Overview

overview

9

Static

static

7

Yams_Servi...er.exe

windows7-x64

9

Yams_Servi...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2023 10:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Yams_Services_Free_Spoofer.exe

  • Size

    3.7MB

  • MD5

    b7b3977d71565f7439d8678a4588c503

  • SHA1

    d9552cc2ccd6f6e301b9fdaed8d86c22dc9740b2

  • SHA256

    c6a00f85e448a6278cea21dbd835d99d1ebd227828096e5f02fcb41f141bea69

  • SHA512

    4b9e53d7ec59d189f2b5693fa2193490ad53f9c042219f30ebe291ea7768b7b1cc6ce8d7c1bd3dc6705ec342f09c0c93f42c283e2995a3843dd561736e101ce5

  • SSDEEP

    98304:wtNJ1joN3XNBr7PuUZJunmnY7zL1V3ekh8bCZ9+RkOKlDwKtN:yBoNnrr7PrJumnY3LN8+KMDw2N

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yams_Services_Free_Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Yams_Services_Free_Spoofer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color d
      2⤵
        PID:1996
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start https://discord.gg/heck
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/heck
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2020
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Yams_Services_Free_Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Yams_Services_Free_Spoofer.exe" MD5
          3⤵
            PID:1748
          • C:\Windows\system32\find.exe
            find /i /v "md5"
            3⤵
              PID:1504
            • C:\Windows\system32\find.exe
              find /i /v "certutil"
              3⤵
                PID:1240
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:1884

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Virtualization/Sandbox Evasion

            1
            T1497

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            Virtualization/Sandbox Evasion

            1
            T1497

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              e5782e53cfd1b1270062764d4c64e8d0

              SHA1

              ef44cfb2f77762b945b3ae351c44550874accfb7

              SHA256

              ac87427be65915246546447d1633ed2d686a23bd0d422398742f1bae4b4b5411

              SHA512

              65e6ff02364bff563d47c371da639940e6ce8a398dcadfe6e7e6ed5dc1a6d4c01340112ecd2b522c52b990eaa8e5a16303d6f90cb5182dbc607826a20528cb52

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              df6b9ae805941fc8677ba0c4a2e29056

              SHA1

              f4a8301c6c47b5d161f11c74d6ed53f86ee13f7c

              SHA256

              41e61be670298a0a64d34d035529dedc8dd6b8f5bf9133e96ed96e11f44ce4f6

              SHA512

              044c57b34db8c99e2ebc532f16db35b2ea1126acb034d9d903979a35ae6cd18063c58f750177d30d5abbaaad6a80e16166d8736867dd6834a68bec03d2108245

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              b722064d229d1dfea70af95d3ba8e3ab

              SHA1

              c335bf8c18414aa08c45fda2afdabda0fce4b267

              SHA256

              65e0cec07906382558e6b31e1d90123fda277e74e63d4e210df8212128bf574b

              SHA512

              b910a79c3af878cd94ef03f1f98a6ae4a1ebfa4d751e4153bf9bca824c82565caeb7da394e33296922cbc4b83b3a1582c71cd8e9be96d1f52b1c72d99ef7d89d

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              6e6b8ccdaf8af9680826d5617c62f664

              SHA1

              a150b3e3ad426a8bf93c8ad0c947a8ff493ba26f

              SHA256

              9fa47734f0def82aec4ff943a040385f578eedde3ee1d8db5a4a5a8c66f2958a

              SHA512

              6c515e9895d8a5040b6530c591862cb05fc3cfa5f64b116d8a96307c4b98ab07ca2761e7486ca37e13e6d552dd13f8b7f1cefdd233d7d9c3afd14987032fabe6

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              15c5719922cc32c4d0fa53df6557aad2

              SHA1

              8b9b622dd03220f4df9e6c0714b61530f7380b63

              SHA256

              5bd245f88f80c99b509d62e97a3d24b8aa55b6d4a8541e7dc96bc7e71017c5ea

              SHA512

              717688d0b542504d5e4e09137d089cbe97bd138bf04c16c85c2d7f0b66a213806d2c2c6adeb504dd45910a37b1b245f3e64cd16ffef28ed6be5ec44598227afe

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              aa0f5fcb4d3a01ad0be74861f2285431

              SHA1

              a803ae9b3fc40fa05334ead89e4d7d812b12b204

              SHA256

              3a360b5245fb85b1e69810715f046611cbcd3c1618705a638d03ad6a9fbdf7e4

              SHA512

              545fa4b8e79ed907e7fd10596ccdd27c12a27246ea0bdc59bbe362418f72589cff9caa98b2a0299068965390b914abcccf639474538820eabadc6fafdae4a9ac

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              603af92ff1ee1e81204de9a2f78bf67c

              SHA1

              385dc0e5536798918f71f2243c09943c5a60f705

              SHA256

              85414414b49fc6c7e6f0f1981635879c1cf9e4676ece0a0a6a090c09fc9d14dd

              SHA512

              2696c16c3483884ef19bbe97d66580149c22d2ce96936d1fe352edc066bcb90d59003550be776c7320bf226f11292183db2397a83c83b6cc7ff51cf6b9c40e25

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              342B

              MD5

              d52d2f3da469689da721b488422ebfb1

              SHA1

              e5bccc1eb14f3158e1c305a50cd85fe0a287ddd9

              SHA256

              1c8030e19d0df3214cf7e084da7ef125ff44bcc1217f37a6ebd8f70ea87bb912

              SHA512

              750bdeddb850ce39d5d95b93c8dbe9f05e5dd3ae078c75d2b5f41633a99ae3d1ac30f90b1d18f1d5e4395a6130663adeda2d17f98660b2d4f8db715955aa6250

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z62wpf5\imagestore.dat
              Filesize

              28KB

              MD5

              21183d1247529795982975572c09a143

              SHA1

              9c4854d9d405fced88bc815b71ebcd6da1415c41

              SHA256

              177e86fe020a3a3fd47edd790477851b935724e2df0dd575ca2c0806f77f0883

              SHA512

              7db29666976a4987a798bb632e01297d03964627f60e3f46f9a85db21398c97ff80afa666c807cd26252dff95460ebe7fccb211792abdd35fe38536ad8f1d6e6

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\ec2c34cadd4b5f4594415127380a85e6[1].ico
              Filesize

              23KB

              MD5

              ec2c34cadd4b5f4594415127380a85e6

              SHA1

              e7e129270da0153510ef04a148d08702b980b679

              SHA256

              128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

              SHA512

              c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\suggestions[1].en-US
              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Cab21D9.tmp
              Filesize

              61KB

              MD5

              e71c8443ae0bc2e282c73faead0a6dd3

              SHA1

              0c110c1b01e68edfacaeae64781a37b1995fa94b

              SHA256

              95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

              SHA512

              b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\CabFF29.tmp
              Filesize

              61KB

              MD5

              fc4666cbca561e864e7fdf883a9e6661

              SHA1

              2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

              SHA256

              10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

              SHA512

              c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Tar210C.tmp
              Filesize

              161KB

              MD5

              73b4b714b42fc9a6aaefd0ae59adb009

              SHA1

              efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

              SHA256

              c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

              SHA512

              73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Tar2364.tmp
              Filesize

              161KB

              MD5

              be2bec6e8c5653136d3e72fe53c98aa3

              SHA1

              a8182d6db17c14671c3d5766c72e58d87c0810de

              SHA256

              1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

              SHA512

              0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IXN5D6FX.txt
              Filesize

              605B

              MD5

              ff98f910604df8fc57d02bb3b50fb58c

              SHA1

              0822d42e8ebeaf63afd7edea0f2064607b0dd7ce

              SHA256

              f3a840561de118542d0e3237bc721a0df6fba1b17cbfaabb1337c2e0f0033878

              SHA512

              7541ec26fb935e3902d98bb050f1d45b8f08412ca35b27d7704bc63af8e738949f728cda508f3525db2645c45747e4bb2752e3a4b136c5423a8a9cf410176f11

              Download Submit
            • memory/1712-54-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-85-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-64-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-60-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-59-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-58-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-57-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-56-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-614-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download
            • memory/1712-55-0x000000013FCE0000-0x0000000140690000-memory.dmp
              Filesize

              9.7MB

              Download