716b70a7ef820ccc44a05f48de7b2dd51dc0704cf0abb44742d4badd90737354 | Triage

Analysis

max time kernel
67s
max time network
109s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 03:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

yeet.exe
Size

5.6MB
MD5

5b367be63703bf2397365dcb75d9e0c3
SHA1

66c2df96a67c96a62fd54300e095436c8689e08f
SHA256

716b70a7ef820ccc44a05f48de7b2dd51dc0704cf0abb44742d4badd90737354
SHA512

da07d9558b3a55c40d1374c9abe3552b9d2ec1189affe794069a0f81b8bfc9cf080444c869b53c34db4bb04472d037d8c76150b2c3e603c1c8d75bd5c39f2537
SSDEEP

49152:lOwTwoamxUhrz6eN/opCyUX03QLaBHZRx17qWFNTRSBgA5JLDvz71sUkgVFMsoG7:W4bt8Q5SUF2cDKKByIIOW

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1744	SilverClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2980	yeet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2492	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	SilverClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1744	2980	yeet.exe	29
PID 2980 wrote to memory of 1744	2980	yeet.exe	29
PID 2980 wrote to memory of 1744	2980	yeet.exe	29
PID 1744 wrote to memory of 2492	1744	SilverClient.exe	31
PID 1744 wrote to memory of 2492	1744	SilverClient.exe	31
PID 1744 wrote to memory of 2492	1744	SilverClient.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\yeet.exe
"C:\Users\Admin\AppData\Local\Temp\yeet.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\.tmpsSyjZF\SilverClient.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpsSyjZF\SilverClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "AudioDriver_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
    3⤵
    - Creates scheduled task(s)
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\.tmpsSyjZF\SilverClient.exe

Filesize
33KB

MD5
cb02076b204f559a572b77328052581e

SHA1
8df90ed8e79c31978c65f60c6037a0fdcaabd47a

SHA256
a8cc4be05affb76902d74b7bfea8e4f8178779764ec262c0faf4178e4b5cc531

SHA512
60a787a31a2b770edfc0c53417394646ad384d6d8aa36c92f71a1a380dd74b015324f1f716896264888786421ea634f32eeeee51625b5ddecc1397caa363b407

Download Submit
memory/1744-5-0x000000013FB40000-0x000000013FB4C000-memory.dmp

Filesize
48KB

Download
memory/1744-6-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/1744-7-0x000007FEF5FC0000-0x000007FEF69AC000-memory.dmp

Filesize
9.9MB

Download
memory/1744-8-0x00000000005B0000-0x0000000000630000-memory.dmp

Filesize
512KB

Download
memory/1744-21-0x00000000005B0000-0x0000000000630000-memory.dmp

Filesize
512KB

Download