9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331

General

Target

9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Size

1.8MB
MD5

86c441bcaeb3eb434aac14c1663b34f2
SHA1

05634e7ac8e0229f90d7f9a15e4b3eee612809c2
SHA256

9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331
SHA512

862d6ddce61de5e612a79e70c03eda8b090d91991b10b509c110455490cc0077d4f645fbac4b4acabe6b70eb47bdd7f20b98d0fcee56c59498c900efbb11467e
SSDEEP

24576:HdbL3cC6dFj2oR6AnSwq/TvC4yHe0FcbGACak6OWxyb/rY/waa89WsXdmJSPU6D:HRsCA/jHeuFaDOWATrzaa89WlQMi

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

Processes:

9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe

description	ioc	process
File created	C:\Windows\SysWOW64\yytmp\yyws1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File opened for modification	C:\Windows\SysWOW64\yytmp\yyws1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\yytmp\ywsfiletmp.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File opened for modification	C:\Windows\SysWOW64\ÓÑÒæÎÄÊé.exe	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\yytmp\yywsmu1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\yytmp\yywslk1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File opened for modification	C:\Windows\SysWOW64\yytmp\ÓÑÒæÎÄÊé.exe	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\ÓÑÒæÎÄÊé.exe	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File opened for modification	C:\Windows\SysWOW64\yytmp\yywsmu1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File opened for modification	C:\Windows\SysWOW64\yytmp\yywssx1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\yytmp\yywssx1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File opened for modification	C:\Windows\SysWOW64\yytmp\yywslk1.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\yytmp\ÓÑÒæÎÄÊé.exe	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
File created	C:\Windows\SysWOW64\yytmp\yadverser.tmp	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe

Modifies registry class 15 IoCs

Processes:

9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.yws\ = "ywsfile"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open\command	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\ÓÑÒæÎÄÊé.exe,2"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\ = "ÓÑÒæÎÄÊé"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version\ = "5.2.4"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open\command\ = "C:\\Windows\\SysWow64\\ÓÑÒæÎÄÊé.exe %1"	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.yws	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\DefaultIcon	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe

pid	process
1916	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
1916	9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe

C:\Users\Admin\AppData\Local\Temp\9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe
"C:\Users\Admin\AppData\Local\Temp\9747ef0339460f2d12c865420041baa61cb8991334d74189a5f2fdd8adf32331.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1916

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads