28eb8aa1c3e34a85b09ae93bbbcb690ee1a6c5a497eea0dda524f4737928d2c0

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 05:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
Size

240KB
MD5

098c1f8f1207b9e5aa4c4a82fc1cfb59
SHA1

d43366546518c246bfc6b9b5b52d4504bb122967
SHA256

28eb8aa1c3e34a85b09ae93bbbcb690ee1a6c5a497eea0dda524f4737928d2c0
SHA512

e78abf0f533d0c014d7ddd8a08c6874966a6ab9a85b08baf51205250bc93d35fd3d1366e275dbe76559559edd9886a68da46311b8399381086e0037cd3ad96e4
SSDEEP

6144:10B3dwqsNTNEXGlQR58EqxF6snji81RUinKq3aEESliDnl:10NdQKjeaEEpZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yhnoed.exe

Executes dropped EXE 1 IoCs

pid	Process
1384	yhnoed.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /x"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /i"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /m"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /d"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /y"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /v"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /q"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /e"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /u"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /v"	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /j"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /o"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /f"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /n"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /s"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /h"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /w"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /t"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /r"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /c"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /b"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /p"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /g"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /l"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /k"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /z"	yhnoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\yhnoed = "C:\\Users\\Admin\\yhnoed.exe /a"	yhnoed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe
1384	yhnoed.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
1384	yhnoed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1384	1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe	28
PID 1524 wrote to memory of 1384	1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe	28
PID 1524 wrote to memory of 1384	1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe	28
PID 1524 wrote to memory of 1384	1524	098c1f8f1207b9e5aa4c4a82fc1cfb59.exe	28

C:\Users\Admin\AppData\Local\Temp\098c1f8f1207b9e5aa4c4a82fc1cfb59.exe
"C:\Users\Admin\AppData\Local\Temp\098c1f8f1207b9e5aa4c4a82fc1cfb59.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\yhnoed.exe
  "C:\Users\Admin\yhnoed.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yhnoed.exe

Filesize
240KB

MD5
75821ce9399412df999d0661d80e0ed4

SHA1
eca89c0aa1e5eb97eeb8b4b8a5419ffde894da9a

SHA256
6e8732b15e1a6bcc605482dbe034b740d5b00600fd48dc363589efe5e1192e7e

SHA512
4e9118d8643984b4e4e27efcf76e012bce7ae13d3ec670087dd11935ce95003d27debeae80227b0c4442073456ac3af439ebb73dd9fc1f3188fc83e6b9601dbe

Download Submit