Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted: 19-04-2024 07:22
Static task: static1
Behavioral task: behavioral1
  Sample: b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
  Resource: win10v2004-20240412-en
General
Target: b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
Size: 152KB
MD5: d2ae3500c76510d75b6d0c7fc4c11ff9
SHA1: f101a55d55ff777128e4405f8251ab40de90a0a6
SHA256: b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6
SHA512: 15da3ba37313526ec6df62ba9dc371e5c75fad55e14f35d3e9c4f922e1738fe56e9eeb6ab603b1eb63a49e9f293c00b84251ea3c3ed7ba154a54dc9dd26c8e9f
SSDEEP: 3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dIz:OPjEl6jLiQ1JW+Oy3p/k
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software  (1 IoC)
Detects file using ACProtect software.
Processes:
  resource: \??\c:\Program Files\aoswd\yswwv.dll
  yara_rule: acprotect
Deletes itself  (1 IoC)
Processes:
  pid   process
  4716  axszw.exe
Executes dropped EXE  (2 IoCs)
Processes:
  pid   process
  4716  axszw.exe
  4264  ysww.exe
Loads dropped DLL  (1 IoC)
Processes:
  pid   process
  4264  ysww.exe
Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and cookies.
Adds Run key to start application  (2 TTPs, 1 IoC)
Processes:
  process: ysww.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\aoswd\\ysww.exe \"c:\\Program Files\\aoswd\\yswwv.dll\",SetHandle"
Enumerates connected drives  (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc      process
  File opened (read-only)  \??\a:   ysww.exe
  File opened (read-only)  \??\b:   ysww.exe
Writes to the Master Boot Record (MBR)  (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                  process
  File opened for modification  \??\PHYSICALDRIVE0   ysww.exe
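A practitioner responding to this signature wants to confirm whether the first sector of PhysicalDrive0 actually changed, and what changed. The following is an added example, not part of the report and not the sandbox's own code: a Python MBR parser that validates the 0x55AA boot signature, hashes the boot-code area (leaving out the disk-signature bytes at offset 440, which Windows rewrites itself), decodes the partition table and diffs a current sector against a baseline. Both sectors here are constructed inside the script; the boot-code prologue, partition layout and tampering pattern are assumptions for illustration. On a real host the current sector would be read from \\.\PhysicalDrive0 with administrator rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440            # bytes 0..439: boot code. Bytes 440..445 hold the disk signature and
                          # reserved bytes, which Windows legitimately rewrites, so they are
                          # excluded from the hash to avoid false positives.
TABLE_OFF = 446           # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xAA"   # bytes 510..511


def parse_entry(entry):
    """Decode one partition-table entry: status, type, LBA start, sector count (CHS fields skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Validate the boot signature, hash the boot code and decode the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = parse_entry(sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)])
        if entry["type"] != 0:          # type 0 marks an unused slot
            partitions.append(entry)
    return {
        "boot_code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "bootable": [p for p in partitions if p["status"] == 0x80],
    }


def boot_code_diff(baseline, current):
    """Offsets inside the boot-code area where the two sectors disagree."""
    return [i for i in range(CODE_LEN) if baseline[i] != current[i]]


def build_mbr(boot_code, entries):
    """Assemble a constructed MBR for testing (not taken from any real disk)."""
    code = boot_code.ljust(TABLE_OFF, b"\x00")[:TABLE_OFF]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return code + table + SIGNATURE


# Constructed baseline: the usual MBR prologue (xor ax,ax / mov ss,ax / mov sp,7C00h)
# and one bootable NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [(0x80, 0x07, 2048, 0x100000)])

# Constructed "after" state: the first 16 bytes of boot code replaced by a short jump and a
# NOP sled, partition table untouched. This is the shape of a bootkit-style MBR write; the
# partitions still parse, so a partition-table check alone would not notice it.
_t = bytearray(CLEAN_MBR)
_t[0:16] = b"\xEB\x3C" + b"\x90" * 14
TAMPERED_MBR = bytes(_t)


def check_against_baseline(baseline_sector, current_sector):
    """Return (changed, diff_offsets) comparing a saved baseline with the current first sector.
    On a live Windows host: open(r"\\.\PhysicalDrive0", "rb").read(512), run as Administrator."""
    base = parse_mbr(baseline_sector)
    cur = parse_mbr(current_sector)
    changed = base["boot_code_sha256"] != cur["boot_code_sha256"]
    return changed, boot_code_diff(baseline_sector, current_sector)


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(check_against_baseline(CLEAN_MBR, TAMPERED_MBR))
```

The baseline hash should be captured from a known-good image of the same machine (or the installer's MBR), since boot code differs between Windows versions and third-party boot managers; a changed hash with an unchanged partition table is the pattern to escalate.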
Drops file in Program Files directory  (4 IoCs)
Processes:
  description                   ioc                                     process
  File created                  \??\c:\Program Files\aoswd\ysww.exe     axszw.exe
  File opened for modification  \??\c:\Program Files\aoswd\ysww.exe     axszw.exe
  File opened for modification  \??\c:\Program Files\aoswd              axszw.exe
  File created                  \??\c:\Program Files\aoswd\yswwv.dll    axszw.exe
Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      ysww.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ysww.exe
Runs ping.exe  (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses  (4 IoCs)
Processes:
  pid   process
  4264  ysww.exe
  4264  ysww.exe
  4264  ysww.exe
  4264  ysww.exe
Suspicious use of AdjustPrivilegeToken  (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4264  ysww.exe
Suspicious use of SetWindowsHookEx  (2 IoCs)
Processes:
  pid   process
  2256  b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
  4716  axszw.exe
Suspicious use of WriteProcessMemory  (12 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 2256 wrote to memory of 2460  2256  b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe   cmd.exe
  PID 2256 wrote to memory of 2460  2256  b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe   cmd.exe
  PID 2256 wrote to memory of 2460  2256  b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe   cmd.exe
  PID 2460 wrote to memory of 4792  2460  cmd.exe                                                                 PING.EXE
  PID 2460 wrote to memory of 4792  2460  cmd.exe                                                                 PING.EXE
  PID 2460 wrote to memory of 4792  2460  cmd.exe                                                                 PING.EXE
  PID 2460 wrote to memory of 4716  2460  cmd.exe                                                                 axszw.exe
  PID 2460 wrote to memory of 4716  2460  cmd.exe                                                                 axszw.exe
  PID 2460 wrote to memory of 4716  2460  cmd.exe                                                                 axszw.exe
  PID 4716 wrote to memory of 4264  4716  axszw.exe                                                               ysww.exe
  PID 4716 wrote to memory of 4264  4716  axszw.exe                                                               ysww.exe
  PID 4716 wrote to memory of 4264  4716  axszw.exe                                                               ysww.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\axszw.exe "C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1 -n 2
            - Runs ping.exe
        [3] C:\Users\Admin\AppData\Local\Temp\axszw.exe
            command line: C:\Users\Admin\AppData\Local\Temp\\axszw.exe "C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
            - Deletes itself
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] \??\c:\Program Files\aoswd\ysww.exe
                command line: "c:\Program Files\aoswd\ysww.exe" "c:\Program Files\aoswd\yswwv.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\axszw.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Enumerates connected drives
                - Writes to the Master Boot Record (MBR)
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
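The process tree above is what the sandbox derives from its WriteProcessMemory log, and the Run value it recorded is the persistence an analyst has to report. As an added example (not part of the report, and not the sandbox's own code), the Python below rebuilds that tree from raw "PID X wrote to memory of Y" rows, collapsing the triplicated entries, prints the execution chain down to ysww.exe, and splits the Run value into host EXE, DLL path and export name. That value uses the same `"<dll>",<Export>` argument syntax rundll32.exe takes, but with a dropped host executable standing in for rundll32. The sample rows and the Run value are copied from this report; the parsing functions and their names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed from the "Suspicious use of WriteProcessMemory" rows of this report;
# the sandbox logs each write three times, so duplicate rows are expected input.
SAMPLE = "b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
WRITE_EVENTS = "\n".join([
    f"PID 2256 wrote to memory of 2460 2256 {SAMPLE} cmd.exe",
    f"PID 2256 wrote to memory of 2460 2256 {SAMPLE} cmd.exe",
    f"PID 2256 wrote to memory of 2460 2256 {SAMPLE} cmd.exe",
    "PID 2460 wrote to memory of 4792 2460 cmd.exe PING.EXE",
    "PID 2460 wrote to memory of 4792 2460 cmd.exe PING.EXE",
    "PID 2460 wrote to memory of 4716 2460 cmd.exe axszw.exe",
    "PID 4716 wrote to memory of 4264 4716 axszw.exe ysww.exe",
])

# Row layout: "PID <src> wrote to memory of <dst> <src again> <src name> <dst name>"
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_write_events(text):
    """Collapse the logged rows into unique (src_pid, dst_pid) -> (src_name, dst_name) edges."""
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, dst, src_name, dst_name = m.groups()
            edges[(int(src), int(dst))] = (src_name, dst_name)
    return edges


def process_names(edges):
    """pid -> image name, from both ends of every edge."""
    names = {}
    for (src, dst), (src_name, dst_name) in edges.items():
        names[src] = src_name
        names[dst] = dst_name
    return names


def build_tree(edges):
    """Treat each write as parent -> child; return (roots, children) with pids as keys."""
    children = defaultdict(list)
    has_parent = set()
    for src, dst in edges:
        children[src].append(dst)
        has_parent.add(dst)
    roots = [pid for pid in process_names(edges) if pid not in has_parent]
    return roots, children


def render_tree(edges):
    """Indented text tree, one line per process, in log order."""
    names = process_names(edges)
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def chain_to(pid, edges):
    """Image names from the root down to `pid`: the execution chain an analyst reports."""
    names = process_names(edges)
    parent = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[-1] in parent and len(chain) <= len(names):   # length guard against cycles
        chain.append(parent[chain[-1]])
    return [names[p] for p in reversed(chain)]


# The Run value from this report, unescaped to the form it has in the registry.
RUN_VALUE = r'c:\Program Files\aoswd\ysww.exe "c:\Program Files\aoswd\yswwv.dll",SetHandle'
# Host path may contain spaces, so it is matched lazily up to the first ".exe".
RUN_RE = re.compile(r'^(?P<host>.+?\.exe)\s+"(?P<dll>[^"]+)",(?P<export>\w+)', re.IGNORECASE)


def parse_run_value(value):
    """Split a rundll32-style autorun command into host EXE, DLL path and export, or None."""
    m = RUN_RE.match(value.strip())
    if not m:
        return None
    return {k: m.group(k) for k in ("host", "dll", "export")}


if __name__ == "__main__":
    edges = parse_write_events(WRITE_EVENTS)
    print("\n".join(render_tree(edges)))
    print(" -> ".join(chain_to(4264, edges)))
    print(parse_run_value(RUN_VALUE))
```

The same `parse_run_value` check applied to Run and RunOnce values collected from a host flags any entry whose host is not rundll32.exe but still passes a `"<dll>",<Export>` argument, which is the pattern this sample's persistence uses.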
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Program Files\aoswd\ysww.exe
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
C:\Users\Admin\AppData\Local\Temp\axszw.exe
  Filesize: 153KB
  MD5: 74e8d003edde5dc345f8d7e09f850ed1
  SHA1: 9a61d8f77777caef166f86cd01156ee714520f23
  SHA256: d51543d91bbcc197d50d361e3b76d7b8371fcd57d58497c043a12f27548c6f6a
  SHA512: 1bdcb523e2c84d6c3504b19f49093cff375e79e7ba82274d345c1a3c394fb3e2a71fd13a7fb436c2dd2db508d6d53ba7864646980519fbd9310c825b223839be
\??\c:\Program Files\aoswd\yswwv.dll
  Filesize: 128KB
  MD5: 751d7896341061c4b9575b4924707279
  SHA1: 9b250ad0e6840dccf2f125698a24540791badb71
  SHA256: 858c3ae27cd16b926e733592399a10cc3f4bc34a55107b59d65f3e5582cdd5c0
  SHA512: 4626be1c090ee37232c93c1fab7c8eeb4c3fab1966f36eda41e1a71ee36f11da0b6d542e3030aa4ab714e0f89bdb2a95e47430a42dede9e3a3f0dea190e0056a
memory/2256-0-0x0000000000400000-0x000000000042F036-memory.dmp
  Filesize: 188KB
memory/2256-2-0x0000000000400000-0x000000000042F036-memory.dmp
  Filesize: 188KB
memory/4264-15-0x0000000010000000-0x0000000010048000-memory.dmp
  Filesize: 288KB
memory/4264-16-0x0000000010000000-0x0000000010048000-memory.dmp
  Filesize: 288KB
memory/4264-18-0x0000000010000000-0x0000000010048000-memory.dmp
  Filesize: 288KB
memory/4716-6-0x0000000000400000-0x000000000042F036-memory.dmp
  Filesize: 188KB
memory/4716-11-0x0000000000400000-0x000000000042F036-memory.dmp
  Filesize: 188KB