Analysis Overview
SHA256
0b8c847eb78a586597beec4b5efc14118f315b7dbcc41b69f863e6f2d315eaa7
Threat Level: Known bad
The file 217.exe was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat
VMProtect packed file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Enumerates connected drives
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 04:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-08 04:32
Reported
2023-12-08 04:35
Platform
win10-20231129-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File created | C:\Windows\SysWOW64\YingInstall\409.ini | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\yybrowser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Token: 33 | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4168 wrote to memory of 3100 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 4168 wrote to memory of 3100 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 4168 wrote to memory of 3100 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\217.exe
"C:\Users\Admin\AppData\Local\Temp\217.exe"
C:\Users\Public\Documents\yybrowser.exe
C:\Users\Public\Documents\yybrowser.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oggfcv.lol | udp |
| SG | 206.238.220.217:2025 | oggfcv.lol | tcp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.220.238.206.in-addr.arpa | udp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\20231208043322202~YingInstall-TopFramePicture.bmp
| MD5 | a528a1efb19f5bee2fa74cd8650dab24 |
| SHA1 | 51b72c994283ec899a32732bc60655d3039138a8 |
| SHA256 | d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608 |
| SHA512 | bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a |
C:\Users\Public\Documents\yybrowser.exe
| MD5 | 46343a46271dcaddf9f5192118d4190a |
| SHA1 | 998d84a369d392c76b60082f9e4da31bfff4dc53 |
| SHA256 | f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001 |
| SHA512 | 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d |
C:\Users\Public\Documents\dwutility.dll
| MD5 | 71918ce3973e4741542022287de9f947 |
| SHA1 | 21baae8623f8ade60954193cf6b2899ff868ccab |
| SHA256 | d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0 |
| SHA512 | f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf |
C:\Users\Public\Documents\dwbase.dll
| MD5 | b87e123f675b38a7e5b15b0515040bed |
| SHA1 | fe5a958192effbf379f8a3331863069bb1d886a2 |
| SHA256 | 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05 |
| SHA512 | 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1 |
C:\Users\Public\Documents\MSVCP140.dll
| MD5 | 8b1d762ddec577e6bee5ceff79d34811 |
| SHA1 | d8a266dab792952415f7bea84843c412418627d5 |
| SHA256 | 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610 |
| SHA512 | dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4 |
\Users\Public\Documents\dwbase.dll
| MD5 | b87e123f675b38a7e5b15b0515040bed |
| SHA1 | fe5a958192effbf379f8a3331863069bb1d886a2 |
| SHA256 | 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05 |
| SHA512 | 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1 |
memory/3100-60-0x0000000010000000-0x00000000100A0000-memory.dmp
memory/3100-61-0x0000000010000000-0x00000000100A0000-memory.dmp
\Users\Public\Documents\meshrpc.dll
| MD5 | 007b92f069cc2445120bcd55ffb01f86 |
| SHA1 | 20c368c75a7f27985d3ba025d96de4404fdbcbd2 |
| SHA256 | 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548 |
| SHA512 | bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e |
C:\Users\Public\Documents\libcurl.dll
| MD5 | 7870f90ed274348346f499dca9716c6d |
| SHA1 | a898355b54b17a80b298210ccb00228384dd2e85 |
| SHA256 | d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d |
| SHA512 | 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b |
\Users\Public\Documents\dwutility.dll
| MD5 | 71918ce3973e4741542022287de9f947 |
| SHA1 | 21baae8623f8ade60954193cf6b2899ff868ccab |
| SHA256 | d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0 |
| SHA512 | f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf |
C:\Users\Public\Documents\VCRUNTIME140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
\Users\Public\Documents\libcurl.dll
| MD5 | 7870f90ed274348346f499dca9716c6d |
| SHA1 | a898355b54b17a80b298210ccb00228384dd2e85 |
| SHA256 | d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d |
| SHA512 | 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b |
\Users\Public\Documents\msvcp140.dll
| MD5 | 8b1d762ddec577e6bee5ceff79d34811 |
