818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583

Analysis

max time kernel
152s
max time network
84s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 01:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
Size

204KB
MD5

85e2eb2bc495704ea090697353284b9c
SHA1

ef38c6de3a022a17d6babd7d71d1133083554eb0
SHA256

818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583
SHA512

f824640154da8f58eb7ada4b413c8c4aa700af21d56b7017f689c86af67cee83c7d969546d1c276197eafcd2d8e1eeb94d91dee423abd1d20077ff1ff467eef6
SSDEEP

3072:aCuTo/0YxV0tQ9nLHbB9WPliBs2HWWEakGJm9QX:aC3H4QxL7B9WPli+yWWEazl

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ypdaw.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	ypdaw.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /v"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /f"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /s"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /e"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /c"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /o"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /w"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /t"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /p"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /y"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /k"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /u"	ypdaw.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /h"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /a"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /l"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /z"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /i"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /q"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /m"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /g"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /d"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /j"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /n"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /r"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /r"	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /x"	ypdaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ypdaw = "C:\\Users\\Admin\\ypdaw.exe /b"	ypdaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe
1168	ypdaw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
1168	ypdaw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1168	1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe	27
PID 1872 wrote to memory of 1168	1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe	27
PID 1872 wrote to memory of 1168	1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe	27
PID 1872 wrote to memory of 1168	1872	818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe	27

C:\Users\Admin\AppData\Local\Temp\818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe
"C:\Users\Admin\AppData\Local\Temp\818586f1600cf474c57c2c7d4a03d932c509172a8d1e370825caf21150146583.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\ypdaw.exe
  "C:\Users\Admin\ypdaw.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ypdaw.exe

Filesize
204KB

MD5
db7ad6026fb4a21f63a7841fd971d949

SHA1
3173de3626c99a5abb7fcb9b518f02e1476c1640

SHA256
79a7ed32fd247ab944d8d5a899cfea40f5b7e0f78fd9864df86abba1dec9289a

SHA512
df31ff11b224622b812fe8722d540726545f6dc65e6a3a72331030bc4466fc6b8fed01803782fc18b012f4fcc8d2597006401a29486c3809783fcb0a86568687

Download Submit
C:\Users\Admin\ypdaw.exe

Filesize
204KB

MD5
db7ad6026fb4a21f63a7841fd971d949

SHA1
3173de3626c99a5abb7fcb9b518f02e1476c1640

SHA256
79a7ed32fd247ab944d8d5a899cfea40f5b7e0f78fd9864df86abba1dec9289a

SHA512
df31ff11b224622b812fe8722d540726545f6dc65e6a3a72331030bc4466fc6b8fed01803782fc18b012f4fcc8d2597006401a29486c3809783fcb0a86568687

Download Submit
\Users\Admin\ypdaw.exe

Filesize
204KB

MD5
db7ad6026fb4a21f63a7841fd971d949

SHA1
3173de3626c99a5abb7fcb9b518f02e1476c1640

SHA256
79a7ed32fd247ab944d8d5a899cfea40f5b7e0f78fd9864df86abba1dec9289a

SHA512
df31ff11b224622b812fe8722d540726545f6dc65e6a3a72331030bc4466fc6b8fed01803782fc18b012f4fcc8d2597006401a29486c3809783fcb0a86568687

Download Submit
\Users\Admin\ypdaw.exe

Filesize
204KB

MD5
db7ad6026fb4a21f63a7841fd971d949

SHA1
3173de3626c99a5abb7fcb9b518f02e1476c1640

SHA256
79a7ed32fd247ab944d8d5a899cfea40f5b7e0f78fd9864df86abba1dec9289a

SHA512
df31ff11b224622b812fe8722d540726545f6dc65e6a3a72331030bc4466fc6b8fed01803782fc18b012f4fcc8d2597006401a29486c3809783fcb0a86568687

Download Submit
memory/1168-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1168-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1872-57-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1872-64-0x0000000002D10000-0x0000000002D5C000-memory.dmp

Filesize
304KB

Download
memory/1872-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download