Analysis
Max time kernel: 122s
Max time network: 149s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 22/02/2024, 18:44
Static task: static1
Behavioral task: behavioral1
  Sample: YNAB 4_4.3.857_Setup.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: YNAB 4_4.3.857_Setup.exe
  Resource: win10v2004-20240221-en
General
Target: YNAB 4_4.3.857_Setup.exe
Size: 20.2MB
MD5: a25c0a73350a99559f1e30c2f86ad0b9
SHA1: e537d5658b67739724e5ee38f9075b453052f1cf
SHA256: f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6
SHA512: 7c5fc8e35fb0bb009c01fd9f4784bb2902b3298cd644fa8664c2fcfd44f2ad0dc0c20990f2d02408a1a3fdc9b8afcf80f433b8e23b9e988f5358266cf80a0de3
SSDEEP: 393216:GMBVYD1nCAMtsTDzoFYJ3wERZRdW/r7wPLSSkkUYkNMYlC7Ele8lW4a4oUJmGx9P:GMvYpAtsT3oiVfK/APLS/+u87we8UbU9
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  2264  YNAB 4_4.3.857_Setup.tmp
  2444  YNAB 4.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  1640  YNAB 4_4.3.857_Setup.exe
  2264  YNAB 4_4.3.857_Setup.tmp  (4 entries)
  2444  YNAB 4.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (26 IoCs)
  Process: YNAB 4_4.3.857_Setup.tmp (all entries)
  Description                  IoC
  File created                 C:\Program Files (x86)\YNAB 4\is-JRBJD.tmp
  File created                 C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-6QMF7.tmp
  File created                 C:\Program Files (x86)\YNAB 4\assets\is-72U5T.tmp
  File created                 C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\is-S010J.tmp
  File created                 C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-NUAB5.tmp
  File created                 C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-IDGSF.tmp
  File created                 C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\WebKit\is-GE2E7.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-EQG4J.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-UTC62.tmp
  File created                 C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Resources\is-BPOO5.tmp
  File created                 C:\Program Files (x86)\YNAB 4\assets\is-7P1J0.tmp
  File created                 C:\Program Files (x86)\YNAB 4\assets\is-S10BN.tmp
  File created                 C:\Program Files (x86)\YNAB 4\assets\is-UGN59.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-KARNU.tmp
  File created                 C:\Program Files (x86)\YNAB 4\unins000.dat
  File created                 C:\Program Files (x86)\YNAB 4\is-PNHHU.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-57EM6.tmp
  File created                 C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-Q4CO8.tmp
  File created                 C:\Program Files (x86)\YNAB 4\META-INF\AIR\is-9DEOM.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-S0K0A.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-E1RJN.tmp
  File created                 C:\Program Files (x86)\YNAB 4\assets\is-0RFTF.tmp
  File created                 C:\Program Files (x86)\YNAB 4\assets\is-IIA8L.tmp
  File created                 C:\Program Files (x86)\YNAB 4\is-JBOVM.tmp
  File created                 C:\Program Files (x86)\YNAB 4\META-INF\is-1GQOD.tmp
  File opened for modification C:\Program Files (x86)\YNAB 4\unins000.dat
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: YNAB 4.exe (all entries)
  Description        IoC
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Modifies registry class (56 IoCs)
  Process: YNAB 4_4.3.857_Setup.tmp (all entries)
  Description      IoC
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ynab4
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\ = "com.ynab.YNAB4.qfx"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qfx\Extension = ".qfx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.ofx
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qif
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\ = "Open with YNAB 4"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\""
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\Content Type = "application/vnd.ynab.ofx"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.qif\Extension = ".qif"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\ = "Open with YNAB 4"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\ = "Bank File (Opened by YNAB 4)"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\ = "Bank File (Opened by YNAB 4)"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\ = "com.ynab.YNAB4.qif"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.qif\Content Type = "application/vnd.ynab.qif"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\ = "com.ynab.YNAB4.ynab4"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.qif
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/vnd.ynab.qfx
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\ = "Bank File (Opened by YNAB 4)"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\ = "Open with YNAB 4"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\shell\open\command\ = "\"C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe\" \"%1\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4\Content Type = "application/vnd.ynab.ynab4"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx\Content Type = "application/vnd.ynab.qfx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\shell
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\ = "Open with YNAB 4"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qif\DefaultIcon
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\DefaultIcon\ = "C:\\Program Files (x86)\\YNAB 4\\YNAB 4.exe,0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ofx\Extension = ".ofx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\DefaultIcon
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx\ = "com.ynab.YNAB4.ofx"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.qfx
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.ynab4
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ynab.ynab4\Extension = ".ynab4"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ofx\shell\open\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\DefaultIcon
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.qfx\shell\open\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\com.ynab.YNAB4.ynab4\ = "YNAB 4 Budget File"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.ofx
Modifies system certificate store (3 IoCs)
  Process: YNAB 4.exe (all entries)
  Description       IoC
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob data not shown]
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob data not shown]
Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  2264  YNAB 4_4.3.857_Setup.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  2444  YNAB 4.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Description                    PID   Process                   Target procid
  PID 1640 wrote to memory of 2264  1640  YNAB 4_4.3.857_Setup.exe  28  (7 entries)
  PID 2264 wrote to memory of 2444  2264  YNAB 4_4.3.857_Setup.tmp  29  (4 entries)
  PID 2444 wrote to memory of 1864  2444  YNAB 4.exe                35  (4 entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe  (PID 1640, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp  (PID 2264, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-SUONG.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$70124,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\YNAB 4\YNAB 4.exe  (PID 2444, depth 3)
        Command line: "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Modifies system certificate store; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        C:\WINDOWS\SysWOW64\hostname.exe  (PID 1864, depth 4)
          Command line: "C:\WINDOWS\system32\hostname.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads