0000000000A86000-0x0000000000AA5000-memory.dmp

Filesize
124KB

Download
memory/1784-62-0x000007FEF3930000-0x000007FEF4353000-memory.dmp

Filesize
10.1MB

Download
memory/1784-63-0x000007FEF2890000-0x000007FEF3926000-memory.dmp

Filesize
16.6MB

Download
memory/1784-64-0x0000000002026000-0x0000000002045000-memory.dmp

Filesize
124KB

Download
memory/1784-65-0x0000000002026000-0x0000000002045000-memory.dmp

Filesize
124KB

Download