7462809739b96455ae2f24a3a0089574147185ae67d602d42db2314bdeb101b7

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe
Size

121.8MB
MD5

f456565c272ac8ad9d0751b76cc026bc
SHA1

d2f80b5f1d5756e890a89cca5532dabe8e466d11
SHA256

00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9
SHA512

a890eb73154f7c292f5b608646b5303f098423b1c3476f062b71accce0dbde9f41ab170cadfd26912d747524b5dede68d9b81c4eb5147571748a40a9033dc3bc
SSDEEP

393216:4ezBr1SCF0LIUYuFBmY54NEZPb+ON8BM+:4kBrxM5YuF4jNePbH2M+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
2332	YTDSetup.exe

Loads dropped DLL 12 IoCs

pid	Process
2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe
2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe
2332	YTDSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	YTDSetup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2364 wrote to memory of 2256	2364	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe	28
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29
PID 2256 wrote to memory of 2332	2256	00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp	29

C:\Users\Admin\AppData\Local\Temp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe
"C:\Users\Admin\AppData\Local\Temp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\is-H9R1S.tmp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H9R1S.tmp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp" /SL5="$80120,126715381,999936,C:\Users\Admin\AppData\Local\Temp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\is-B2UHN.tmp\YTDSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-B2UHN.tmp\YTDSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-B2UHN.tmp\YTDSetup.exe

Filesize
4.1MB

MD5
143a039bc23cd6f43856acf35ff5ca40

SHA1
d30ec287389b6f923e0fb1f3932af5af246806f4

SHA256
09e689c5cd3afe91bc421eee5299f2728554f708d050b99e27588f4b9dd2322c

SHA512
fab2152117d1aafbf7bde75213c84bab6e746eb92c833d86196f4e1acabedef8540af4f03bde5cf78aef15bd36947596a77cb13492cc59a85f9c3df30b3e95ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B2UHN.tmp\YTDSetup.exe

Filesize
4.1MB

MD5
f4fbe99276cf4afc2abafb2f8ae1251f

SHA1
455b8e2e4f7837a6cdfd3ce1bd224cb676c32a72

SHA256
a1d23560664c7757b9e6cf41f001923f7284d7ce07c5a8bdd23bda2dbcb6991a

SHA512
9fc0e4b68e8cf236715d06ae273f136e426c73f59124218796652c72afc89f16a75208fd941f942e3ca3228e4e7fdfac680da0e0055cb0370ed63c779299aef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy5968.tmp\NSISHelper.dll

Filesize
401KB

MD5
373c6ac98ae82cf341394215d28b5830

SHA1
2e3542372f1e520cdd47d30035dda85fdd2b11f9

SHA256
5cfd1ab1740c4a68cae314157468423dcd7b0ffe873b91257e10fa28169a7d18

SHA512
6d0a31a6c5c4b965633f943eaa15d3495be072f035d97deac27690d6a6a6890a8f817b406153fbba5a8862675b4f3015ac9e93fc8b6d90b1c4b029857123a117

Download Submit
\Users\Admin\AppData\Local\Temp\is-B2UHN.tmp\YTDSetup.exe

Filesize
3.7MB

MD5
815996b98789cd1bdcacf71838ba7eda

SHA1
2a6832e335dbc0d1da01cfb06bbc03fb244fce03

SHA256
a0987e62bb195fba360e5c393fc1a6dc945e126eb6b3dff0cb3de068be31d2d4

SHA512
b59321ded09799db6eb062785d9490ba7e64e050575405d72259b98bd3bfc6df3f89d11f17a318a1f40a423f22c4d1ae6e836d897ae7c2c3190b5a4ae2996d5e

Download Submit
\Users\Admin\AppData\Local\Temp\is-B2UHN.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Local\Temp\is-H9R1S.tmp\00b4442af9d1fa3ed6dacb22bd133c65278f3c0aca9c331c16035f6b77c428f9.tmp

Filesize
3.2MB

MD5
f95ada73befa755b571eb48a45a9d3d2

SHA1
b9e468de9711bec40c2c7ad846fda0d28aadb78e

SHA256
b90ac9da590ba7de19414b7ba6fbece13ba0c507f1d6be2be2b647091f5779f0

SHA512
327c4b535e8b19bc1c4340e768ea025357f1e200c43ced9ebc92903cc6ae305c31fb57e0fb81ebad9e80a96fb2f6cadc97a7b8c6ff5c34bf5e07e58014b03399

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5968.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5968.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5968.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
\Users\Admin\AppData\Local\Temp\nsy5968.tmp\nsisdl.dll

Filesize
15KB

MD5
ba2cc9634ebed71cea697a31144af802

SHA1
8221c522b24f4808f66a476381db3e6455eab5c3

SHA256
9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba

SHA512
dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

Download Submit
memory/2256-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2256-70-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/2364-1-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2364-72-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download