| SHA1 | d8a266dab792952415f7bea84843c412418627d5 |
| SHA256 | 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610 |
| SHA512 | dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4 |
\Users\Public\Documents\vcruntime140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
\Users\Public\Documents\msvcp140.dll
| MD5 | 8b1d762ddec577e6bee5ceff79d34811 |
| SHA1 | d8a266dab792952415f7bea84843c412418627d5 |
| SHA256 | 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610 |
| SHA512 | dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4 |
C:\Users\Public\Documents\meshrpc.dll
| MD5 | 007b92f069cc2445120bcd55ffb01f86 |
| SHA1 | 20c368c75a7f27985d3ba025d96de4404fdbcbd2 |
| SHA256 | 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548 |
| SHA512 | bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e |
memory/3100-63-0x00000000034D0000-0x00000000034D1000-memory.dmp
memory/3100-65-0x0000000003620000-0x000000000367F000-memory.dmp
memory/3100-66-0x00000000037D0000-0x0000000003959000-memory.dmp
memory/3100-70-0x00000000037D0000-0x0000000003959000-memory.dmp
memory/3100-69-0x00000000037D0000-0x0000000003959000-memory.dmp
memory/3100-71-0x00000000037D0000-0x0000000003959000-memory.dmp
memory/3100-72-0x00000000037D0000-0x0000000003959000-memory.dmp
memory/3100-74-0x00000000037D0000-0x0000000003959000-memory.dmp
memory/3100-82-0x0000000010000000-0x00000000100A0000-memory.dmp
memory/3100-83-0x00000000037D0000-0x0000000003959000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-08 04:32
Reported
2023-12-08 04:34
Platform
win10v2004-20231201-en
Max time kernel
41s
Max time network
34s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\YingInstall\409.ini | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File created | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\yybrowser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 692 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 692 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 692 wrote to memory of 4220 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\217.exe
"C:\Users\Admin\AppData\Local\Temp\217.exe"
C:\Users\Public\Documents\yybrowser.exe
C:\Users\Public\Documents\yybrowser.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | oggfcv.lol | udp |
| SG | 206.238.220.217:2025 | oggfcv.lol | tcp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
| US | 8.8.8.8:53 | 217.220.238.206.in-addr.arpa | udp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.135.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\20231208043321401~YingInstall-TopFramePicture.bmp
| MD5 | a528a1efb19f5bee2fa74cd8650dab24 |
| SHA1 | 51b72c994283ec899a32732bc60655d3039138a8 |
| SHA256 | d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608 |
| SHA512 | bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a |
C:\Users\Public\Documents\yybrowser.exe
| MD5 | 46343a46271dcaddf9f5192118d4190a |
| SHA1 | 998d84a369d392c76b60082f9e4da31bfff4dc53 |
| SHA256 | f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001 |
| SHA512 | 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d |
C:\Users\Public\Documents\dwutility.dll
| MD5 | 71918ce3973e4741542022287de9f947 |
| SHA1 | 21baae8623f8ade60954193cf6b2899ff868ccab |
| SHA256 | d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0 |
| SHA512 | f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf |
C:\Users\Public\Documents\meshrpc.dll
| MD5 | 007b92f069cc2445120bcd55ffb01f86 |
| SHA1 | 20c368c75a7f27985d3ba025d96de4404fdbcbd2 |
| SHA256 | 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548 |
| SHA512 | bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e |
C:\Users\Public\Documents\dwutility.dll
| MD5 | 71918ce3973e4741542022287de9f947 |
| SHA1 | 21baae8623f8ade60954193cf6b2899ff868ccab |
| SHA256 | d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0 |
| SHA512 | f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf |
C:\Users\Public\Documents\meshrpc.dll
| MD5 | 007b92f069cc2445120bcd55ffb01f86 |
| SHA1 | 20c368c75a7f27985d3ba025d96de4404fdbcbd2 |
| SHA256 | 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548 |
| SHA512 | bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e |
C:\Users\Public\Documents\libcurl.dll
| MD5 | 7870f90ed274348346f499dca9716c6d |
| SHA1 | a898355b54b17a80b298210ccb00228384dd2e85 |
| SHA256 | d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d |
| SHA512 | 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b |
