aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
Size

208KB
MD5

66be6aa49cf48dbea19416a99b8cd5eb
SHA1

0e4e14b2a7ffae8bbad8243c26d5debe07eb9e96
SHA256

aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4
SHA512

ff209533179df4875380e4c34fd093df5dd0f7ddae4d7415b4642638d00a779fa05c6ef2a363b3b8e7b1d1ed0966e150222a8d54035357b24724703fff7ed74c
SSDEEP

3072:TDMM1GyDaM979aAqvxpDWDhQx9AhHp8NeqxEN1yy8p+uxM/T:T5GSoA8pDqQx9AhJSRxiJ8j+/T

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ynxeos.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	ynxeos.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /L"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /T"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /D"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /O"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /f"	ynxeos.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /M"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /C"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /r"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /U"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /R"	ynxeos.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /H"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /e"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /V"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /m"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /i"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /G"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /d"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /n"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /Y"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /J"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /b"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /y"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /u"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /Z"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /w"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /k"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /a"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /q"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /x"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /Q"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /P"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /N"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /A"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /I"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /B"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /p"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /g"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /F"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /h"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /c"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /X"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /t"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /S"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /q"	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /s"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /W"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /o"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /z"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /j"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /l"	ynxeos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ynxeos = "C:\\Users\\Admin\\ynxeos.exe /v"	ynxeos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe
1704	ynxeos.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
1704	ynxeos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1704	1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe	27
PID 1448 wrote to memory of 1704	1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe	27
PID 1448 wrote to memory of 1704	1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe	27
PID 1448 wrote to memory of 1704	1448	aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe	27

C:\Users\Admin\AppData\Local\Temp\aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe
"C:\Users\Admin\AppData\Local\Temp\aa44797ae10ad878cd50ae60d7688a7f579c221cc1b5fadcf047abdf7acc3ef4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\ynxeos.exe
  "C:\Users\Admin\ynxeos.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ynxeos.exe

Filesize
208KB

MD5
74c126590bcf6bfb6248baad85acd463

SHA1
f1fff88de38bb1a46000ff1fcbbd1cea7c13a0eb

SHA256
0180fa678209772a6a59fd52108ffa659ad5a5fa7a6f5360300db32d2a8dfa69

SHA512
4e64c587fc12b7adad0030deb7486592bc4d3838a80dead11b50bf324ecd26fdeec0f111bdaa806445c015bb6c808dacb7585cfa53e769c3565bdedc3fc0be38

Download Submit
C:\Users\Admin\ynxeos.exe

Filesize
208KB

MD5
74c126590bcf6bfb6248baad85acd463

SHA1
f1fff88de38bb1a46000ff1fcbbd1cea7c13a0eb

SHA256
0180fa678209772a6a59fd52108ffa659ad5a5fa7a6f5360300db32d2a8dfa69

SHA512
4e64c587fc12b7adad0030deb7486592bc4d3838a80dead11b50bf324ecd26fdeec0f111bdaa806445c015bb6c808dacb7585cfa53e769c3565bdedc3fc0be38

Download Submit
\Users\Admin\ynxeos.exe

Filesize
208KB

MD5
74c126590bcf6bfb6248baad85acd463

SHA1
f1fff88de38bb1a46000ff1fcbbd1cea7c13a0eb

SHA256
0180fa678209772a6a59fd52108ffa659ad5a5fa7a6f5360300db32d2a8dfa69

SHA512
4e64c587fc12b7adad0030deb7486592bc4d3838a80dead11b50bf324ecd26fdeec0f111bdaa806445c015bb6c808dacb7585cfa53e769c3565bdedc3fc0be38

Download Submit
\Users\Admin\ynxeos.exe

Filesize
208KB

MD5
74c126590bcf6bfb6248baad85acd463

SHA1
f1fff88de38bb1a46000ff1fcbbd1cea7c13a0eb

SHA256
0180fa678209772a6a59fd52108ffa659ad5a5fa7a6f5360300db32d2a8dfa69

SHA512
4e64c587fc12b7adad0030deb7486592bc4d3838a80dead11b50bf324ecd26fdeec0f111bdaa806445c015bb6c808dacb7585cfa53e769c3565bdedc3fc0be38

Download Submit
memory/1448-56-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download