Analysis

max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 18:44

Static task: static1

Behavioral task: behavioral1
  Sample: YNAB 4_4.3.857_Setup.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: YNAB 4_4.3.857_Setup.exe
  Resource: win10v2004-20240221-en
General

Target: YNAB 4_4.3.857_Setup.exe
Size: 20.2MB
MD5: a25c0a73350a99559f1e30c2f86ad0b9
SHA1: e537d5658b67739724e5ee38f9075b453052f1cf
SHA256: f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6
SHA512: 7c5fc8e35fb0bb009c01fd9f4784bb2902b3298cd644fa8664c2fcfd44f2ad0dc0c20990f2d02408a1a3fdc9b8afcf80f433b8e23b9e988f5358266cf80a0de3
SSDEEP: 393216:GMBVYD1nCAMtsTDzoFYJ3wERZRdW/r7wPLSSkkUYkNMYlC7Ele8lW4a4oUJmGx9P:GMvYpAtsT3oiVfK/APLS/+u87we8UbU9
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
2288  YNAB 4_4.3.857_Setup.tmp
2416  YNAB 4.exe
4776  YNAB 4.exe
4252  YNAB 4.exe

Loads dropped DLL (3 IoCs)
pid   Process
2416  YNAB 4.exe
4776  YNAB 4.exe
4252  YNAB 4.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (26 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                   Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  YNAB 4.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0       YNAB 4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  YNAB 4.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0       YNAB 4.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  YNAB 4.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0       YNAB 4.exe
Modifies registry class (56 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                        pid   Process
Token: 33                          3040  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  3040  AUDIODG.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
2288  YNAB 4_4.3.857_Setup.tmp
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2416  YNAB 4.exe
4252  YNAB 4.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process                   procid_target
PID 2188 wrote to memory of 2288   2188  YNAB 4_4.3.857_Setup.exe  89
PID 2188 wrote to memory of 2288   2188  YNAB 4_4.3.857_Setup.exe  89
PID 2188 wrote to memory of 2288   2188  YNAB 4_4.3.857_Setup.exe  89
PID 2288 wrote to memory of 2416   2288  YNAB 4_4.3.857_Setup.tmp  96
PID 2288 wrote to memory of 2416   2288  YNAB 4_4.3.857_Setup.tmp  96
PID 2288 wrote to memory of 2416   2288  YNAB 4_4.3.857_Setup.tmp  96
Processes

C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"
  PID: 2188
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-MR719.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$6006A,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"
      PID: 2288
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\YNAB 4\YNAB 4.exe
          Command line: "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
          PID: 2416
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\YNAB 4\YNAB 4.exe
  Command line: "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
  PID: 4776
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry

    C:\WINDOWS\SysWOW64\hostname.exe
      Command line: "C:\WINDOWS\system32\hostname.exe"
      PID: 2736

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x4bc
  PID: 3040
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\YNAB 4\YNAB 4.exe
  Command line: "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
  PID: 4252
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads