70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d

General

Target

70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Size

685KB
MD5

0d318412812641ae760b7949d8037fef
SHA1

aa750898bad800bd21f7823eccb1e259f14c6ad7
SHA256

70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d
SHA512

7e6bc236b821dfa3938a6989a06b693831a78666eb9a78cc0021dfb2b40c91ad3473d5c46ad42acb286095e9ea4ccf28a81eb9b74efb2dbf957b9c9eddc49205
SSDEEP

12288:mfOMTqlIilNtVhyqGxwX0SC/OXVptKGA2WQ1+FGZMSefFb4XP96/t:mfTqlXxhVv0SC/4VbALSetb4Xo/t

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 24 IoCs

Processes:

70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\yytmp1\1941527793\sx1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\opfileOneA	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1941527793\mu1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1941527793\1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\ÓÑÒæÎÄÊé.exe	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\syys7.1.1.syw	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ywsinid.files\25.bmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1941527793\lk1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1941527793\lk1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\ÓÑÒæÎÄÊé.exe	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\ywsfiletmp.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1941527793\yadviser.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\ywsexe1.exs	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yyhelp.yws	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1941527793\mu1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1941527793\fj1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\yytmp1\1941527793\sx1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\opfilejlA	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1941527793\1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File created	\??\c:\windows\SysWOW64\yytmp1\1941527793\fj1941527793.tmp	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\opfileOneA	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\ÓÑÒæÎÄÊé.exe	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
File opened for modification	\??\c:\windows\SysWOW64\opfilejlA	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe

Modifies registry class 17 IoCs

Processes:

70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.yws	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version\ = "7.1.1"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\DefaultIcon	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\DefaultIcon\ = "c:\\windows\\SysWow64\\ÓÑÒæÎÄÊé.exe,1"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.yws\ = "ywsfile"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open\command	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\shell\open\command\ = "c:\\windows\\SysWow64\\ÓÑÒæÎÄÊé.exe %1"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\isogg = "alrGady"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\ = "ÓÑÒæÎÄÊé"	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\Version	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe

pid	process
1900	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
1900	70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe

C:\Users\Admin\AppData\Local\Temp\70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe
"C:\Users\Admin\AppData\Local\Temp\70786c405b12307647ae71503dfd2865470d3d6bbc2aff41e17a89516bcfd28d.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1900

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-54-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1900-72-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/1900-73-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads