Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-03-2024 08:49
Static task
static1
Behavioral tasks
behavioral1: Sample Yolk.exe, Resource win7-20240221-en
behavioral2: Sample Yolk.exe, Resource win10v2004-20240226-en
behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240221-en
behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240226-en
General
Target: Yolk.exe
Size: 614KB
MD5: dc5a44ef4eb172240cdc8caf46c3b914
SHA1: e547ee256a1f4617959b1f1d0f7119b67d673793
SHA256: 02287bb15e2cdc4638209d969bd8b88693e47c6fa30fddb6039adaf649bfb4ad
SHA512: 77a5e75929f6f9bc2c14343d827ab0394b7d8bb46cec6760c96390cc3ae36a75d030b3d790ec5ae5b038fa7713a51fed6c23882589f8ac0d7f521bbdea251eb4
SSDEEP: 12288:M4mjiqrwQ5hiqPwKfCs0mduQmhbefpMCTLwAQz5UTN9ELRVOwPwilZMc/3:sTfuqPw8CsTmReh3FQ1C6LRVOHilZMcv
Malware Config
Signatures
Loads dropped DLL (1 IoC)
  pid 3716  Yolk.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 41  drive.google.com
  flow 42  drive.google.com
Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\masculate\stretman.ini  Yolk.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid 2108  Yolk.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 3716  Yolk.exe
  pid 2108  Yolk.exe
Suspicious use of SetThreadContext (4 IoCs)
  PID 3716 set thread context of 2108  3716 Yolk.exe  procid_target 101
  PID 2108 set thread context of 3472  2108 Yolk.exe  procid_target 57
  PID 2108 set thread context of 4352  2108 Yolk.exe  procid_target 106
  PID 4352 set thread context of 3472  4352 fltMC.exe  procid_target 57
Drops file in Windows directory (1 IoC)
  File opened for modification  C:\Windows\resources\0409\Rh33\varro\dissatisfying.ini  Yolk.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  Key created  \Registry\User\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  fltMC.exe
Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  Explorer.EXE
  Key created  \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid 2108  Yolk.exe  (repeated hits)
  pid 4352  fltMC.exe  (repeated hits)
Suspicious behavior: MapViewOfSection (8 IoCs)
  pid 3716  Yolk.exe
  pid 2108  Yolk.exe
  pid 3472  Explorer.EXE  (2 hits)
  pid 4352  fltMC.exe  (4 hits)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege  3472 Explorer.EXE
  Token: SeCreatePagefilePrivilege  3472 Explorer.EXE
  Token: SeShutdownPrivilege  3472 Explorer.EXE
  Token: SeCreatePagefilePrivilege  3472 Explorer.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3716 wrote to memory of 2108  3716 Yolk.exe  procid_target 101  (5 hits)
  PID 3472 wrote to memory of 4352  3472 Explorer.EXE  procid_target 106  (3 hits)
  PID 4352 wrote to memory of 3164  4352 fltMC.exe  procid_target 108  (3 hits)
Processes
C:\Windows\Explorer.EXE  "C:\Windows\Explorer.EXE"  (level 1, PID 3472)
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Yolk.exe  "C:\Users\Admin\AppData\Local\Temp\Yolk.exe"  (level 2, PID 3716)
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Yolk.exe  "C:\Users\Admin\AppData\Local\Temp\Yolk.exe"  (level 3, PID 2108)
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  C:\Windows\SysWOW64\fltMC.exe  "C:\Windows\SysWOW64\fltMC.exe"  (level 2, PID 4352)
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe  "C:\Program Files\Mozilla Firefox\Firefox.exe"  (level 3, PID 3164)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: a4dd044bcd94e9b3370ccf095b31f896
SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
SHA256: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512: 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a