Analysis

  • max time kernel
    18s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/02/2024, 18:49

General

  • Target

    YNAB 4_4.3.857_Setup.exe

  • Size

    20.2MB

  • MD5

    a25c0a73350a99559f1e30c2f86ad0b9

  • SHA1

    e537d5658b67739724e5ee38f9075b453052f1cf

  • SHA256

    f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6

  • SHA512

    7c5fc8e35fb0bb009c01fd9f4784bb2902b3298cd644fa8664c2fcfd44f2ad0dc0c20990f2d02408a1a3fdc9b8afcf80f433b8e23b9e988f5358266cf80a0de3

  • SSDEEP

    393216:GMBVYD1nCAMtsTDzoFYJ3wERZRdW/r7wPLSSkkUYkNMYlC7Ele8lW4a4oUJmGx9P:GMvYpAtsT3oiVfK/APLS/+u87we8UbU9

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 56 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp" /SL5="$400F4,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Program Files (x86)\YNAB 4\YNAB 4.exe
        "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        PID:2500
  • C:\Program Files (x86)\YNAB 4\YNAB 4.exe
    "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    PID:2952
  • C:\Program Files (x86)\YNAB 4\YNAB 4.exe
    "C:\Program Files (x86)\YNAB 4\YNAB 4.exe"
    1⤵
    PID:1852
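The tree above is the standard Inno Setup launch sequence: the submitted executable is the Inno Setup loader stub (PID 3000), which unpacks the real setup program into a %TEMP%\is-XXXXX.tmp\ directory and starts it (PID 2204) with the /SL5= switch, whose last field names the original setup executable; the setup program then writes the application into Program Files and launches it (PID 2500). The _isetup\_shfoldr.dll helper listed under Downloads is another Inno Setup artefact, and the Adobe AIR.dll, YNAB.swf and META-INF\AIR\application.xml files show that the installed program is an Adobe AIR application. The two further YNAB 4.exe instances (PIDs 2952 and 1852) have no parent in the tree. Every signature the sandbox raised (dropped EXE and DLL execution, Program Files writes, registry class changes, FindShellTrayWindow, SetWindowsHookEx, WriteProcessMemory) is generic behaviour that any Inno Setup installer and AIR application produces, and the Malware Config section is empty, so the 7/10 score reads as "behaves like an installer", not as a family detection. The script below is an added example, not Tria.ge code: it rebuilds the tree from the rows above, parses the /SL5= switch and checks that the hand-off is internally consistent (the source path inside /SL5 equals the parent's image). The meaning of the two numeric /SL5 fields is not stated on this page and is left uninterpreted.

```python
"""Added example, not Tria.ge code: rebuild the process tree above and check
that it is the standard Inno Setup two-stage launch (loader stub in %TEMP%
starts the unpacked setup .tmp with /SL5=, which then runs the installed app)."""
import re

# Rows constructed from the Processes section of this report:
# (nesting depth as shown by the 1⤵/2⤵/3⤵ markers, PID, command line).
REPORT_TREE = [
    (1, 3000, r'"C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"'),
    (2, 2204, r'"C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp" '
              r'/SL5="$400F4,20782605,219136,C:\Users\Admin\AppData\Local\Temp\YNAB 4_4.3.857_Setup.exe"'),
    (3, 2500, r'"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"'),
    (1, 2952, r'"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"'),
    (1, 1852, r'"C:\Program Files (x86)\YNAB 4\YNAB 4.exe"'),
]

# Quoted image path followed by the remaining arguments.
IMAGE_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
# Inno Setup loader -> setup program hand-off: hex window handle ($...), two
# integer fields (the page does not state their meaning; left uninterpreted)
# and the path of the original setup executable.
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
# Inno Setup unpacks its setup program to %TEMP%\is-XXXXX.tmp\<name>.tmp
INNO_TMP_RE = re.compile(r'\\Temp\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$', re.IGNORECASE)


def build_tree(rows):
    """Turn (depth, pid, cmdline) rows into dicts with resolved parent PIDs."""
    procs, stack = [], []          # stack[i] is the PID open at depth i+1
    for depth, pid, cmd in rows:
        del stack[depth - 1:]      # pop back to this row's parent level
        m = IMAGE_RE.match(cmd)
        image, args = (m.group(1), m.group(2)) if m else (cmd, "")
        procs.append({"pid": pid, "ppid": stack[-1] if stack else None,
                      "image": image, "args": args})
        stack.append(pid)
    return procs


def parse_sl5(args):
    """Return the /SL5 fields as a dict, or None if the switch is absent."""
    m = SL5_RE.search(args)
    if not m:
        return None
    return {"hwnd": int(m.group(1), 16), "field_a": int(m.group(2)),
            "field_b": int(m.group(3)), "source": m.group(4)}


def inno_stage2_chains(procs):
    """(pid, ppid, consistent) for every process that looks like the Inno
    Setup stage-2 .tmp; consistent is True when the /SL5 source path equals
    the parent's image, which a genuine loader hand-off should satisfy."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        sl5 = parse_sl5(p["args"])
        if sl5 is None or not INNO_TMP_RE.search(p["image"]):
            continue
        parent = by_pid.get(p["ppid"])
        consistent = (parent is not None
                      and parent["image"].lower() == sl5["source"].lower())
        hits.append((p["pid"], p["ppid"], consistent))
    return hits


if __name__ == "__main__":
    for pid, ppid, ok in inno_stage2_chains(build_tree(REPORT_TREE)):
        print(f"pid {pid} (parent {ppid}): Inno Setup stage 2, "
              f"/SL5 source matches parent image: {ok}")
```

The same parser works on any Tria.ge-style tree copied into REPORT_TREE; a stage-2 .tmp whose /SL5 source does not point back at its parent, or that has no parent at all, is the case worth a second look, because a legitimate loader always passes its own path.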

Network

MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

            Filesize

            2.9MB

            MD5

            3f9585968be04fec46d1f0e3abe09b1b

            SHA1

            f8b3f7d8b8e81125629dcdc54c7aea378d61bca2

            SHA256

            d00b2eff90913e2997db239f8967b37a436ae3d5870f4f75d097ca79f89e89e2

            SHA512

            27dafd908224546f3884208b450e1726ef43a511e5b27432ef43ff1a6a1c9e8f2df925290bb68b4116bfea552324fdba2f14d0ac3cb53b90bb6c5650b90177d3

          • C:\Program Files (x86)\YNAB 4\META-INF\AIR\application.xml

            Filesize

            2KB

            MD5

            8f7487c76b681fba22a05c595f39b8bf

            SHA1

            87e7b04dde3a8fa5dbfa57c6b8b8f1bb8a64989d

            SHA256

            ebdf4f7eaded6a910cc811b77fd89653baee2402dbdeb282358dc208471ce255

            SHA512

            5b4c9d195e91e27f4d2bb3a215a1099c31e25f0576b55b7233fbf5a4b27bdcad0e7e1dffc3acb0fd7424c7dc8c0b8ad5a9cbbaeb2dc1db1584e32ad4aa5afc2e

          • C:\Program Files (x86)\YNAB 4\YNAB 4.exe

            Filesize

            128KB

            MD5

            030a3bc512c0981a90149c5e2db3f348

            SHA1

            3967e08c546a77f327997a30cd05cff1d3d0bddb

            SHA256

            3c3cf54b228c5ab5cdc62da694e56ec99ac3a3ff6e073521cec7e31980f5eb92

            SHA512

            bbaa807abedef894e4dd1b4b51411629ca4c2faea199e4b69402f7c20066a9c02d61f01f0f5e06f0c1947098e6f441fbf9fecfbe97b75dad6df7ff7bc4c25e24

          • C:\Program Files (x86)\YNAB 4\YNAB.swf

            Filesize

            1.1MB

            MD5

            a6857bd683c10362bf0513034dc6dd91

            SHA1

            cc3a1839aaf3389bd2881f819eba30a7fb9e9ef5

            SHA256

            51e077287100d014acad98cfd9b0e2af9bcf244e02ee1e17796c17c58e7af3dc

            SHA512

            7d57bbfb078100253cccc8ee9f04ff5a0075d085f07935539fe778d2d8be1f9e84625b2ee31b9f4d919f48bc3ac80a53b20cff55cc8ebad3c03412387f649e5e

          • C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp

            Filesize

            1007KB

            MD5

            64308ddd6c9807fd9bb0260c299b4072

            SHA1

            73a945f5b628103e76dfbeeac78fcc4bf27402cd

            SHA256

            7d204a50d0180545077609f87fbae45565e7f40dc857a123774609705ff488bb

            SHA512

            b246714b01450051498f3ac058a75eea6d9a9ea2694ca292e70238eb05645d20f8c45ec6cbf457dbb5363889ce2fc7538fcb48bbf42bc97f61d93787e531c503

          • \Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

            Filesize

            128KB

            MD5

            5230ff4bab65d45658816473c840b42c

            SHA1

            8893c1591a12b29c1f04b39970c710aeaf90755b

            SHA256

            8489bd42c4af2ddaf8fc23348f145dc7729b39eccffc1e1154805176854231c4

            SHA512

            32a1053a68cce9f5ff3a31b4704a829e655c0a2a031dface75a86b54124a7fc0d4fc283c682f4456e5efb62b7ab8f7b4d38a734401a48e22995e75524b2ec472

          • \Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

            Filesize

            1.6MB

            MD5

            8d631fce8d59ccf0a6425e2f5992fc50

            SHA1

            038a4c7e20ffb20bedc63bd1f6dc76ba8eeee66e

            SHA256

            1278e37b56ce892401c80105e0e00e89a0d9bdf03716e06ea28ff35a9a74d82a

            SHA512

            f8cc9c0dfb741eb993d109b9716e793dde583c1d0a5d6fcebc02c671dda73a8ab76fa5595617b994cbe4a2e1488f10eb21b1987038b9ff387f640c73646890f8

          • \Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll

            Filesize

            3.0MB

            MD5

            81df1976f97b334794f3ab1782701215

            SHA1

            338d051f59d028f7c9a89786d143405855e5288c

            SHA256

            6a340a1e99ed774082033c8d9ba9aa0fb3b55b7fd3bed5c61a093f491b40f70b

            SHA512

            6df325dd354e36533e322da22eabeeb29fd06f2d66f61ec229563b3cf391c6dcf052bd7b727e115054ed3e4446acac525336ed1560e51b777c110915f57d1344

          • \Program Files (x86)\YNAB 4\YNAB 4.exe

            Filesize

            211KB

            MD5

            8498b21d1c4582162ae4e100822babe5

            SHA1

            7f4e05fe9eacbbb8a4fca9baf2fb0a5b732fd03e

            SHA256

            160256d4687b59be6202de349e777aaeac5e93c037c41304f24d34883f2d5327

            SHA512

            0b5e7afeb082a4cc76bd0284203ee635fc17f2a4163655b19bba7c8cb7642cfa61ec16b8b5be87557d051d89400a8b7fcd77e48b7618263221303401c6db2db1

          • \Users\Admin\AppData\Local\Temp\is-I98OU.tmp\_isetup\_shfoldr.dll

            Filesize

            22KB

            MD5

            92dc6ef532fbb4a5c3201469a5b5eb63

            SHA1

            3e89ff837147c16b4e41c30d6c796374e0b8e62c

            SHA256

            9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

            SHA512

            9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          • \Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp

            Filesize

            1.2MB

            MD5

            29f9be62944155dbb6b0b4f07138ea96

            SHA1

            5095375e40047d1b0daa4527c5de271ab23cd2f0

            SHA256

            168e5bbfcc47229ae0375ece11b7c9dabeb0a6bc820058fc2c86f4682cd0388f

            SHA512

            fe9bf378c278986118a7e17d326c795796c6ff20e3c6770ceeffc5d3f948d552147e41d3364cb1e55919d1c54974d135e28fc0753fc555c56a6dd839e4b264fd

          • memory/1852-385-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-378-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-383-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-361-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-362-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-203-0x00000000001C0000-0x00000000001C1000-memory.dmp

            Filesize

            4KB

          • memory/1852-388-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-387-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-386-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-363-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-384-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-382-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-381-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-380-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-379-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-389-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-377-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-376-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-375-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-374-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-373-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-372-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-371-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-370-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-369-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-368-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/1852-367-0x0000000003670000-0x0000000003870000-memory.dmp

            Filesize

            2.0MB

          • memory/2204-14-0x00000000001D0000-0x00000000001D1000-memory.dmp

            Filesize

            4KB

          • memory/2204-85-0x0000000000400000-0x0000000000539000-memory.dmp

            Filesize

            1.2MB

          • memory/2500-79-0x0000000000240000-0x0000000000241000-memory.dmp

            Filesize

            4KB

          • memory/2952-215-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-247-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-270-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-272-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-274-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-276-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-278-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-280-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-282-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-284-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-266-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-264-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-262-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-260-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-258-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-256-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-254-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-251-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-249-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-268-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-245-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-243-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-241-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-239-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-237-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-235-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-233-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-231-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-229-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-227-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-225-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-223-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-90-0x0000000000230000-0x0000000000231000-memory.dmp

            Filesize

            4KB

          • memory/2952-213-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/2952-211-0x00000000038E0000-0x0000000003AE0000-memory.dmp

            Filesize

            2.0MB

          • memory/3000-1-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/3000-86-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB
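To confirm that a file in hand is the sample this report describes, or to check an installed copy against the dropped-file list, recompute the digests locally and compare them with the values above rather than trusting a filename. Several paths under Downloads are listed more than once with different sizes and hashes (Adobe AIR.dll four times, YNAB 4.exe and the setup .tmp twice each); the page does not say why, so a verifier should accept any listed version and report which one matched instead of assuming one is canonical. The script below is an added example, not part of the report; it uses only the standard library, with the expected values copied from this page. SSDEEP is left out because it needs a third-party library.

```python
"""Added example, not part of the report: recompute file digests and compare
them with the hashes listed on this page. Standard library only."""
import hashlib
import sys

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Copied from the General section above: the submitted installer.
SAMPLE_HASHES = {
    "md5": "a25c0a73350a99559f1e30c2f86ad0b9",
    "sha1": "e537d5658b67739724e5ee38f9075b453052f1cf",
    "sha256": "f3021e45c82d72bd139d86f6a68c96af201bedf53a373f183dca037003b9cdc6",
    "sha512": "7c5fc8e35fb0bb009c01fd9f4784bb2902b3298cd644fa8664c2fcfd44f2ad0d"
              "c0c20990f2d02408a1a3fdc9b8afcf80f433b8e23b9e988f5358266cf80a0de3",
}

# Copied from the Downloads section above: (path as listed, size as listed,
# SHA256). Duplicated paths are kept as separate entries on purpose.
REPORTED_FILES = [
    (r"C:\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll", "2.9MB",
     "d00b2eff90913e2997db239f8967b37a436ae3d5870f4f75d097ca79f89e89e2"),
    (r"C:\Program Files (x86)\YNAB 4\META-INF\AIR\application.xml", "2KB",
     "ebdf4f7eaded6a910cc811b77fd89653baee2402dbdeb282358dc208471ce255"),
    (r"C:\Program Files (x86)\YNAB 4\YNAB 4.exe", "128KB",
     "3c3cf54b228c5ab5cdc62da694e56ec99ac3a3ff6e073521cec7e31980f5eb92"),
    (r"C:\Program Files (x86)\YNAB 4\YNAB.swf", "1.1MB",
     "51e077287100d014acad98cfd9b0e2af9bcf244e02ee1e17796c17c58e7af3dc"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp", "1007KB",
     "7d204a50d0180545077609f87fbae45565e7f40dc857a123774609705ff488bb"),
    (r"\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll", "128KB",
     "8489bd42c4af2ddaf8fc23348f145dc7729b39eccffc1e1154805176854231c4"),
    (r"\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll", "1.6MB",
     "1278e37b56ce892401c80105e0e00e89a0d9bdf03716e06ea28ff35a9a74d82a"),
    (r"\Program Files (x86)\YNAB 4\Adobe AIR\Versions\1.0\Adobe AIR.dll", "3.0MB",
     "6a340a1e99ed774082033c8d9ba9aa0fb3b55b7fd3bed5c61a093f491b40f70b"),
    (r"\Program Files (x86)\YNAB 4\YNAB 4.exe", "211KB",
     "160256d4687b59be6202de349e777aaeac5e93c037c41304f24d34883f2d5327"),
    (r"\Users\Admin\AppData\Local\Temp\is-I98OU.tmp\_isetup\_shfoldr.dll", "22KB",
     "9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87"),
    (r"\Users\Admin\AppData\Local\Temp\is-RBJKR.tmp\YNAB 4_4.3.857_Setup.tmp", "1.2MB",
     "168e5bbfcc47229ae0375ece11b7c9dabeb0a6bc820058fc2c86f4682cd0388f"),
]


def digests(data):
    """All four digests of an in-memory blob, as lowercase hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def file_digests(path, chunk=1 << 20):
    """The same, streamed from disk so a 20MB installer is not read at once."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def is_reported_sample(d):
    """True only when every algorithm agrees with the report; one matching
    MD5 on its own is not enough to claim identity."""
    return all(d.get(a) == v for a, v in SAMPLE_HASHES.items())


def match_reported_file(sha256_hex):
    """Entries (path as listed, size as listed) whose SHA256 equals the given
    digest; for duplicated paths this tells you which version you hold."""
    sha256_hex = sha256_hex.lower()
    return [(p, s) for p, s, h in REPORTED_FILES if h == sha256_hex]


if __name__ == "__main__":
    for path in sys.argv[1:]:
        d = file_digests(path)
        print(path)
        print("  sha256:", d["sha256"])
        print("  is the submitted sample:", is_reported_sample(d))
        for rp, size in match_reported_file(d["sha256"]):
            print(f"  matches dropped file {rp} ({size})")
```

Run it as python verify_hashes.py <file> [<file> ...]. A file that matches none of the entries is simply one this report never saw, which is not a verdict either way; a match against the installer hashes is what lets you apply the rest of this page to the file you actually have.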