04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29/03/2023, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43.exe
Size

259KB
MD5

a98f0fd7f830e6c6514d4b8cc9934743
SHA1

656ea5d51323b7929bc57c5f8b3723b5e026d657
SHA256

04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43
SHA512

09aea433725609854a2cac4465412f55bc5364129fa0ad914b050f6a8a3e70520b6b4d3454a3af4795b695a5b2e591d04557a1a5e6cc855e24580da061e6cc88
SSDEEP

6144:vYa6hrIai2SNrr+/zyabPz4WxLxqJjg/SaSzt7T/U:vYzrZiTrr+eab9xLOVaE/U

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation	yakjdcca.exe

Executes dropped EXE 2 IoCs

pid	Process
4324	yakjdcca.exe
3652	yakjdcca.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4324 set thread context of 3652	4324	yakjdcca.exe	67
PID 3652 set thread context of 3200	3652	yakjdcca.exe	25
PID 3568 set thread context of 3200	3568	control.exe	25

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1904	2868	WerFault.exe	69

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-640001698-3754512395-3275565439-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3200	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4324	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3652	yakjdcca.exe
3568	control.exe
3568	control.exe
3568	control.exe
3568	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	yakjdcca.exe
Token: SeDebugPrivilege	3568	control.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4324	3048	04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43.exe	66
PID 3048 wrote to memory of 4324	3048	04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43.exe	66
PID 3048 wrote to memory of 4324	3048	04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43.exe	66
PID 4324 wrote to memory of 3652	4324	yakjdcca.exe	67
PID 4324 wrote to memory of 3652	4324	yakjdcca.exe	67
PID 4324 wrote to memory of 3652	4324	yakjdcca.exe	67
PID 4324 wrote to memory of 3652	4324	yakjdcca.exe	67
PID 3200 wrote to memory of 3568	3200	Explorer.EXE	68
PID 3200 wrote to memory of 3568	3200	Explorer.EXE	68
PID 3200 wrote to memory of 3568	3200	Explorer.EXE	68
PID 3568 wrote to memory of 2868	3568	control.exe	69
PID 3568 wrote to memory of 2868	3568	control.exe	69
PID 3568 wrote to memory of 2868	3568	control.exe	69

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43.exe
  "C:\Users\Admin\AppData\Local\Temp\04bc25b64fef7a482500b3ca966e2d08ee2ba45b4493db70cb24e66eea965f43.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe
    "C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe" C:\Users\Admin\AppData\Local\Temp\ruisfu.h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe
      "C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3652
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2868
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2868 -s 136
      4⤵
      Program crash
      PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ruisfu.h

Filesize
5KB

MD5
3588278818841e16700aac4218f26be4

SHA1
90c6553fd15c927d315c5d92b91796f8f0eb4183

SHA256
eb03c7bad0c35373ee906e6a4feb3c755fc7ab9e9c4e816fd49adf733855ff69

SHA512
46f3ccd53b233bdea7fe38695bd6b2c6ee9e1afebaf3d87787a81fcca18d9c072ed53ddc6dfe9724c8266219ce05409778aeedf7eb9cd17f11debabd331f3d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjfwz.e

Filesize
206KB

MD5
8fdd26303e208aea453870cc93083f76

SHA1
3f232a0b83b5867ca34efd5b26faf1f50b83fccc

SHA256
1ca0d3e730d07aee5fc02f1d5fe385c9ea0fd7aff8bed1c506238a8fbf5eebf7

SHA512
0520b2559378aa0f6b1089091df1c211906f33c4648cb28f9c0bcd82724976fae04f0a4b9e447aff928d6a28ae25f518ea4117722bb23ae6cbe55c7e0f0845d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe

Filesize
34KB

MD5
1cc3128c295f0311c404989b1176567c

SHA1
02f9f4c4ca698ee6c969b736dabef5a33d42c01c

SHA256
22842ae83059e74ccfbb81a321dc41f5bdb0ae98999202aa32d7129a5b5cb36b

SHA512
d2e95c2e1f2336a10e7e4c5c8f1793a1c41b1c397145f81b2deb0cf64a27240ea5b4c25a1493c813c21e4258c86fe8bbf5fcab6448ce4f57f000c8f1b99323a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe

Filesize
34KB

MD5
1cc3128c295f0311c404989b1176567c

SHA1
02f9f4c4ca698ee6c969b736dabef5a33d42c01c

SHA256
22842ae83059e74ccfbb81a321dc41f5bdb0ae98999202aa32d7129a5b5cb36b

SHA512
d2e95c2e1f2336a10e7e4c5c8f1793a1c41b1c397145f81b2deb0cf64a27240ea5b4c25a1493c813c21e4258c86fe8bbf5fcab6448ce4f57f000c8f1b99323a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yakjdcca.exe

Filesize
34KB

MD5
1cc3128c295f0311c404989b1176567c

SHA1
02f9f4c4ca698ee6c969b736dabef5a33d42c01c

SHA256
22842ae83059e74ccfbb81a321dc41f5bdb0ae98999202aa32d7129a5b5cb36b

SHA512
d2e95c2e1f2336a10e7e4c5c8f1793a1c41b1c397145f81b2deb0cf64a27240ea5b4c25a1493c813c21e4258c86fe8bbf5fcab6448ce4f57f000c8f1b99323a9

Download Submit
memory/3200-136-0x0000000002D30000-0x0000000002E14000-memory.dmp

Filesize
912KB

Download
memory/3200-148-0x0000000005230000-0x0000000005319000-memory.dmp

Filesize
932KB

Download
memory/3200-151-0x0000000005230000-0x0000000005319000-memory.dmp

Filesize
932KB

Download
memory/3568-144-0x00000000046F0000-0x0000000004A10000-memory.dmp

Filesize
3.1MB

Download
memory/3568-138-0x0000000000930000-0x0000000000950000-memory.dmp

Filesize
128KB

Download
memory/3568-139-0x0000000000930000-0x0000000000950000-memory.dmp

Filesize
128KB

Download
memory/3568-142-0x0000000000930000-0x0000000000950000-memory.dmp

Filesize
128KB

Download
memory/3568-143-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/3568-145-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/3568-147-0x00000000044B0000-0x000000000453F000-memory.dmp

Filesize
572KB

Download
memory/3652-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-135-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/3652-133-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download