5ad6465351e903a2704ff19670be91ef7bd41006ce7dee6e7ce95e747312ea7f

Analysis

max time kernel
1s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

196091083b65e4cf93b8a24a65e8e5ac.exe
Size

1.6MB
MD5

196091083b65e4cf93b8a24a65e8e5ac
SHA1

52b3a71d62cd616421a85edb40c2ee2d8052864d
SHA256

5ad6465351e903a2704ff19670be91ef7bd41006ce7dee6e7ce95e747312ea7f
SHA512

f671680aebe74a847571801e5c1ec94c2f21569c0117a00f4a9a7422690940c139cabf3074c8b382f2849053d3c36d83560eaf7794e971cdd87fd37b0662d482
SSDEEP

24576:979lQGJW/ALLIgJEkmg+V91Ub5geKO6I9EFocGxy3DJci+BJG:JYGmlt91IQZIun1w

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
3892	Yama.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4324	196091083b65e4cf93b8a24a65e8e5ac.exe
4324	196091083b65e4cf93b8a24a65e8e5ac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3892	4324	196091083b65e4cf93b8a24a65e8e5ac.exe	27
PID 4324 wrote to memory of 3892	4324	196091083b65e4cf93b8a24a65e8e5ac.exe	27
PID 4324 wrote to memory of 3892	4324	196091083b65e4cf93b8a24a65e8e5ac.exe	27

C:\Users\Admin\AppData\Local\Temp\196091083b65e4cf93b8a24a65e8e5ac.exe
"C:\Users\Admin\AppData\Local\Temp\196091083b65e4cf93b8a24a65e8e5ac.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\Yama.exe
  Yama.exe x -y dll.rar
  2⤵
  - Executes dropped EXE
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-11-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-0-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4324-14-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/4324-16-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download