637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e

General

Target

637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe
Size

102KB
MD5

0229ca666a0db66270c417ec65dfa466
SHA1

c8b6160b670e1365e6ea1180472e9356f58ad855
SHA256

637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e
SHA512

eeb276563a3f13eb4ff4baa2e38baaba382698eacd919423e93f0b98a6f452a8fa357f20df99f40fc1a33ebb11ec330ff319d20c28706a3577d9320ed4323930
SSDEEP

1536:zxgp2ZUpdiEnPVtp0rZrEfl1RKbAkzZd3DMtvLu+DIACfucWRwH+oTfQ9:zxgQWimp0rqffc8aZdgLu+8ACn5+oA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	setup.exe
3924	Ytkjw.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1688-132-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1688-137-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\VUQPX22E34P7PP2E\\Ytkjw.exe /launch"	Ytkjw.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	Ytkjw.exe
File opened (read-only)	\??\b:	Ytkjw.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	Ytkjw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ytkjw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ytkjw.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3000	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3924	Ytkjw.exe
3924	Ytkjw.exe
3924	Ytkjw.exe
3924	Ytkjw.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	setup.exe
Token: SeDebugPrivilege	2460	setup.exe
Token: SeDebugPrivilege	2460	setup.exe
Token: SeDebugPrivilege	3924	Ytkjw.exe
Token: SeDebugPrivilege	3924	Ytkjw.exe
Token: SeDebugPrivilege	3924	Ytkjw.exe
Token: SeDebugPrivilege	3924	Ytkjw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2460	setup.exe
3924	Ytkjw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2460	1688	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe	84
PID 1688 wrote to memory of 2460	1688	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe	84
PID 1688 wrote to memory of 2460	1688	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe	84
PID 1688 wrote to memory of 1572	1688	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe	85
PID 1688 wrote to memory of 1572	1688	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe	85
PID 1688 wrote to memory of 1572	1688	637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe	85
PID 1572 wrote to memory of 3000	1572	cmd.exe	87
PID 1572 wrote to memory of 3000	1572	cmd.exe	87
PID 1572 wrote to memory of 3000	1572	cmd.exe	87
PID 2460 wrote to memory of 3924	2460	setup.exe	88
PID 2460 wrote to memory of 3924	2460	setup.exe	88
PID 2460 wrote to memory of 3924	2460	setup.exe	88

C:\Users\Admin\AppData\Local\Temp\637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe
"C:\Users\Admin\AppData\Local\Temp\637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Datas\setup.exe
  "C:\Datas\setup.exe" launch
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - \??\c:\VUQPX22E34P7PP2E\Ytkjw.exe
    launch
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping -n 5 127.0.0.1&&del "C:\Users\Admin\AppData\Local\Temp\637e2843f389d91102d02bc5bf5e3f7c5cd89fa5118328bc91a48623776bd70e.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Datas\Config.ini

Filesize
104KB

MD5
35ad9328104fc9784f4d6b08fc4bf0b3

SHA1
f5169520dd16db20639869c79813e4a239a7dc1e

SHA256
557d3efc17bd4429f7ae8dade1c5574fb3f9bc24f15642bc088a5f326c4314cb

SHA512
62646b83367447ded9b0270d5bfac2b0d8b21c229eac50911caf6080b30a9a23a232f4c3ae34f8ffa120cdaac61f057895fac380b6ef02f4f1e40af3fe5c176d

Download Submit
C:\Datas\Setup.exe

Filesize
36KB

MD5
dd7dfd8095a4df03a0516d19ded7247a

SHA1
ea32a3c877aa18697aecb3b7565fd6421d24bb42

SHA256
01ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0

SHA512
43fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966

Download Submit
C:\Datas\setup.exe

Filesize
36KB

MD5
dd7dfd8095a4df03a0516d19ded7247a

SHA1
ea32a3c877aa18697aecb3b7565fd6421d24bb42

SHA256
01ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0

SHA512
43fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966

Download Submit
C:\VUQPX22E34P7PP2E\Ytkjw.exe

Filesize
36KB

MD5
dd7dfd8095a4df03a0516d19ded7247a

SHA1
ea32a3c877aa18697aecb3b7565fd6421d24bb42

SHA256
01ea215f45d07e65cbb28c216386d4161670fb625815c47ef8ec91c02dbb0cd0

SHA512
43fcfba1b51f684ca0771d9f4e74f5dcb83c1172cc2c727aa6e202e3dbefd29f7e47ce73dc163a18793e2c38d68e056d3b7aa25645c2e316782f316349127966

Download Submit
memory/1688-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1688-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2460-139-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2460-145-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3924-148-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3924-153-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads