962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a

General

Target

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Size

298KB
MD5

93caba46f3c5d9aeb9c9fad652a57361
SHA1

1473a0d514eae8cf4b829d552817becc5acb586a
SHA256

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a
SHA512

ce48dee408cc1acc25e15c0e9354b1fa35c30e33a12a6b66346dd0a35d2668a05d5f01ed43be2c1709fbe1dce287e57a30fa18a7983a15b96e2461f334c8d922
SSDEEP

6144:I7YfIbo3sjP3PN/dfomL4ZPba/Oauy26UjD5uL:I7tbSsD31FxCevpzUjD5uL

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yrkooncwv.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yrkooncwv.exe\DisableExceptionChainValidation	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description ioc process

File created C:\ProgramData\CreativeAudio\desktop.ini 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
File created	C:\ProgramData\CreativeAudio\desktop.ini	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	pid	process	target process
PID 4952 set thread context of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4392 schtasks.exe

pid	process
4392	schtasks.exe

Modifies registry class 6 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC\CG1	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC\CG1\HAL = 05ee0000	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC\CG1\BID = 2000080019000b00e60700001400000019000e001200310000000000c9ce8063	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

pid	process
4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

pid	process
3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

pid process

3712 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

description	pid	process
Token: SeRestorePrivilege	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Token: SeBackupPrivilege	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Token: SeDebugPrivilege	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe

C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
"C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
"C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe"
2⤵
- Sets file execution options in registry
- Checks computer location settings
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x0E7302EC" /TR "C:\ProgramData\CreativeAudio\yrkooncwv.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Security Software Discovery

1

T1063

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3712-140-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/3712-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3712-132-0x0000000000000000-mapping.dmp

Download
memory/3712-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3712-139-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/3712-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3712-144-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/3712-141-0x00000000025D0000-0x00000000025DB000-memory.dmp

Filesize
44KB

Download
memory/4192-146-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/4192-147-0x0000000000710000-0x00000000007A9000-memory.dmp

Filesize
612KB

Download
memory/4192-143-0x0000000000000000-mapping.dmp

Download
memory/4192-145-0x0000000000930000-0x00000000009AB000-memory.dmp

Filesize
492KB

Download
memory/4392-142-0x0000000000000000-mapping.dmp

Download
memory/4952-134-0x00000000020D0000-0x00000000020F7000-memory.dmp

Filesize
156KB

Download

description	pid	process	target process
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 4952 wrote to memory of 3712	4952	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
PID 3712 wrote to memory of 4392	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 3712 wrote to memory of 4392	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 3712 wrote to memory of 4392	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	schtasks.exe
PID 3712 wrote to memory of 4192	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 3712 wrote to memory of 4192	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe
PID 3712 wrote to memory of 4192	3712	962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe	WerFault.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads