Analysis

max time kernel: 177s
max time network: 104s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 18:48
Static task: static1

Behavioral task: behavioral1
  Sample: b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe
  Resource: win10v2004-20221111-en
General

Target: b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe
Size: 88KB
MD5: 748ec7b6f01dc4cfe734ddde128379ad
SHA1: 58b9df240f833b785fc3d5d69810eb573ee0858c
SHA256: b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497
SHA512: 3ab3b254d078b236c72f28bfe13bc4c8c478717a08493caf6f8bff0aef0a17894cdcc536330a7e6a4f0cc5f309b55c16d8afb26738eb8b94e0459f91a0ca12e7
SSDEEP: 768:QCxXPXxmJwemFIkud+P9WiMTwOUMBHFIkNcXHoaLtAy9ZZ1RG+naYn6fSFTsFJdY:/lVsfMZ1G0L+mRZx1sR1z
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: yaamig.exe
  ShowSuperHidden = 0 puts Explorer back to hiding protected operating system files (the Windows default), so any file the dropped binary marks hidden+system stays out of view in the file browser.
Executes dropped EXE (1 IoC)
  pid 1772  yaamig.exe

Loads dropped DLL (2 IoCs)
  pid 1648  b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe  (2 identical entries)
Adds Run key to start application (2 TTPs, 45 IoCs)
  process: yaamig.exe (every entry)
  key: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Key created: ...\CurrentVersion\Run\ (1 entry; it sits between the /T and /G writes in the report's ordering)
  Set value (str): ...\CurrentVersion\Run\yaamig = "C:\\Users\\Admin\\yaamig.exe /<switch>" (44 entries, one per switch, in the order the report lists them):
    /P /B /R /r /H /g /t /k /a /m /u /w /W /Y /X /n /M /d /E /z /T
    /G /O /S /C /v /l /L /e /o /s /y
    /J /q /F /c /N /I /j /f /D /x /U
    /p
  All 44 writes target the same value name; each overwrites the previous one, so whatever the registry holds at the end is just the last switch written. Detection and cleanup should key on the value name (yaamig) and the image path (an executable dropped directly under the user profile root), not on any particular switch.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic heuristic for drive enumeration; nothing else in this report (no file-modification or encryption signature) backs up the ransomware reading, so treat it as drive discovery until shown otherwise.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1772  yaamig.exe  (64 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1648  b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe
  pid 1772  yaamig.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   Process                                                              procid_target  entries
  PID 1648 wrote to memory of 1772     1648  b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe  28             4
  PID 1772 wrote to memory of 1648     1772  yaamig.exe                                                           18             60
  The writes go both ways: the original sample writes into the dropped copy it spawns, and the dropped copy then writes back into its parent.
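The registry and WriteProcessMemory tables above are flattened into single lines, which hides how few distinct facts they contain. The following parser, added here as an example and not part of the sandbox report or the sample itself, turns a few of those rows into structured findings: it collapses the repeated Run-value writes into one persistence entry with its image path and the switches seen, flags the ShowSuperHidden change, and aggregates the WriteProcessMemory rows into per-pair counts so the parent/child cross-writes stand out. The row text is constructed from a subset of the entries shown above; the hive path and value names are the report's own, while the row regexes and the "path without spaces" assumption are mine.

```python
"""Turn the flattened registry and WriteProcessMemory tables of a sandbox
report into structured, de-duplicated findings.

Added example; this is not part of the sandbox report or of the sample's
code. The sample text is constructed from a subset of the rows shown in
the report (the real tables hold 45 and 64 rows respectively).
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000"
RUN_KEY = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: the ShowSuperHidden row, five of the 44 Run-value
# writes and the 'Key created' row, flattened as in the report extract
# (the data column shows backslashes doubled, as the report renders them).
REGISTRY_TEXT = (
    r"Set value (int) " + USER_HIVE
    + r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yaamig.exe '
    + "".join(
        r"Set value (str) " + RUN_KEY + r'\yaamig = "C:\\Users\\Admin\\yaamig.exe /' + sw + '" yaamig.exe '
        for sw in ("P", "B", "R", "r", "H")
    )
    + r"Key created " + RUN_KEY + r"\ yaamig.exe"
)

# Constructed sample: two parent->child rows and three child->parent rows.
WPM_TEXT = (
    "PID 1648 wrote to memory of 1772 1648 "
    "b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe 28 " * 2
    + "PID 1772 wrote to memory of 1648 1772 yaamig.exe 18 " * 3
)

REG_ROW = re.compile(
    r"(?P<action>Set value \((?P<kind>str|int)\)|Key created) "
    r"(?P<path>\\REGISTRY\\\S+)"
    r'(?: = "(?P<data>[^"]*)")? '
    r"(?P<process>\S+)"
)
WPM_ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<process>\S+) (?P<target>\d+)"
)


def parse_registry_rows(text: str) -> List[Dict[str, str]]:
    """Split a flattened registry-IoC table into one dict per row."""
    rows = []
    for m in REG_ROW.finditer(text):
        path = m["path"]
        if m["action"] == "Key created":
            key, name = path.rstrip("\\"), ""
        else:
            key, _, name = path.rpartition("\\")
        data = (m["data"] or "").replace("\\\\", "\\")  # undo the report's escaping
        rows.append({"action": "create" if m["action"] == "Key created" else "set",
                     "kind": m["kind"] or "", "key": key, "name": name,
                     "data": data, "process": m["process"]})
    return rows


def summarise_run_keys(rows: List[Dict[str, str]]) -> Dict[Tuple[str, str], dict]:
    """Collapse repeated writes to the same Run value into one finding:
    image path(s), the distinct switches seen and the number of writes."""
    summary: Dict[Tuple[str, str], dict] = {}
    for r in rows:
        if r["action"] != "set" or not r["key"].lower().endswith(r"\currentversion\run"):
            continue
        # Assumes an unquoted image path without spaces, as in this report.
        image, _, args = r["data"].partition(" ")
        entry = summary.setdefault((r["key"], r["name"]),
                                   {"images": set(), "switches": set(), "writes": 0})
        entry["images"].add(image)
        if args:
            entry["switches"].add(args)
        entry["writes"] += 1
    return summary


def hides_system_files(rows: List[Dict[str, str]]) -> bool:
    """True if Explorer was set back to hiding protected OS files."""
    return any(r["name"] == "ShowSuperHidden" and r["data"] == "0" for r in rows)


def injection_edges(text: str) -> Counter:
    """Count WriteProcessMemory rows per (source pid, target pid, source image)."""
    return Counter((int(m["src"]), int(m["dst"]), m["process"]) for m in WPM_ROW.finditer(text))


def mutual_writers(edges: Counter) -> List[Tuple[int, int]]:
    """Pid pairs that wrote into each other; a plain process tree only
    shows the parent->child direction."""
    pairs = {(s, d) for s, d, _ in edges}
    return sorted((s, d) for s, d in pairs if s < d and (d, s) in pairs)


if __name__ == "__main__":
    rows = parse_registry_rows(REGISTRY_TEXT)
    for (key, name), info in summarise_run_keys(rows).items():
        print(f"{name}: {sorted(info['images'])} written {info['writes']}x, "
              f"switches {sorted(info['switches'])}")
    print("ShowSuperHidden disabled:", hides_system_files(rows))
    edges = injection_edges(WPM_TEXT)
    for (src, dst, proc), n in edges.items():
        print(f"{src} -> {dst} ({proc}): {n} writes")
    print("mutual writers:", mutual_writers(edges))
```

Run against the full report text the same functions give one Run-key finding with 44 switches, one ShowSuperHidden change, and the two injection edges (4 and 60 writes), which is what a triage note or a detection rule actually needs from those tables.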
Processes

C:\Users\Admin\AppData\Local\Temp\b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b091d23bbaf8d6d6bf0d48299a8452a979d76f497c69476f4d46cc60d80aa497.exe"
  PID: 1648
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\yaamig.exe (child of PID 1648)
    command line: "C:\Users\Admin\yaamig.exe"
    PID: 1772
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 88KB
MD5: 721b2386fa50d2cca3fe9a947e6940e3
SHA1: 5815f82bfc18d01616c05b1c7c025cb290c6fd4f
SHA256: 4aa54cf87340f5464e995b9315e6870fd2610cdb19c47e84bd60ea2a32c49387
SHA512: 5817f80319ee26f8bf10eafd8c1ee7b588d7a1dceed12f4b0068758354f620a53a8c3de15e970d0f34dd40bda4d760ed1a05c71b8f8ce3d7d8f155825da2bdbb
(The same entry is listed four times in the report; the file name is not given in this extract.)

Note that this file has the same 88KB size as the submitted sample but a different hash set (MD5 721b2386... versus the sample's 748ec7b6...), so the dropped artefact is not a byte-for-byte copy of the original. Hunt on both hash sets rather than only the submitted one.