88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d

Analysis

max time kernel
152s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
Size

423KB
MD5

61a28ab4086db27d3cdc7376f5a69998
SHA1

a9de95c9d407abba3995a3a16a720913b8bab526
SHA256

88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d
SHA512

9ee6f1d3b178ab12ed3f09fa741d91091e43bbf6fd9a3bc5789f99dfc6a79a113bf3d9ee8ec1263e5d3e3e12d30cfe9ea5a44f63073b0dc002951016b389d3c0
SSDEEP

12288:W/O0T9PLWQhwpgIdA/t5tV8xjsgBov6/vYXubE/Wd:fQZ/0jdH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1316	ytimaj.exe

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	ytimaj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Ukaz\\ytimaj.exe"	ytimaj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe
1316	ytimaj.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
1316	ytimaj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1316	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	27
PID 1768 wrote to memory of 1316	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	27
PID 1768 wrote to memory of 1316	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	27
PID 1768 wrote to memory of 1316	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	27
PID 1316 wrote to memory of 1112	1316	ytimaj.exe	16
PID 1316 wrote to memory of 1112	1316	ytimaj.exe	16
PID 1316 wrote to memory of 1112	1316	ytimaj.exe	16
PID 1316 wrote to memory of 1112	1316	ytimaj.exe	16
PID 1316 wrote to memory of 1112	1316	ytimaj.exe	16
PID 1316 wrote to memory of 1176	1316	ytimaj.exe	15
PID 1316 wrote to memory of 1176	1316	ytimaj.exe	15
PID 1316 wrote to memory of 1176	1316	ytimaj.exe	15
PID 1316 wrote to memory of 1176	1316	ytimaj.exe	15
PID 1316 wrote to memory of 1176	1316	ytimaj.exe	15
PID 1316 wrote to memory of 1204	1316	ytimaj.exe	14
PID 1316 wrote to memory of 1204	1316	ytimaj.exe	14
PID 1316 wrote to memory of 1204	1316	ytimaj.exe	14
PID 1316 wrote to memory of 1204	1316	ytimaj.exe	14
PID 1316 wrote to memory of 1204	1316	ytimaj.exe	14
PID 1316 wrote to memory of 1768	1316	ytimaj.exe	19
PID 1316 wrote to memory of 1768	1316	ytimaj.exe	19
PID 1316 wrote to memory of 1768	1316	ytimaj.exe	19
PID 1316 wrote to memory of 1768	1316	ytimaj.exe	19
PID 1316 wrote to memory of 1768	1316	ytimaj.exe	19
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28
PID 1768 wrote to memory of 1732	1768	88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe
  "C:\Users\Admin\AppData\Local\Temp\88b72e9e01452158ce71cef25e61bf2de0b30fc79fb794f25698446b3394718d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Roaming\Ukaz\ytimaj.exe
    "C:\Users\Admin\AppData\Roaming\Ukaz\ytimaj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6be90719.bat"
    3⤵
    - Deletes itself
    PID:1732

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6be90719.bat

Filesize
307B

MD5
19b8d4c496c80267037ec33a0e3e76fd

SHA1
f892518f082f5e73e0785724379d7fae5ca0b2da

SHA256
5948bd706400ba3b5f9a444119f1e218e40e4b53ce07cf3df0974df01a51e997

SHA512
74563deaede54a17b4f9cdc0726fb2dcdb67a88899e5bf4f23abdeda66e279fee55196c6fabbcfa9d2df2e5f136036ff9bfafb2c2edf1263cc019fcb0a797cfd

Download Submit
C:\Users\Admin\AppData\Roaming\Ukaz\ytimaj.exe

Filesize
423KB

MD5
2ed9c01ebf6ea25d76b21005a778b0e9

SHA1
5343234ad79d358b763095753a83bbc39f7f5b73

SHA256
35e409016eb35d6f37b26fee157e8f1495b797067286c49314ecdaf553fe6a24

SHA512
93d92393c7feb829d7282215946a374074d2640436cdb9926bae00dfdc445eb6f2fe1caaecf648ae97b02911cecf19d32754a79089bde063f86f66a17a002af3

Download Submit
C:\Users\Admin\AppData\Roaming\Ukaz\ytimaj.exe

Filesize
423KB

MD5
2ed9c01ebf6ea25d76b21005a778b0e9

SHA1
5343234ad79d358b763095753a83bbc39f7f5b73

SHA256
35e409016eb35d6f37b26fee157e8f1495b797067286c49314ecdaf553fe6a24

SHA512
93d92393c7feb829d7282215946a374074d2640436cdb9926bae00dfdc445eb6f2fe1caaecf648ae97b02911cecf19d32754a79089bde063f86f66a17a002af3

Download Submit
\Users\Admin\AppData\Roaming\Ukaz\ytimaj.exe

Filesize
423KB

MD5
2ed9c01ebf6ea25d76b21005a778b0e9

SHA1
5343234ad79d358b763095753a83bbc39f7f5b73

SHA256
35e409016eb35d6f37b26fee157e8f1495b797067286c49314ecdaf553fe6a24

SHA512
93d92393c7feb829d7282215946a374074d2640436cdb9926bae00dfdc445eb6f2fe1caaecf648ae97b02911cecf19d32754a79089bde063f86f66a17a002af3

Download Submit
memory/1112-62-0x0000000001CD0000-0x0000000001D16000-memory.dmp

Filesize
280KB

Download
memory/1112-66-0x0000000001CD0000-0x0000000001D16000-memory.dmp

Filesize
280KB

Download
memory/1112-67-0x0000000001CD0000-0x0000000001D16000-memory.dmp

Filesize
280KB

Download
memory/1112-65-0x0000000001CD0000-0x0000000001D16000-memory.dmp

Filesize
280KB

Download
memory/1112-64-0x0000000001CD0000-0x0000000001D16000-memory.dmp

Filesize
280KB

Download
memory/1176-73-0x0000000001AD0000-0x0000000001B16000-memory.dmp

Filesize
280KB

Download
memory/1176-72-0x0000000001AD0000-0x0000000001B16000-memory.dmp

Filesize
280KB

Download
memory/1176-71-0x0000000001AD0000-0x0000000001B16000-memory.dmp

Filesize
280KB

Download
memory/1176-70-0x0000000001AD0000-0x0000000001B16000-memory.dmp

Filesize
280KB

Download
memory/1204-76-0x0000000002A80000-0x0000000002AC6000-memory.dmp

Filesize
280KB

Download
memory/1204-79-0x0000000002A80000-0x0000000002AC6000-memory.dmp

Filesize
280KB

Download
memory/1204-78-0x0000000002A80000-0x0000000002AC6000-memory.dmp

Filesize
280KB

Download
memory/1204-77-0x0000000002A80000-0x0000000002AC6000-memory.dmp

Filesize
280KB

Download
memory/1316-111-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1316-110-0x0000000000350000-0x0000000000396000-memory.dmp

Filesize
280KB

Download
memory/1316-112-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1732-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1732-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1732-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1732-93-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1732-97-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1732-96-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1732-95-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1732-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1732-109-0x0000000000050000-0x0000000000096000-memory.dmp

Filesize
280KB

Download
memory/1732-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1732-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-99-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/1768-100-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1768-85-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1768-86-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-87-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-88-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1768-82-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1768-84-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1768-83-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1768-56-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1768-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download