0fd0899e365646ef59c5971addf8666f066015bfe400d7977291ebb145f9937e

General

Target

88b328a1ccd518514da2fe88c61bfee2.exe
Size

364KB
MD5

88b328a1ccd518514da2fe88c61bfee2
SHA1

594b94463da34d5b23068a0c37197989728a243a
SHA256

0fd0899e365646ef59c5971addf8666f066015bfe400d7977291ebb145f9937e
SHA512

cc16ea812fa3deac3418e1c48a6eef398f609958178ccc85152a91f90d48796f9aef0c7c32a6350fab96fee742f97d47dc29347296fd126d921ed8bb16ba1d08
SSDEEP

6144:Xn8ukcbLviSGqJjW8lE0crUTMX+82IXpW0vH66RVas3Gmxq2/2eW/ZDUp/fIIbGi:Xn8HcbL6Sdvu0YUTk1ZW0vH66vW92/Cu

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

isys.exe

pid process

2908 isys.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/952-0-0x0000000000400000-0x0000000000536000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Yvol\isys.exe	upx
behavioral2/memory/2908-9-0x0000000000400000-0x0000000000536000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

isys.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{465E9DB8-556D-BCA0-3DB4-9673F0418C71} = "C:\\Users\\Admin\\AppData\\Roaming\\Yvol\\isys.exe"	isys.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

88b328a1ccd518514da2fe88c61bfee2.exe

description pid process target process

PID 952 set thread context of 3560 952 88b328a1ccd518514da2fe88c61bfee2.exe cmd.exe

description	pid	process	target process
PID 952 set thread context of 3560	952	88b328a1ccd518514da2fe88c61bfee2.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

88b328a1ccd518514da2fe88c61bfee2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Privacy	88b328a1ccd518514da2fe88c61bfee2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	88b328a1ccd518514da2fe88c61bfee2.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

isys.exe

pid	process
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe
2908	isys.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

88b328a1ccd518514da2fe88c61bfee2.exe

description	pid	process
Token: SeSecurityPrivilege	952	88b328a1ccd518514da2fe88c61bfee2.exe
Token: SeSecurityPrivilege	952	88b328a1ccd518514da2fe88c61bfee2.exe
Token: SeSecurityPrivilege	952	88b328a1ccd518514da2fe88c61bfee2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88b328a1ccd518514da2fe88c61bfee2.exeisys.exe

description	pid	process	target process
PID 952 wrote to memory of 2908	952	88b328a1ccd518514da2fe88c61bfee2.exe	isys.exe
PID 952 wrote to memory of 2908	952	88b328a1ccd518514da2fe88c61bfee2.exe	isys.exe
PID 952 wrote to memory of 2908	952	88b328a1ccd518514da2fe88c61bfee2.exe	isys.exe
PID 2908 wrote to memory of 2488	2908	isys.exe	sihost.exe
PID 2908 wrote to memory of 2488	2908	isys.exe	sihost.exe
PID 2908 wrote to memory of 2488	2908	isys.exe	sihost.exe
PID 2908 wrote to memory of 2488	2908	isys.exe	sihost.exe
PID 2908 wrote to memory of 2488	2908	isys.exe	sihost.exe
PID 2908 wrote to memory of 2540	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 2540	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 2540	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 2540	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 2540	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 2776	2908	isys.exe	taskhostw.exe
PID 2908 wrote to memory of 2776	2908	isys.exe	taskhostw.exe
PID 2908 wrote to memory of 2776	2908	isys.exe	taskhostw.exe
PID 2908 wrote to memory of 2776	2908	isys.exe	taskhostw.exe
PID 2908 wrote to memory of 2776	2908	isys.exe	taskhostw.exe
PID 2908 wrote to memory of 3588	2908	isys.exe	Explorer.EXE
PID 2908 wrote to memory of 3588	2908	isys.exe	Explorer.EXE
PID 2908 wrote to memory of 3588	2908	isys.exe	Explorer.EXE
PID 2908 wrote to memory of 3588	2908	isys.exe	Explorer.EXE
PID 2908 wrote to memory of 3588	2908	isys.exe	Explorer.EXE
PID 2908 wrote to memory of 3760	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 3760	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 3760	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 3760	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 3760	2908	isys.exe	svchost.exe
PID 2908 wrote to memory of 3940	2908	isys.exe	DllHost.exe
PID 2908 wrote to memory of 3940	2908	isys.exe	DllHost.exe
PID 2908 wrote to memory of 3940	2908	isys.exe	DllHost.exe
PID 2908 wrote to memory of 3940	2908	isys.exe	DllHost.exe
PID 2908 wrote to memory of 3940	2908	isys.exe	DllHost.exe
PID 2908 wrote to memory of 4064	2908	isys.exe	StartMenuExperienceHost.exe
PID 2908 wrote to memory of 4064	2908	isys.exe	StartMenuExperienceHost.exe
PID 2908 wrote to memory of 4064	2908	isys.exe	StartMenuExperienceHost.exe
PID 2908 wrote to memory of 4064	2908	isys.exe	StartMenuExperienceHost.exe
PID 2908 wrote to memory of 4064	2908	isys.exe	StartMenuExperienceHost.exe
PID 2908 wrote to memory of 1460	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 1460	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 1460	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 1460	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 1460	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 3756	2908	isys.exe	SearchApp.exe
PID 2908 wrote to memory of 3756	2908	isys.exe	SearchApp.exe
PID 2908 wrote to memory of 3756	2908	isys.exe	SearchApp.exe
PID 2908 wrote to memory of 3756	2908	isys.exe	SearchApp.exe
PID 2908 wrote to memory of 3756	2908	isys.exe	SearchApp.exe
PID 2908 wrote to memory of 4228	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4228	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4228	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4228	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4228	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4652	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4652	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4652	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4652	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 4652	2908	isys.exe	RuntimeBroker.exe
PID 2908 wrote to memory of 2220	2908	isys.exe	TextInputHost.exe
PID 2908 wrote to memory of 2220	2908	isys.exe	TextInputHost.exe
PID 2908 wrote to memory of 2220	2908	isys.exe	TextInputHost.exe
PID 2908 wrote to memory of 2220	2908	isys.exe	TextInputHost.exe
PID 2908 wrote to memory of 2220	2908	isys.exe	TextInputHost.exe
PID 2908 wrote to memory of 952	2908	isys.exe	88b328a1ccd518514da2fe88c61bfee2.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1460

