Analysis

  • max time kernel
    135s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2022 08:19

General

  • Target
    Yvbhq.exe
  • Size
    65KB
  • MD5
    9829cba45d96db58f0898ad58743a474
  • SHA1
    a3f4827d0523dac0c56e91b4538bdcf14c36570f
  • SHA256
    19d2e3e1f912a1fe23399b0a1c150e28e03ef0cff5dfb7d2d532f705769862b5
  • SHA512
    bd4d6431ca4315ad21a1094594ca0cb68a5cca689b64b73876045e468d1ba1c03d6845b444d2936ea50e71438b44ef65fdd74ca22d2339472f2f6e53be90cd8a
  • SSDEEP
    1536:pmV+3Z/ZBJEomaAsurFk5ZjXx+plbfP9HPe0/v7WYPwoMkeT1eK6G:I+JtEomapYFk5ZsFP9HmelqT1N6G

Malware Config

Signatures

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Stops running service(s) 3 TTPs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yvbhq.exe
    "C:\Users\Admin\AppData\Local\Temp\Yvbhq.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C sc delete VSS
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\sc.exe
        sc delete VSS
        3⤵
        • Launches sc.exe
        PID:524
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C NET VIEW
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\system32\net.exe
        NET VIEW
        3⤵
        • Discovers systems in the same network
        PID:332
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C NET USE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\system32\net.exe
        NET USE
        3⤵
        PID:320
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C NET VIEW \\RYNKSFQE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\system32\net.exe
        NET VIEW \\RYNKSFQE
        3⤵
        • Discovers systems in the same network
        PID:1916
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\#README#.txt
      2⤵
      PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Modify Existing Service (T1031): 1
    • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    • Impair Defenses (T1562): 1
    • Modify Registry (T1112): 1
  • Credential Access
    • Credentials in Files (T1081): 1
  • Discovery
    • System Information Discovery (T1082): 1
    • Remote System Discovery (T1018): 1
  • Collection
    • Data from Local System (T1005): 1
  • Impact
    • Service Stop (T1489): 1

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini
    Filesize
    203B
    MD5
    6c28e539b6a2aed65c2a0d68752a063f
    SHA1
    03882709eb28cf277b2bcee22563d36df98fa8e5
    SHA256
    be0f89ef3bf43540b04edeef2ed0bd86a6a1bb97d535eda5c65f869659472a22
    SHA512
    a9d75e4d0502ba99783240d98283618f315cc798cdc575e8e2f468db935db92260fe263f72d895bb0c5711c50fe9674bb61af08e1b47aa4119302da5b79a2f2f
  • C:\Users\Admin\AppData\Local\Temp\#README#.txt
    Filesize
    2KB
    MD5
    bb62ec7a63e5753ce7f6df005ed80c40
    SHA1
    2d22c38455a23a911e87f1c7eda6cf7f68396c67
    SHA256
    b99b2de92232164524ace2b2bf3573351c65196572650902ea77b84c36310811
    SHA512
    21a31235ecde657f9831d5d919168dcab45f041563a5f4e9978734f6a1c835488d1035bb989891f9f14ca7ee8468893af68cd5ace0bc0d4b12b2606e5409703e
  • memory/320-62-0x0000000000000000-mapping.dmp
  • memory/332-60-0x0000000000000000-mapping.dmp
  • memory/472-61-0x0000000000000000-mapping.dmp
  • memory/524-58-0x0000000000000000-mapping.dmp
  • memory/840-57-0x0000000000000000-mapping.dmp
  • memory/1112-59-0x0000000000000000-mapping.dmp
  • memory/1544-54-0x0000000001280000-0x0000000001296000-memory.dmp
    Filesize
    88KB
  • memory/1544-56-0x00000000005E0000-0x00000000005E6000-memory.dmp
    Filesize
    24KB
  • memory/1544-55-0x00000000002C0000-0x00000000002DC000-memory.dmp
    Filesize
    112KB
  • memory/1744-66-0x0000000000000000-mapping.dmp
  • memory/1744-67-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp
    Filesize
    8KB
  • memory/1912-63-0x0000000000000000-mapping.dmp
  • memory/1916-64-0x0000000000000000-mapping.dmp