Analysis
max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 07:25
Static task: static1
Behavioral task: behavioral1
  Sample: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Resource: win10v2004-20220812-en
General
Target: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Size: 298KB
MD5: 93caba46f3c5d9aeb9c9fad652a57361
SHA1: 1473a0d514eae8cf4b829d552817becc5acb586a
SHA256: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a
SHA512: ce48dee408cc1acc25e15c0e9354b1fa35c30e33a12a6b66346dd0a35d2668a05d5f01ed43be2c1709fbe1dce287e57a30fa18a7983a15b96e2461f334c8d922
SSDEEP: 6144:I7YfIbo3sjP3PN/dfomL4ZPba/Oauy26UjD5uL:I7tbSsD31FxCevpzUjD5uL
Malware Config
Signatures
Sets file execution options in registry (2 TTPs, 2 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yrkooncwv.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yrkooncwv.exe\DisableExceptionChainValidation | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Checks for any installed AV software in registry (1 TTP, 2 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Drops desktop.ini file(s) (1 IoC)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | ioc | process
  File created | C:\ProgramData\CreativeAudio\desktop.ini | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | pid | process | target process
  PID 4952 set thread context of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class (6 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC\CG1 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF} | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC\CG1\HAL = 05ee0000 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{D9373D0B-F3F7-5E48-B2AA-56DBC75D51DF}\0E7302EC\CG1\BID = 2000080019000b00e60700001400000019000e001200310000000000c9ce8063 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  pid | process
  4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  pid | process
  3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  pid | process
  3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  description | pid | process
  Token: SeRestorePrivilege | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Token: SeBackupPrivilege | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  Token: SeDebugPrivilege | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe (PID 4952), 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe (PID 3712)
  description | pid | process | target process
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 4952 wrote to memory of 3712 | 4952 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
  PID 3712 wrote to memory of 4392 | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | schtasks.exe
  PID 3712 wrote to memory of 4392 | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | schtasks.exe
  PID 3712 wrote to memory of 4392 | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | schtasks.exe
  PID 3712 wrote to memory of 4192 | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | WerFault.exe
  PID 3712 wrote to memory of 4192 | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | WerFault.exe
  PID 3712 wrote to memory of 4192 | 3712 | 962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe | WerFault.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe"
    PID: 4952
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\962a40135de9d428e5ab40df994734d90048b4ecfb30b2b4c5db88a27513a14a.exe"
        PID: 3712
        - Sets file execution options in registry
        - Checks computer location settings
        - Checks for any installed AV software in registry
        - Drops desktop.ini file(s)
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious behavior: MapViewOfSection
        - Suspicious behavior: RenamesItself
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x0E7302EC" /TR "C:\ProgramData\CreativeAudio\yrkooncwv.exe" /RL HIGHEST
            PID: 4392
            - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: "C:\Windows\SysWOW64\WerFault.exe"
            PID: 4192
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/3712-140-0x0000000000590000-0x00000000005DB000-memory.dmp (Filesize: 300KB)
memory/3712-136-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
memory/3712-132-0x0000000000000000-mapping.dmp
memory/3712-138-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
memory/3712-139-0x0000000000590000-0x00000000005DB000-memory.dmp (Filesize: 300KB)
memory/3712-133-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize: 152KB)
memory/3712-144-0x0000000000590000-0x00000000005DB000-memory.dmp (Filesize: 300KB)
memory/3712-141-0x00000000025D0000-0x00000000025DB000-memory.dmp (Filesize: 44KB)
memory/4192-146-0x0000000000710000-0x00000000007A9000-memory.dmp (Filesize: 612KB)
memory/4192-147-0x0000000000710000-0x00000000007A9000-memory.dmp (Filesize: 612KB)
memory/4192-143-0x0000000000000000-mapping.dmp
memory/4192-145-0x0000000000930000-0x00000000009AB000-memory.dmp (Filesize: 492KB)
memory/4392-142-0x0000000000000000-mapping.dmp
memory/4952-134-0x00000000020D0000-0x00000000020F7000-memory.dmp (Filesize: 156KB)