5ad6465351e903a2704ff19670be91ef7bd41006ce7dee6e7ce95e747312ea7f

General

Target

196091083b65e4cf93b8a24a65e8e5ac.exe
Size

1.6MB
MD5

196091083b65e4cf93b8a24a65e8e5ac
SHA1

52b3a71d62cd616421a85edb40c2ee2d8052864d
SHA256

5ad6465351e903a2704ff19670be91ef7bd41006ce7dee6e7ce95e747312ea7f
SHA512

f671680aebe74a847571801e5c1ec94c2f21569c0117a00f4a9a7422690940c139cabf3074c8b382f2849053d3c36d83560eaf7794e971cdd87fd37b0662d482
SSDEEP

24576:979lQGJW/ALLIgJEkmg+V91Ub5geKO6I9EFocGxy3DJci+BJG:JYGmlt91IQZIun1w

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
2380	Yama.exe

Loads dropped DLL 4 IoCs

pid	Process
2416	196091083b65e4cf93b8a24a65e8e5ac.exe
2416	196091083b65e4cf93b8a24a65e8e5ac.exe
2416	196091083b65e4cf93b8a24a65e8e5ac.exe
2416	196091083b65e4cf93b8a24a65e8e5ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	196091083b65e4cf93b8a24a65e8e5ac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	196091083b65e4cf93b8a24a65e8e5ac.exe
2416	196091083b65e4cf93b8a24a65e8e5ac.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2416	196091083b65e4cf93b8a24a65e8e5ac.exe
2416	196091083b65e4cf93b8a24a65e8e5ac.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2380	2416	196091083b65e4cf93b8a24a65e8e5ac.exe	28
PID 2416 wrote to memory of 2380	2416	196091083b65e4cf93b8a24a65e8e5ac.exe	28
PID 2416 wrote to memory of 2380	2416	196091083b65e4cf93b8a24a65e8e5ac.exe	28
PID 2416 wrote to memory of 2380	2416	196091083b65e4cf93b8a24a65e8e5ac.exe	28

C:\Users\Admin\AppData\Local\Temp\196091083b65e4cf93b8a24a65e8e5ac.exe
"C:\Users\Admin\AppData\Local\Temp\196091083b65e4cf93b8a24a65e8e5ac.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\Yama.exe
  Yama.exe x -y dll.rar
  2⤵
  - Executes dropped EXE
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.rar

Filesize
298KB

MD5
a3551e05fcfa735093ce1111d5dfb5ed

SHA1
9f7cb1fefa8b6ac23852317a598ede3b404a2f5e

SHA256
ec2633eddcc6a4c4969aed3c5e91f3f4dd22fffa067ad5b1c1fab77845d7ff50

SHA512
5b1d07c7b6a981b9864561fe35f724573ad85476904ab1c2fc3938554a6044e02a773e4b1632afe5bed3de4c35aa2c2a5b63e458c6e9a7aa7f7aa1c214fa9dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\libeay32.dll

Filesize
676KB

MD5
c1b41ce18f8065a5b0ce66a4fba48794

SHA1
1ee5afc40dc923bf6343618b50b445ba048bf60d

SHA256
3b6cfd63d6489e5c7358a0ab5075231f843adbde7f9a3379d8af2d8b9e101322

SHA512
f5d9d3ba13daa665f99922d9b05b9acdc947f3be1236938960b3ccc8c3be3c3b14d8ef909b5156df4f55b9a6644409170b62f891459d3bb4d6be7868aa571b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssleay32.dll

Filesize
148KB

MD5
d4c0d211332dec5b8c11899e97f1d27c

SHA1
92e7c1a1defbaaccb38b6653b0b47dd66951dc15

SHA256
4906d6651d4c21e209f6e6ac781c5924ac18facf099f8d3f1a9b5eb9498d7565

SHA512
e1058f9b6bda518fcb10b07ece629e4031d9fd080a0fc3ea67d6a6525f22bf3ddfb4a96e4e5c4394529c98066a95e25050dd756fa9c1da127c3ccf3bb47d81f6

Download Submit
\Users\Admin\AppData\Local\Temp\Yama.exe

Filesize
197KB

MD5
b9b7dc49d1b9919b0b4aca229521fbb8

SHA1
783a32af8d3f394a0f5b6daec0e18479adbd2d91

SHA256
2d04b17232e6e73f55e56816f5d28e1a9730e26b3c9679fb002a6d5e309113ed

SHA512
a94ef1b6aa7b60bcf59475f3888804c9e80e15bce5c9bb872aaf3067e28c2134da64761da21ae83b135d7bfb440d74a0b98ff82c59721856cecd2f19124a571e

Download Submit
memory/2380-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-25-0x0000000004EA0000-0x0000000004EC5000-memory.dmp

Filesize
148KB

Download
memory/2416-19-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-20-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-21-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2416-22-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2416-27-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-28-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-29-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-30-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-31-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-32-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-35-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-36-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-37-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-38-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2416-39-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing