833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1

General

Target

833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe
Size

299KB
MD5

06a8d9b0ad5af32b05f6269fa507cb2d
SHA1

8551ff05e0daf82b0d9608b93c7d3dd075ffbc50
SHA256

833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1
SHA512

20e7b1ba9296ebac5fe97c1a5b6207a909eb76a0b53a5b061ec56e22d273296c18d64efa8de6bfdb14a76662afe9d77b06ad717c97de03679c83f2f53d6bc5c2
SSDEEP

6144:0VKvptNqxv4ypQCF6y4FnjRIcAlDOEBF/PeAdmyJh2rQIeP9FD4EA:06Rqp4SQCF945S91jBBeAn0vwzk

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yryhdbmu.exe

pid process

1092 yryhdbmu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1212 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeyryhdbmu.exe

pid process

1212 cmd.exe
1212 cmd.exe
1092 yryhdbmu.exe

pid	process
1212	cmd.exe

pid	process
1212	cmd.exe
1212	cmd.exe
1092	yryhdbmu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1156 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

668 PING.EXE

pid	process
1156	taskkill.exe

pid	process
668	PING.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

yryhdbmu.exe

pid	process
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe
1092	yryhdbmu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1156 taskkill.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

yryhdbmu.exe

pid process

1092 yryhdbmu.exe
1092 yryhdbmu.exe
1092 yryhdbmu.exe
1092 yryhdbmu.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

yryhdbmu.exe

pid process

1092 yryhdbmu.exe
1092 yryhdbmu.exe
1092 yryhdbmu.exe
1092 yryhdbmu.exe

description	pid	process
Token: SeDebugPrivilege	1156	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 1212	1448	833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe	cmd.exe
PID 1448 wrote to memory of 1212	1448	833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe	cmd.exe
PID 1448 wrote to memory of 1212	1448	833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe	cmd.exe
PID 1448 wrote to memory of 1212	1448	833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe	cmd.exe
PID 1212 wrote to memory of 1156	1212	cmd.exe	taskkill.exe
PID 1212 wrote to memory of 1156	1212	cmd.exe	taskkill.exe
PID 1212 wrote to memory of 1156	1212	cmd.exe	taskkill.exe
PID 1212 wrote to memory of 1156	1212	cmd.exe	taskkill.exe
PID 1212 wrote to memory of 668	1212	cmd.exe	PING.EXE
PID 1212 wrote to memory of 668	1212	cmd.exe	PING.EXE
PID 1212 wrote to memory of 668	1212	cmd.exe	PING.EXE
PID 1212 wrote to memory of 668	1212	cmd.exe	PING.EXE
PID 1212 wrote to memory of 1092	1212	cmd.exe	yryhdbmu.exe
PID 1212 wrote to memory of 1092	1212	cmd.exe	yryhdbmu.exe
PID 1212 wrote to memory of 1092	1212	cmd.exe	yryhdbmu.exe
PID 1212 wrote to memory of 1092	1212	cmd.exe	yryhdbmu.exe

C:\Users\Admin\AppData\Local\Temp\833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe
"C:\Users\Admin\AppData\Local\Temp\833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1448 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1.exe" & start C:\Users\Admin\AppData\Local\yryhdbmu.exe -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1448
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:668

C:\Users\Admin\AppData\Local\yryhdbmu.exe
C:\Users\Admin\AppData\Local\yryhdbmu.exe -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1092

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\yryhdbmu.exe
Filesize
299KB

MD5
06a8d9b0ad5af32b05f6269fa507cb2d

SHA1
8551ff05e0daf82b0d9608b93c7d3dd075ffbc50

SHA256
833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1

SHA512
20e7b1ba9296ebac5fe97c1a5b6207a909eb76a0b53a5b061ec56e22d273296c18d64efa8de6bfdb14a76662afe9d77b06ad717c97de03679c83f2f53d6bc5c2

Download Submit
C:\Users\Admin\AppData\Local\yryhdbmu.exe
Filesize
299KB

MD5
06a8d9b0ad5af32b05f6269fa507cb2d

SHA1
8551ff05e0daf82b0d9608b93c7d3dd075ffbc50

SHA256
833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1

SHA512
20e7b1ba9296ebac5fe97c1a5b6207a909eb76a0b53a5b061ec56e22d273296c18d64efa8de6bfdb14a76662afe9d77b06ad717c97de03679c83f2f53d6bc5c2

Download Submit
\Users\Admin\AppData\Local\yryhdbmu.exe
Filesize
299KB

MD5
06a8d9b0ad5af32b05f6269fa507cb2d

SHA1
8551ff05e0daf82b0d9608b93c7d3dd075ffbc50

SHA256
833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1

SHA512
20e7b1ba9296ebac5fe97c1a5b6207a909eb76a0b53a5b061ec56e22d273296c18d64efa8de6bfdb14a76662afe9d77b06ad717c97de03679c83f2f53d6bc5c2

Download Submit
\Users\Admin\AppData\Local\yryhdbmu.exe
Filesize
299KB

MD5
06a8d9b0ad5af32b05f6269fa507cb2d

SHA1
8551ff05e0daf82b0d9608b93c7d3dd075ffbc50

SHA256
833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1

SHA512
20e7b1ba9296ebac5fe97c1a5b6207a909eb76a0b53a5b061ec56e22d273296c18d64efa8de6bfdb14a76662afe9d77b06ad717c97de03679c83f2f53d6bc5c2

Download Submit
\Users\Admin\AppData\Local\yryhdbmu.exe
Filesize
299KB

MD5
06a8d9b0ad5af32b05f6269fa507cb2d

SHA1
8551ff05e0daf82b0d9608b93c7d3dd075ffbc50

SHA256
833af9a70a64ee226149367dd378d6d81cc4584ff95b8950ddf1cce23829ddc1

SHA512
20e7b1ba9296ebac5fe97c1a5b6207a909eb76a0b53a5b061ec56e22d273296c18d64efa8de6bfdb14a76662afe9d77b06ad717c97de03679c83f2f53d6bc5c2

Download Submit
memory/668-60-0x0000000000000000-mapping.dmp

Download
memory/1092-64-0x0000000000000000-mapping.dmp

Download
memory/1092-70-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1092-71-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1156-59-0x0000000000000000-mapping.dmp

Download
memory/1212-57-0x0000000000000000-mapping.dmp

Download
memory/1448-58-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-56-0x0000000001000000-0x00000000010A6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads