30a0910cd7513bdd6351944564021794967722820a4f6ee57c4e8c7e96628928

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/YahooChecker2.exe
Size

110KB
MD5

1393c45423cb78470dd37af0c384b675
SHA1

e2d8b673aad1b05d729513ce88094fec651c4f50
SHA256

b242a04a4275e0fdb122bccbf3a620a13f55eb0cfc02d476286171e60822f65e
SHA512

b192512c1db7df14eb469dc5d4c60516f6b5c84c15ed3025a20bf2deb18e68a02db4d627df97f77cfc3f6ef254eec7119bb9eeaa00b753abe59454779fb791af
SSDEEP

3072:+gXdZt9P6D3XJ5cu0ZJlImSRedkQ67psmHJwgeu:+e34rcBlhSUdkQ6O4Jwg

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	YDetect.exe

Executes dropped EXE 1 IoCs

pid	Process
920	YDetect.exe

Loads dropped DLL 5 IoCs

pid	Process
920	YDetect.exe
920	YDetect.exe
920	YDetect.exe
920	YDetect.exe
920	YDetect.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 920	216	YahooChecker2.exe	87
PID 216 wrote to memory of 920	216	YahooChecker2.exe	87
PID 216 wrote to memory of 920	216	YahooChecker2.exe	87

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\YahooChecker2.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\YahooChecker2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\YDetect.exe
  C:\Users\Admin\AppData\Local\Temp\YDetect.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb710A.tmp\System.dll

Filesize
9KB

MD5
ae182dc797cd9ad2c025066692fc041b

SHA1
7ee5f057be9febfa77f698a1b12213a5bbdd4742

SHA256
b214f6d6c4d27f749105f7e8846a7c2d475dbcc966876370b5a7dab6e4b8a471

SHA512
2a9a200d067df47638a86f4f058c6d78fb59bd064c65650cae5022a62a3714e33f93f6af1dd599fda180d5af18f432835a1f909807f4fb459aa9d6c24e3fbab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydetect.exe

Filesize
77KB

MD5
48a2afeb63131a434bcc00335e656a0f

SHA1
c7eca0cbed929fd30a110d61ba1b419a4be85327

SHA256
1330f6cd27c84e9c2011111a9ca179c1eadd755b3a17059c9e73f08d3f4b5ddf

SHA512
25a6b6081f3edef1ff46452cfaca710773fae721037fe90acc053d7108a29853b68ac80a14b265a810aa0d2cabf9a2ba909bf38721e9192b37b2db40f9781185

Download Submit