850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606

General

Target

7a39783b4df44b14c0bc4a9ab62c2870.exe
Size

18.9MB
MD5

7a39783b4df44b14c0bc4a9ab62c2870
SHA1

1278ed63bad5d24546584f274527a7c314df8867
SHA256

850a2cee4c34bee8c6ee76162c2ead42a8f537e59d257e495b3f0d190c8fd606
SHA512

d20beda7af98aea8d27e7423aa1fcb979bd966996848be2cccf9041a6545882be2c241c83d93df318818d7495262020927e0d82abfffe6ef5495415fd9106ca2
SSDEEP

393216:rIJm/0ywuOkd8cKjti/2gRJl9Y06abayqgiJXfd9lYbhsk8:rIJVz483iugR39YMsgqXfzlYbm

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	Host file.exe

Loads dropped DLL 4 IoCs

pid	Process
780	7a39783b4df44b14c0bc4a9ab62c2870.exe
780	7a39783b4df44b14c0bc4a9ab62c2870.exe
780	7a39783b4df44b14c0bc4a9ab62c2870.exe
780	7a39783b4df44b14c0bc4a9ab62c2870.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YTD\YTD\Uninstall.ini	7a39783b4df44b14c0bc4a9ab62c2870.exe
File opened for modification	C:\Program Files (x86)\YTD\YTD\ytd6-setup.exe	7a39783b4df44b14c0bc4a9ab62c2870.exe
File opened for modification	C:\Program Files (x86)\YTD\YTD\Uninstall.exe	7a39783b4df44b14c0bc4a9ab62c2870.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3020	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	Host file.exe
Token: SeDebugPrivilege	3020	Powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2676	780	7a39783b4df44b14c0bc4a9ab62c2870.exe	28
PID 780 wrote to memory of 2676	780	7a39783b4df44b14c0bc4a9ab62c2870.exe	28
PID 780 wrote to memory of 2676	780	7a39783b4df44b14c0bc4a9ab62c2870.exe	28
PID 780 wrote to memory of 2676	780	7a39783b4df44b14c0bc4a9ab62c2870.exe	28
PID 2676 wrote to memory of 3020	2676	Host file.exe	29
PID 2676 wrote to memory of 3020	2676	Host file.exe	29
PID 2676 wrote to memory of 3020	2676	Host file.exe	29
PID 2676 wrote to memory of 3020	2676	Host file.exe	29

C:\Users\Admin\AppData\Local\Temp\7a39783b4df44b14c0bc4a9ab62c2870.exe
"C:\Users\Admin\AppData\Local\Temp\7a39783b4df44b14c0bc4a9ab62c2870.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Roaming\Host file.exe
  "C:\Users\Admin\AppData\Roaming\Host file.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell" Copy-Item 'C:\Users\Admin\AppData\Roaming\Host file.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe'
    3⤵
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
375KB

MD5
3b5028a2d0941b8c251d9e1b54a498e0

SHA1
8743535cb2d6255ab527724f7ad7cf8ae21820c7

SHA256
197aa9b61d526ad5d6d3dc5303c27e914e7da35025bae9f77d409c33b96557bb

SHA512
5ebb5225657ea6c43bd02445a3bc59a5272a7d08cedf6c895e6886b6bd25f6687ee05226fca5c22720ed3c9314f27f503df91be982c65e4d813310244075c011

Download Submit
C:\Users\Admin\AppData\Roaming\Host file.exe

Filesize
640KB

MD5
c8d2bf10b5984639d0978a376c188f22

SHA1
4aec3555c0077b99383828d37113de5c9df0d0e0

SHA256
cceb592fdf3febdc10e629b5dca6d3f1323910562ff090b7206147988f26fbe8

SHA512
321137646b3cc94ffe4241110838b4e972e5f9df49ce0fe96ebbcd671f2063e1dad0e235054bb4cedd3e97143c903f1156404ddb72c3588e8733d6d9f37d7048

Download Submit
memory/780-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/780-31-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/780-50-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2676-70-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-62-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-52-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-53-0x00000000051A0000-0x00000000051E0000-memory.dmp

Filesize
256KB

Download
memory/2676-54-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2676-74-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-72-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-46-0x00000000000B0000-0x0000000000156000-memory.dmp

Filesize
664KB

Download
memory/2676-68-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-55-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-56-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-58-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-60-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-47-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-66-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/2676-64-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/3020-80-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/3020-82-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/3020-81-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/3020-79-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-84-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-78-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing