Resubmissions
Submitted          Analysis ID          Score
10-08-2023 17:03   230810-vktf5ahb8w    8
10-08-2023 16:18   230810-tsd6qseh75    5
12-10-2021 18:50   211012-xg8gzschfq    10
12-10-2021 18:01   211012-wl6zaacffq    10
06-10-2021 20:46   211006-zkl49sbhbq    10
05-10-2021 18:43   211005-xde19sacb2    10
04-10-2021 21:53   211004-1rxd9ahae5    1

Analysis
max time kernel: 1797s
max time network: 1808s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-08-2023 16:18
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: ycof.dll
  Resource: win10v2004-20230703-en (windows10-2004-x64)
  3 signatures, 1800 seconds
General
Target: ycof.dll
Size: 1.1MB
MD5: 54a3bcca6b1eb92adb299a46df941826
SHA1: 6988e010056d88985b8e8f8de06706327779d3ca
SHA256: c4ab81d7b7d44dd6dfc4f2b69dbe3f22fbf23c1ae49ab8edac2d26f85ae4514d
SHA512: 4e4f10abf8a97f649060cb3eaa125a487141a42b87d2dc1449d87531d927031279bd7b48a3859ffa8f5d4400deea77022ecb00c61de8511756dc9c0d27e3f150
SSDEEP: 24576:I+Z6pjqiycCc0Ic7dYnG8896mYdB3g17yp/Xx3xShc1ZcQGcoCKVXUGGotVjYmM+:fY+ICc0t7iG88Rp7AfxBShc1ZcQGZlVx
Score: 5/10
Malware Config

Signatures

Suspicious use of SetThreadContext (1 IoC)
  Source process            Target process
  rundll32.exe (PID 3992)   msiexec.exe (PID 4996)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Process                   Token privilege adjusted
  rundll32.exe (PID 3992)   SeShutdownPrivilege
  rundll32.exe (PID 3992)   SeCreatePagefilePrivilege
  (the two privileges are adjusted alternately, six times each, all by PID 3992)

Suspicious use of WriteProcessMemory (8 IoCs)
  Source process            Target process            Count
  rundll32.exe (PID 1680)   rundll32.exe (PID 3992)   3
  rundll32.exe (PID 3992)   msiexec.exe (PID 4996)    5
Processes (PIDs taken from the signature tables above)

1. C:\Windows\system32\rundll32.exe (PID 1680)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ycof.dll,#1
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\rundll32.exe (PID 3992, child of 1)
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ycof.dll,#1
     - Suspicious use of SetThreadContext
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\msiexec.exe (PID 4996, child of 2)
       Command line: msiexec.exe
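Read together, the signature tables and the process tree describe one injection chain: the SysWOW64 rundll32.exe (PID 3992) writes into the msiexec.exe child it spawned (PID 4996) and then calls SetThreadContext on it, which is the write-payload-then-redirect-thread sequence used by process hollowing and thread hijacking. The script below is an added example and not sandbox output or code from this report: it replays the WriteProcessMemory and SetThreadContext rows as constructed event tuples (EVENTS), groups them per (source, target) pair and rates each pair by whether a write precedes a SetThreadContext. The PARENT map is assumed from the process tree, and the verdict labels are this example's own.

```python
"""Rate cross-process WriteProcessMemory / SetThreadContext pairs from
sandbox behaviour events (added example, not output of the sandbox)."""

# Constructed from the report's signature tables, in the order listed there:
# (operation, source_pid, source_image, target_pid, target_image)
EVENTS = [
    ("WriteProcessMemory", 1680, "rundll32.exe", 3992, "rundll32.exe"),
    ("WriteProcessMemory", 1680, "rundll32.exe", 3992, "rundll32.exe"),
    ("WriteProcessMemory", 1680, "rundll32.exe", 3992, "rundll32.exe"),
    ("WriteProcessMemory", 3992, "rundll32.exe", 4996, "msiexec.exe"),
    ("WriteProcessMemory", 3992, "rundll32.exe", 4996, "msiexec.exe"),
    ("WriteProcessMemory", 3992, "rundll32.exe", 4996, "msiexec.exe"),
    ("WriteProcessMemory", 3992, "rundll32.exe", 4996, "msiexec.exe"),
    ("WriteProcessMemory", 3992, "rundll32.exe", 4996, "msiexec.exe"),
    ("SetThreadContext", 3992, "rundll32.exe", 4996, "msiexec.exe"),
]

# Assumed from the process tree: child PID -> parent PID.
PARENT = {3992: 1680, 4996: 3992}

# Verdict labels (this example's own wording).
HOLLOWING = "write-then-SetThreadContext (hollowing / thread hijack pattern)"
OUT_OF_ORDER = "SetThreadContext seen before any write (inspect ordering)"
WRITE_ONLY = "cross-process write only"
CONTEXT_ONLY = "SetThreadContext without any write"


def find_injection_chains(events, parent=None):
    """Return one record per (source_pid, target_pid) pair, first-seen order.

    A pair is rated HOLLOWING when at least one WriteProcessMemory into the
    target occurs before a SetThreadContext on that target. Events are
    assumed to be in the order the sandbox observed them.
    """
    parent = parent or {}
    pairs = {}
    for idx, (op, spid, simg, tpid, timg) in enumerate(events):
        if spid == tpid:
            continue  # a process touching its own memory is not injection
        rec = pairs.setdefault((spid, tpid), {
            "source": f"{simg} (PID {spid})", "source_pid": spid,
            "target": f"{timg} (PID {tpid})", "target_pid": tpid,
            "target_is_child": parent.get(tpid) == spid,
            "writes": 0, "context_sets": 0,
            "first_write": None, "first_context_set": None,
        })
        if op == "WriteProcessMemory":
            rec["writes"] += 1
            if rec["first_write"] is None:
                rec["first_write"] = idx
        elif op == "SetThreadContext":
            rec["context_sets"] += 1
            if rec["first_context_set"] is None:
                rec["first_context_set"] = idx

    findings = []
    for rec in pairs.values():
        if rec["writes"] and rec["context_sets"]:
            ordered = rec["first_write"] < rec["first_context_set"]
            rec["verdict"] = HOLLOWING if ordered else OUT_OF_ORDER
        elif rec["writes"]:
            rec["verdict"] = WRITE_ONLY
        else:
            rec["verdict"] = CONTEXT_ONLY
        findings.append(rec)
    return findings


def hollowing_targets(events, parent=None):
    """PIDs that received a write followed by SetThreadContext: the processes
    whose memory dumps an analyst should pull first."""
    return [r["target_pid"] for r in find_injection_chains(events, parent)
            if r["verdict"] == HOLLOWING]


if __name__ == "__main__":
    for rec in find_injection_chains(EVENTS, PARENT):
        print(f"{rec['source']} -> {rec['target']}: {rec['writes']} write(s), "
              f"{rec['context_sets']} SetThreadContext, "
              f"child={rec['target_is_child']}: {rec['verdict']}")
```

The 1680 -> 3992 pair is a parent writing into the child it just created, which is also what a 64-bit rundll32.exe relaunching its SysWOW64 copy for a 32-bit DLL looks like, so it is rated lower; the 3992 -> 4996 pair is the one to act on, and its target's memory dumps (the 168KB region at 0x00F10000 in PID 4996, listed under Downloads) are the first artefact to examine.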
Network
MITRE ATT&CK Matrix
Downloads
File                                                              Filesize
memory/3992-133-0x0000000074060000-0x0000000074A96000-memory.dmp  10.2MB
memory/3992-134-0x0000000074060000-0x0000000074A96000-memory.dmp  10.2MB
memory/3992-136-0x0000000000880000-0x0000000000881000-memory.dmp  4KB
memory/3992-135-0x0000000074060000-0x0000000074A96000-memory.dmp  10.2MB
memory/3992-137-0x0000000074060000-0x0000000074A96000-memory.dmp  10.2MB
memory/3992-138-0x0000000000880000-0x0000000000881000-memory.dmp  4KB
memory/3992-184-0x0000000074060000-0x0000000074A96000-memory.dmp  10.2MB
memory/4996-183-0x0000000000F10000-0x0000000000F3A000-memory.dmp  168KB
memory/4996-185-0x0000000000F10000-0x0000000000F3A000-memory.dmp  168KB
memory/4996-188-0x0000000000F10000-0x0000000000F3A000-memory.dmp  168KB
memory/4996-187-0x0000000000F10000-0x0000000000F3A000-memory.dmp  168KB
memory/4996-190-0x0000000000F10000-0x0000000000F3A000-memory.dmp  168KB