Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 22:45
Behavioral task: behavioral1
- Sample: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe
- Resource: win7-20220812-en
General
- Target: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe
- Size: 120KB
- MD5: fcc3e83c605961ce711a28522be916f6
- SHA1: 18681477b75de6979d9d3c857fa09f72da36ec90
- SHA256: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b
- SHA512: b7fa234511234e1c81980d18c34021d5aa93f6c120f4c2be96eb2fbc8dafc24b622d9fc71c18ff75520ba7ac284ecf46f771a0ca333089db4a7d6fc42d1268ad
- SSDEEP: 3072:Ig+3fh/PHrgNUqOBx4J2vNbGfvGnd3gW5ZM4/uBnh:h+3fRb9NdndPZMT7
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: svchost.exe
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\yvsmpfuf\\hckyafev.exe"
UAC bypass
Processes: svchost.exe
- svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Executes dropped EXE 1 IoCs
Processes: yhftchgcedwfsetd.exe
- PID 1928: yhftchgcedwfsetd.exe
UPX packed file (yara rule: upx)
Resources matching rule upx:
- behavioral1/memory/1476-73-0x0000000000400000-0x000000000043957C-memory.dmp
- \Users\Admin\AppData\Local\Temp\yhftchgcedwfsetd.exe (listed 4 times)
- C:\Users\Admin\AppData\Local\Temp\yhftchgcedwfsetd.exe (listed 2 times)
- behavioral1/memory/1928-82-0x0000000000400000-0x000000000043957C-memory.dmp
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: svchost.exe
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Drops startup file 2 IoCs
Processes: svchost.exe
- svchost.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hckyafev.exe
- svchost.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hckyafev.exe
Loads dropped DLL 4 IoCs
Processes: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe
- PID 1476: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe (4 entries)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: svchost.exe
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\HckYafev = "C:\\Users\\Admin\\AppData\\Local\\yvsmpfuf\\hckyafev.exe"
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes: svchost.exe
- PID 1604: svchost.exe (43 entries)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
- PID 460 (no process name recorded in the report)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe, svchost.exe, svchost.exe, yhftchgcedwfsetd.exe
Tokens adjusted, grouped by process (the report lists them in execution order; the 64 entries are dominated by repeated SeRestorePrivilege/SeBackupPrivilege pairs in PID 1604):
- PID 1476 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe: SeSecurityPrivilege, SeDebugPrivilege
- PID 1512 svchost.exe: SeSecurityPrivilege
- PID 1604 svchost.exe: SeSecurityPrivilege, SeDebugPrivilege, then alternating SeRestorePrivilege and SeBackupPrivilege, repeated for the remainder of the entries
- PID 1928 yhftchgcedwfsetd.exe: SeSecurityPrivilege, SeLoadDriverPrivilege (these two entries fall between the SeRestorePrivilege/SeBackupPrivilege pairs of PID 1604)
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe
- PID 1476 (926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe) wrote to memory of PID 1512 (svchost.exe): 10 entries
- PID 1476 (926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe) wrote to memory of PID 1604 (svchost.exe): 10 entries
- PID 1476 (926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe) wrote to memory of PID 1928 (yhftchgcedwfsetd.exe): 4 entries
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\yhftchgcedwfsetd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\yhftchgcedwfsetd.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\yhftchgcedwfsetd.exe (listed 2 times)
  Filesize: 120KB
  MD5: fcc3e83c605961ce711a28522be916f6
  SHA1: 18681477b75de6979d9d3c857fa09f72da36ec90
  SHA256: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b
  SHA512: b7fa234511234e1c81980d18c34021d5aa93f6c120f4c2be96eb2fbc8dafc24b622d9fc71c18ff75520ba7ac284ecf46f771a0ca333089db4a7d6fc42d1268ad
  (these hashes are identical to those of the submitted sample)
- \Users\Admin\AppData\Local\Temp\yhftchgcedwfsetd.exe (listed 4 times)
  Filesize: 120KB
  MD5: fcc3e83c605961ce711a28522be916f6
  SHA1: 18681477b75de6979d9d3c857fa09f72da36ec90
  SHA256: 926bf338297a71450377e65aa6c0078e71faa674a08b8be39748d60124cec08b
  SHA512: b7fa234511234e1c81980d18c34021d5aa93f6c120f4c2be96eb2fbc8dafc24b622d9fc71c18ff75520ba7ac284ecf46f771a0ca333089db4a7d6fc42d1268ad
Memory dumps
- memory/1476-54-0x0000000076701000-0x0000000076703000-memory.dmp: 8KB
- memory/1476-73-0x0000000000400000-0x000000000043957C-memory.dmp: 229KB
- memory/1512-56-0x0000000020010000-0x000000002001C000-memory.dmp: 48KB
- memory/1512-58-0x0000000000000000-mapping.dmp
- memory/1512-59-0x0000000020010000-0x000000002001C000-memory.dmp: 48KB
- memory/1604-65-0x0000000020010000-0x0000000020023000-memory.dmp: 76KB
- memory/1604-69-0x0000000020010000-0x0000000020023000-memory.dmp: 76KB
- memory/1604-67-0x0000000000000000-mapping.dmp
- memory/1928-78-0x0000000000000000-mapping.dmp
- memory/1928-82-0x0000000000400000-0x000000000043957C-memory.dmp: 229KB