C:\Users\Public\Documents\VCRUNTIME140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
C:\Users\Public\Documents\MSVCP140.dll
| MD5 | 8b1d762ddec577e6bee5ceff79d34811 |
| SHA1 | d8a266dab792952415f7bea84843c412418627d5 |
| SHA256 | 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610 |
| SHA512 | dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4 |
C:\Users\Public\Documents\vcruntime140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
C:\Users\Public\Documents\libcurl.dll
| MD5 | 7870f90ed274348346f499dca9716c6d |
| SHA1 | a898355b54b17a80b298210ccb00228384dd2e85 |
| SHA256 | d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d |
| SHA512 | 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b |
C:\Users\Public\Documents\vcruntime140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
C:\Users\Public\Documents\msvcp140.dll
| MD5 | 8b1d762ddec577e6bee5ceff79d34811 |
| SHA1 | d8a266dab792952415f7bea84843c412418627d5 |
| SHA256 | 75c8af58e84c4992d4d2013641e2916310c71d292bb808083077510ef5163610 |
| SHA512 | dd38a5db80b7755c5543e0d3a16fdf6fc2075d80d7a24e5b4a99e5e6dbeda6fc061ee182586363a79bacd1fb831a6399eed2b56af4351ba2ecd30aa8177fb7f4 |
memory/4220-61-0x0000000010000000-0x00000000100A0000-memory.dmp
memory/4220-60-0x0000000010000000-0x00000000100A0000-memory.dmp
C:\Users\Public\Documents\dwbase.dll
| MD5 | b87e123f675b38a7e5b15b0515040bed |
| SHA1 | fe5a958192effbf379f8a3331863069bb1d886a2 |
| SHA256 | 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05 |
| SHA512 | 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1 |
C:\Users\Public\Documents\dwbase.dll
| MD5 | b87e123f675b38a7e5b15b0515040bed |
| SHA1 | fe5a958192effbf379f8a3331863069bb1d886a2 |
| SHA256 | 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05 |
| SHA512 | 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1 |
memory/4220-63-0x00000000035A0000-0x00000000035A1000-memory.dmp
memory/4220-65-0x00000000036F0000-0x000000000374F000-memory.dmp
memory/4220-66-0x00000000038A0000-0x0000000003A29000-memory.dmp
memory/4220-70-0x00000000038A0000-0x0000000003A29000-memory.dmp
memory/4220-71-0x00000000038A0000-0x0000000003A29000-memory.dmp
memory/4220-69-0x00000000038A0000-0x0000000003A29000-memory.dmp
memory/4220-72-0x00000000038A0000-0x0000000003A29000-memory.dmp
memory/4220-74-0x00000000038A0000-0x0000000003A29000-memory.dmp
memory/4220-82-0x0000000010000000-0x00000000100A0000-memory.dmp
memory/4220-83-0x00000000038A0000-0x0000000003A29000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2023-12-08 04:32
Reported
2023-12-08 04:34
Platform
win11-20231129-en
Max time kernel
34s
Max time network
11s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File created | C:\Windows\SysWOW64\YingInstall\409.ini | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\yybrowser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 5116 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 5116 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\217.exe
"C:\Users\Admin\AppData\Local\Temp\217.exe"
C:\Users\Public\Documents\yybrowser.exe
C:\Users\Public\Documents\yybrowser.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oggfcv.lol | udp |
| SG | 206.238.220.217:2025 | oggfcv.lol | tcp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\20231208043322327~YingInstall-TopFramePicture.bmp
| MD5 | a528a1efb19f5bee2fa74cd8650dab24 |
| SHA1 | 51b72c994283ec899a32732bc60655d3039138a8 |
| SHA256 | d9295a5e215cf9f1c2dd5b9aa5deb1ee46619202b5814296ca73777506846608 |
| SHA512 | bcf8db6c25868a5d48ef887046143ed504690084673ff71c886dc17de8f65482e773b3a5867cab89e310ac03f1a37f3661d1117230fbcb7d85071fcf2b34c15a |
C:\Users\Public\Documents\yybrowser.exe
| MD5 | 46343a46271dcaddf9f5192118d4190a |
| SHA1 | 998d84a369d392c76b60082f9e4da31bfff4dc53 |
| SHA256 | f8c240a51a27735b4f5ee856fb7a9a01aa0d89351f326ee4892a3ca34fbd2001 |
| SHA512 | 2a5f642ab06f91907fc9eafeac9325709e318d11813f76da5bc15eb81f06d43832cde850dd10e24b8d8dc2893a15dce7a76389a199a9cb11d4ffdf864190e03d |
C:\Users\Public\Documents\dwbase.dll
| MD5 | b87e123f675b38a7e5b15b0515040bed |
| SHA1 | fe5a958192effbf379f8a3331863069bb1d886a2 |
| SHA256 | 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05 |
| SHA512 | 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1 |
C:\Users\Public\Documents\dwutility.dll
| MD5 | 71918ce3973e4741542022287de9f947 |
| SHA1 | 21baae8623f8ade60954193cf6b2899ff868ccab |
| SHA256 | d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0 |
| SHA512 | f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf |
C:\Users\Public\Documents\meshrpc.dll
| MD5 | 007b92f069cc2445120bcd55ffb01f86 |
| SHA1 | 20c368c75a7f27985d3ba025d96de4404fdbcbd2 |
| SHA256 | 6626e0372f50083c275eb1803c6d04fb29a201d731918f0c4e00a0aa4576a548 |
| SHA512 | bb9a763961f070c43a48a7a257830b4273a1d1b91f17aa496f851a1a1286b3e070167c6a657b99333a1c4c36e2d04210de661ce74792d4fe6dc12581f340ef8e |
C:\Users\Public\Documents\dwbase.dll
| MD5 | b87e123f675b38a7e5b15b0515040bed |
| SHA1 | fe5a958192effbf379f8a3331863069bb1d886a2 |
| SHA256 | 5a8d4d49185c6589314c50dccdf4a178337ec92cb18533c770cf29571c6f0b05 |
| SHA512 | 531620d704c70a7ca77ce91e9788d55217adbaa8053ea912ede7ff5c44792ca0cb43fe08d0fb5173d0bb48a678887d697aab71c2447d378c497d41f4d53281d1 |
C:\Users\Public\Documents\dwutility.dll
| MD5 | 71918ce3973e4741542022287de9f947 |
| SHA1 | 21baae8623f8ade60954193cf6b2899ff868ccab |
| SHA256 | d0ad9d27d1d1e6926cc8be711f0bfb53d7e19eddfc4b7e94d5f0aa20641a6ae0 |
| SHA512 | f58e7409b7a7e085bf36e9ec1c123409a75b71f1a09a4c85a59ff7436a7cf1020b2acd2782c92dd28141affacd996512fb6acfa9621000ebac08c0257dca8aaf |
C:\Users\Public\Documents\vcruntime140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
C:\Users\Public\Documents\libcurl.dll
| MD5 | 7870f90ed274348346f499dca9716c6d |
| SHA1 | a898355b54b17a80b298210ccb00228384dd2e85 |
| SHA256 | d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d |
| SHA512 | 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b |
C:\Users\Public\Documents\vcruntime140.dll
| MD5 | ac85fa80b4c9bcab021ba214c56f7f3e |
| SHA1 | f4a03bed71041c21b4f0b56039f207f8ad97662e |
| SHA256 | 23c50ab4a82ab5017f90d4b48d4589a48c501437590cfd94b0e8d29aa3ccfede |
| SHA512 | 8e3770cf11695da9182d664f46ddd28d6b213f080f6af57ce3c2525a7308822dffc558ee725f16686440c7e485d913012a0914b822c45708c1a9766c6cb84928 |
memory/4848-62-0x0000000010000000-0x00000000100A0000-memory.dmp
C:\Users\Public\Documents\libcurl.dll
| MD5 | 7870f90ed274348346f499dca9716c6d |
| SHA1 | a898355b54b17a80b298210ccb00228384dd2e85 |
| SHA256 | d4e407cdc4a38416c2f512c021a70117f8114964a622957098f8d8d062056f3d |
| SHA512 | 68969b34d54ba961490cbeb832daa0c5b315289881dcce7ad0561938f413b1a19e23c3947ef93e0b5ddd1335f120ef4da6eb955e8b66a1391895c950da9c767b |
C:\Users\Public\Documents\vcruntime140.dll
C:\Users\Public\Documents\msvcp140.dll
C:\Users\Public\Documents\meshrpc.dll
C:\Users\Public\Documents\VCRUNTIME140.dll
C:\Users\Public\Documents\MSVCP140.dll
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 04:32
Reported
2023-12-08 04:35
Platform
win7-20231023-en
Max time kernel
131s
Max time network
130s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ying-UnInstall.exe | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| File created | C:\Windows\SysWOW64\YingInstall\409.ini | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\yybrowser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Token: 33 | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Public\Documents\yybrowser.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 2744 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 2744 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
| PID 2744 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\217.exe | C:\Users\Public\Documents\yybrowser.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\217.exe
"C:\Users\Admin\AppData\Local\Temp\217.exe"
C:\Users\Public\Documents\yybrowser.exe
C:\Users\Public\Documents\yybrowser.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oggfcv.lol | udp |
| SG | 206.238.220.217:2025 | oggfcv.lol | tcp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
| SG | 206.238.220.217:8888 | oggfcv.lol | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2023120804332370~YingInstall-TopFramePicture.bmp
\Users\Public\Documents\yybrowser.exe
C:\Users\Public\Documents\yybrowser.exe
C:\Users\Public\Documents\meshrpc.dll
\Users\Public\Documents\meshrpc.dll
C:\Users\Public\Documents\MSVCP140.dll
\Users\Public\Documents\msvcp140.dll
C:\Users\Public\Documents\VCRUNTIME140.dll
\Users\Public\Documents\vcruntime140.dll
C:\Users\Public\Documents\dwutility.dll
C:\Users\Public\Documents\libcurl.dll
\Users\Public\Documents\dwutility.dll
\Users\Public\Documents\libcurl.dll
C:\Users\Public\Documents\dwbase.dll
\Users\Public\Documents\dwbase.dll