9f8573f56d1ab71935f3a47c074ec7071b2ebf87e6e9e4f0b1cef9b866c333ee

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YDArk(系统内核辅助)_v1.0.1.11_Sign.exe
Size

12.6MB
MD5

8198b596db9c5379f588fa530d89bf38
SHA1

22c13c98777bfe9faf70f2f191d5c192ac5fede1
SHA256

9f8573f56d1ab71935f3a47c074ec7071b2ebf87e6e9e4f0b1cef9b866c333ee
SHA512

bf53571bd6dfcb8b38fc1b18f7aa0d05b50e7d656666f3b5d5e2452e10dc4b1fe8d35a9053770799081fdb327e537c8779e5c68465af458708322c414b13f063
SSDEEP

393216:zkau45J10twUXoo/iBt0YC6f3qzW6+6+sjoLr:zkaZ5X05Xocgt0XHr+sj0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
556	YDArk.exe

Loads dropped DLL 1 IoCs

pid	Process
556	YDArk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
556	YDArk.exe
556	YDArk.exe
556	YDArk.exe
556	YDArk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
556	YDArk.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
676	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	YDArk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
556	YDArk.exe
556	YDArk.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 556	2628	YDArk(系统内核辅助)_v1.0.1.11_Sign.exe	88
PID 2628 wrote to memory of 556	2628	YDArk(系统内核辅助)_v1.0.1.11_Sign.exe	88

C:\Users\Admin\AppData\Local\Temp\YDArk(系统内核辅助)_v1.0.1.11_Sign.exe
"C:\Users\Admin\AppData\Local\Temp\YDArk(系统内核辅助)_v1.0.1.11_Sign.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\YDArk\YDArk.exe
  "C:\Users\Admin\AppData\Local\Temp\YDArk\YDArk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YDArk\YDArk.exe

Filesize
11.0MB

MD5
81ec1351addcc32f1022271b42cfb317

SHA1
d1b582f8d25de0784facb382f23b94e7a18ff53b

SHA256
b971af3b2f5d14e6afdfe11bac8fd2606abbc403a2e71a1d9dda05f5bfefe5c7

SHA512
ab488306a0c07858ce40390244b94126f82e0c992dc55e3b8e3093a14cee07acb91e49b4cca3c2130b8db1bc70e46fb98f44dbf3b2d13a569848358a61785ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDArk\YDArk.exe

Filesize
11.0MB

MD5
81ec1351addcc32f1022271b42cfb317

SHA1
d1b582f8d25de0784facb382f23b94e7a18ff53b

SHA256
b971af3b2f5d14e6afdfe11bac8fd2606abbc403a2e71a1d9dda05f5bfefe5c7

SHA512
ab488306a0c07858ce40390244b94126f82e0c992dc55e3b8e3093a14cee07acb91e49b4cca3c2130b8db1bc70e46fb98f44dbf3b2d13a569848358a61785ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDArk\dbghelp.dll

Filesize
1.5MB

MD5
a5e4b3ff51cf5b7926d9651908feb666

SHA1
4ef5d229709e40f3f84e46c3a28341eadbd1a044

SHA256
13f0c74845318b52b76e6000564b1a99c37de48422b44ac74d034fa222c65a23

SHA512
0615ff581b648715461349b1622fbc208042fc8c395cb2d271203b25b036f59edb0fc3470065dc15061af1be0fff48981f55bbea7f00c88906e9b470764a86fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDArk\dbghelp.dll

Filesize
1.5MB

MD5
a5e4b3ff51cf5b7926d9651908feb666

SHA1
4ef5d229709e40f3f84e46c3a28341eadbd1a044

SHA256
13f0c74845318b52b76e6000564b1a99c37de48422b44ac74d034fa222c65a23

SHA512
0615ff581b648715461349b1622fbc208042fc8c395cb2d271203b25b036f59edb0fc3470065dc15061af1be0fff48981f55bbea7f00c88906e9b470764a86fa

Download Submit
memory/556-17-0x00007FF794D80000-0x00007FF79631F000-memory.dmp

Filesize
21.6MB

Download
memory/556-13-0x00007FFE53330000-0x00007FFE53332000-memory.dmp

Filesize
8KB

Download
memory/556-14-0x00007FFE53340000-0x00007FFE53342000-memory.dmp

Filesize
8KB

Download
memory/556-16-0x00007FFE51460000-0x00007FFE51462000-memory.dmp

Filesize
8KB

Download
memory/556-15-0x00007FFE51450000-0x00007FFE51452000-memory.dmp

Filesize
8KB

Download
memory/556-18-0x00007FFE50CF0000-0x00007FFE50CF2000-memory.dmp

Filesize
8KB

Download
memory/556-19-0x00007FFE50D00000-0x00007FFE50D02000-memory.dmp

Filesize
8KB

Download
memory/556-21-0x00007FFE53350000-0x00007FFE53352000-memory.dmp

Filesize
8KB

Download
memory/556-25-0x0000022B75A20000-0x0000022B75AA3000-memory.dmp

Filesize
524KB

Download
memory/556-26-0x00007FF794D80000-0x00007FF79631F000-memory.dmp

Filesize
21.6MB

Download