Overview

overview

1

Static

static

1

youtube-dl.exe

windows7-x64

1

Analysis

  • max time kernel
    114s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20230220-es
  • resource tags

    arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    12-03-2023 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    youtube-dl.exe

  • Size

    7.8MB

  • MD5

    643cbb91d62906353deaaf479f77f386

  • SHA1

    3cb915afed82741e477e74677c1b0201d8bf23f7

  • SHA256

    26e5c00c35c5c3edc86dfc0a720aed109a13b1b7c67ac654a0ce8ff82a1f2c16

  • SHA512

    24cc5ad86c35f40ff8f864f7098ebf50a0a57375216732b4e27a3fffa5de7dbe0f40bd41005e53fe1b2f0713df3f00182b8b552a785ccc41ee968144fe03075c

  • SSDEEP

    196608:v/8Lv/T+GuQYKCDJlEqFceFXWjUOn59lQLuD9/U:v/4T+GhYNVOTlQLm/U

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\youtube-dl.exe
    "C:\Users\Admin\AppData\Local\Temp\youtube-dl.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1992
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1128
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x1cc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.0.377647071\1326090289" -parentBuildID 20221007134813 -prefsHandle 1208 -prefMapHandle 1200 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {060230e3-fa64-4323-a0be-6cfd72768c4a} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 1284 13d19858 gpu
          3⤵
            PID:916
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.1.1963968299\876581413" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {662a85cd-b861-4952-8ad0-84d7ad66bf5e} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 1484 3e14f58 socket
            3⤵
              PID:1788
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.2.861983491\1503574230" -childID 1 -isForBrowser -prefsHandle 1988 -prefMapHandle 2108 -prefsLen 21054 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed8c12ea-aded-4667-9d33-cd7fa1e5f8c4} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 1976 197e8e58 tab
              3⤵
                PID:1304
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.3.386686372\1447708596" -childID 2 -isForBrowser -prefsHandle 2624 -prefMapHandle 2620 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63748c75-d79b-4a13-a6b5-f2f6f47905cc} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 2636 d6d658 tab
                3⤵
                  PID:1324
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.4.990826555\1044693950" -childID 3 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b51b011c-ea2c-4a08-8264-d996b0251d7c} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 2784 d62b58 tab
                  3⤵
                    PID:752
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.5.548230007\1606526982" -childID 4 -isForBrowser -prefsHandle 3592 -prefMapHandle 3420 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a8cc008-ea8d-4f53-89c7-24cd9119af07} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 3508 1d6b7258 tab
                    3⤵
                      PID:2496
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.6.280493491\1375785457" -childID 5 -isForBrowser -prefsHandle 1064 -prefMapHandle 1060 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dd29f84-a996-499c-bf2a-fc0465a81957} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 3324 1d6b5d58 tab
                      3⤵
                        PID:2504
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1444.7.894655955\740191384" -childID 6 -isForBrowser -prefsHandle 3564 -prefMapHandle 3576 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e62a69-2cfe-40b6-ad09-77c9d46311ef} 1444 "\\.\pipe\gecko-crash-server-pipe.1444" 3724 1d6b7e58 tab
                        3⤵
                          PID:2524

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0fuzji1n.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      146KB

                      MD5

                      4840f81c4343f8e2123c20b44f38d1af

                      SHA1

                      6d246ec772cbf7d39c454ef145774c4fc959dc59

                      SHA256

                      3353422e373d83ddd8e42ec9590d69506870645254da411b5268b379b769deab

                      SHA512

                      f761b8650e5f75dfbebb354f92228597e4f6d14c0338ef98216b72d4c8b4d648886636934422954f5e562f1dbbecd4d0d0f703a01a8f479af5de82c50c8d3cb2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      024c6fe18df82522164511c697474338

                      SHA1

                      152f2037990159375f4846bec398c223ac5e6ba0

                      SHA256

                      2bf01fd3c6c1e12236d23ad9d41fc04528bd1af72be08efb6ea097f4c8f64bb2

                      SHA512

                      071602ab881eef19d5369f88a8aaf0194f931c8a013088466c5b493f600a7ab914693899e37dd84e30e380b25c4faf674616ea09b76f89465cec406b5ffde225

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0fuzji1n.default-release\sessionstore.jsonlz4
                      Filesize

                      851B

                      MD5

                      911d4e1e1c9999a7361664b36cc8697b

                      SHA1

                      ab36964a01c02a6617825df8f4dca1c68fb52e60

                      SHA256

                      d3130587075ee6ce686ae719ff443c779a7208f08e125cb87951f0de1fb0eb21

                      SHA512

                      328220b4700de01c93b588c0c4f969d8f62045ccf410868ba40d56de0a8adbe5e648ed00db386a07cae2d183e7f3a0b30dc9ebfc2844c9f9e6df3cba4b820116

                      Download Submit

                    • memory/1992-73-0x00000000002E0000-0x0000000000304000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/1992-67-0x0000000000090000-0x000000000009E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/1992-70-0x000000001D100000-0x000000001D122000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1992-54-0x000000001E000000-0x000000001E2AA000-memory.dmp

                      Filesize

                      2.7MB

                      Download

                    • memory/1992-76-0x0000000002A70000-0x0000000002BBA000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/1992-79-0x00000000000A0000-0x00000000000A5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/1992-82-0x0000000000410000-0x000000000041A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/1992-64-0x000000001D170000-0x000000001D180000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/1992-61-0x0000000010000000-0x00000000100E5000-memory.dmp

                      Filesize

                      916KB

                      Download

                    • memory/1992-58-0x000000001D1A0000-0x000000001D1B8000-memory.dmp

                      Filesize

                      96KB

                      Download