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4228

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2220

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\88b328a1ccd518514da2fe88c61bfee2.exe
  "C:\Users\Admin\AppData\Local\Temp\88b328a1ccd518514da2fe88c61bfee2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\Yvol\isys.exe
    "C:\Users\Admin\AppData\Roaming\Yvol\isys.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp16a16787.bat"
    3⤵
    PID:3560

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2540

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp16a16787.bat

Filesize
243B

MD5
86d6145467b95c796a8b8a1c07b7dde7

SHA1
564c9fc96ce8f909622e610d48b251fb130f029a

SHA256
0e0106c16052553ad5685cf8823040d78f24f08b37e860fe53584f3d4c6921de

SHA512
1fad632a46c4cb6c0c804f6f236422e155347c02909f535510757c69bf52708e191c18268edca32cd3c4550ef41509bc1fdf06dfe5db6a206fcb50c4b51e770e

Download Submit
C:\Users\Admin\AppData\Roaming\Goutof\raaf.bay

Filesize
366B

MD5
ef160094cceef5431263f430a99c6fcc

SHA1
3db716e85e3def7b6d5f3964b87b15c9ce779cce

SHA256
ad55f04404cea64b7611df3e3f29c52bf2d2b50ddb6b52d1e53689f7bb0d3de2

SHA512
0fd8caa79822877beff8e941d208e73be11e59d5a3d222460364b5fcc79053b2c5a58c0c0b8fbb584b63b7cecc8b76915b8be599f3d34c9ddf206d6aa16761f5

Download Submit
C:\Users\Admin\AppData\Roaming\Yvol\isys.exe

Filesize
364KB

MD5
6531f2fdaec385236fbe0edf0432f074

SHA1
315154059b161e5ae83b5c499f7ff11283765703

SHA256
877f600d8e288d495ffa5e645e2933c27f5f93e48f681e3b8e500e99770f8021

SHA512
4500945b2f141b495c086c87c72edba48485f813610f40769d4d59373bb68c15c0d7fcb7606c4d0635e78c634502173c6ca394fb29b13be8d6d99f7bdf232bba

Download Submit
memory/952-3-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/952-22-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/952-0-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/952-2-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/952-11-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/952-13-0x0000000077173000-0x0000000077174000-memory.dmp

Filesize
4KB

Download
memory/952-12-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/952-14-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/952-15-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/952-17-0x0000000002630000-0x000000000266F000-memory.dmp

Filesize
252KB

Download
memory/952-1-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-29-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-34-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-41-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-40-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-38-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-10-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-28-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-30-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-32-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-36-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2908-35-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3560-21-0x0000000000FA0000-0x0000000000FDF000-memory.dmp

Filesize
252KB

Download
memory/3560-26-0x0000000000FA0000-0x0000000000FDF000-memory.dmp

Filesize
252KB

Download
memory/3560-24-0x0000000077173000-0x0000000077174000-memory.dmp

Filesize
4KB

Download
memory/3560-23-0x0000000000FA0000-0x0000000000FDF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads