d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1

General

Target

d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe
Size

109KB
MD5

30df3d8f374a5052afa29deacea17940
SHA1

7522bae6151af6cbf43426fd2e61095869468ce3
SHA256

d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1
SHA512

1dd65a45eaba7e747f150f6b0512bc144dbe0b2fec3629a412eb6be274f2bb7dae496e3570e1cca17802132346bbf9670a34fe4eea8d6f8a598046939912385f
SSDEEP

1536:B/iqYbQ7kwh2oyVbQ/L9uW22E0NtstjcKg6kiW7BWJKgchFPZ/wmPGKztVUzaIlK:4bKbRWk/L9p1tEBgL1Wcg0BnxVzdRS2b

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\yvykys.sys	Í¼.exe

Executes dropped EXE 1 IoCs

pid	Process
304	Í¼.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\peaajr\Parameters\ServiceDll = "%SystemRoot%\\System32\\yvykys.dll"	Í¼.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\peaajr\Parameters\ServiceDll = "%SystemRoot%\\System32\\yvykys.dll"	Í¼.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\peaajr\Parameters\ServiceDll = "%SystemRoot%\\System32\\yvykys.dll"	Í¼.exe

Loads dropped DLL 4 IoCs

pid	Process
1092	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe
1092	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe
304	Í¼.exe
820	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yvykys.dll	Í¼.exe
File created	C:\Windows\SysWOW64\000476f6.ini	Í¼.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
944	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
820	svchost.exe
820	svchost.exe
820	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 304	1092	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	27
PID 1092 wrote to memory of 304	1092	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	27
PID 1092 wrote to memory of 304	1092	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	27
PID 1092 wrote to memory of 304	1092	d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe	27

C:\Users\Admin\AppData\Local\Temp\d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe
"C:\Users\Admin\AppData\Local\Temp\d4785dd29c045919f0583ee4b6b24307f2048f58ad599609e1674e29ef1c08d1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\Í¼.exe
  "C:\Users\Admin\AppData\Local\Temp\Í¼.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k peaajr
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Í¼.exe

Filesize
63KB

MD5
5020f214ee9efc1ad06796016852dd50

SHA1
62a3b0b4bb71df32c3d6d06412d1c87bfc201f6c

SHA256
bc844f5910db6240f250fa15061bfd46908fda7b2067dde17fb4c7b7e24f1431

SHA512
309b5a71af1455b669e483bddacbb9c4cb84ba7e3fdcc86eddba3a8e608dbd7476bd29a0428b171791ef7be7b1f448f8a5142a01c7d342d56d4af87dc73549db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Í¼.exe

Filesize
63KB

MD5
5020f214ee9efc1ad06796016852dd50

SHA1
62a3b0b4bb71df32c3d6d06412d1c87bfc201f6c

SHA256
bc844f5910db6240f250fa15061bfd46908fda7b2067dde17fb4c7b7e24f1431

SHA512
309b5a71af1455b669e483bddacbb9c4cb84ba7e3fdcc86eddba3a8e608dbd7476bd29a0428b171791ef7be7b1f448f8a5142a01c7d342d56d4af87dc73549db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Î´ÃüÃû.jpg

Filesize
18KB

MD5
3a32c6dc1ebefc4caf31360c73f12534

SHA1
9bf8a8ca6886d89b9bbb84df53bb7676d238291a

SHA256
e6cd4bd7c496ad811d869741ffd4658f094b5b00c9dce1ccc8a2c55c05022e15

SHA512
d0a65f3c8e8dc3eb8df291c7d8f59f025e04c9f7efa8b447135dd9234b15509c4e3dad7a59227b92f85e17996836b190a36b6a344f7a6c7868010d0e4fee6731

Download Submit
\??\c:\windows\SysWOW64\yvykys.dll

Filesize
90KB

MD5
5670709c5b7b37c114deea3633ab2179

SHA1
d799b86b5cb9abea1bc00b2b395b848d5500cb1a

SHA256
4c7f62c334a1b28433f045a3245292c149aa6042ddfd2ab0337694b7d9781a77

SHA512
75738394bd1c845c1590196babc24e7ac87be4c9deb4c5f7e474abb9f9637f3854a92e34f0eb5823657fceeb541c14dc0dd1be486226679596ef0a31be421132

Download Submit
\Users\Admin\AppData\Local\Temp\Í¼.exe

Filesize
63KB

MD5
5020f214ee9efc1ad06796016852dd50

SHA1
62a3b0b4bb71df32c3d6d06412d1c87bfc201f6c

SHA256
bc844f5910db6240f250fa15061bfd46908fda7b2067dde17fb4c7b7e24f1431

SHA512
309b5a71af1455b669e483bddacbb9c4cb84ba7e3fdcc86eddba3a8e608dbd7476bd29a0428b171791ef7be7b1f448f8a5142a01c7d342d56d4af87dc73549db

Download Submit
\Users\Admin\AppData\Local\Temp\Í¼.exe

Filesize
63KB

MD5
5020f214ee9efc1ad06796016852dd50

SHA1
62a3b0b4bb71df32c3d6d06412d1c87bfc201f6c

SHA256
bc844f5910db6240f250fa15061bfd46908fda7b2067dde17fb4c7b7e24f1431

SHA512
309b5a71af1455b669e483bddacbb9c4cb84ba7e3fdcc86eddba3a8e608dbd7476bd29a0428b171791ef7be7b1f448f8a5142a01c7d342d56d4af87dc73549db

Download Submit
\Windows\SysWOW64\yvykys.dll

Filesize
90KB

MD5
5670709c5b7b37c114deea3633ab2179

SHA1
d799b86b5cb9abea1bc00b2b395b848d5500cb1a

SHA256
4c7f62c334a1b28433f045a3245292c149aa6042ddfd2ab0337694b7d9781a77

SHA512
75738394bd1c845c1590196babc24e7ac87be4c9deb4c5f7e474abb9f9637f3854a92e34f0eb5823657fceeb541c14dc0dd1be486226679596ef0a31be421132

Download Submit
\Windows\SysWOW64\yvykys.dll

Filesize
90KB

MD5
5670709c5b7b37c114deea3633ab2179

SHA1
d799b86b5cb9abea1bc00b2b395b848d5500cb1a

SHA256
4c7f62c334a1b28433f045a3245292c149aa6042ddfd2ab0337694b7d9781a77

SHA512
75738394bd1c845c1590196babc24e7ac87be4c9deb4c5f7e474abb9f9637f3854a92e34f0eb5823657fceeb541c14dc0dd1be486226679596ef0a31be421132

Download Submit
memory/1092-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing