b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6

General

Target

b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
Size

152KB
MD5

d2ae3500c76510d75b6d0c7fc4c11ff9
SHA1

f101a55d55ff777128e4405f8251ab40de90a0a6
SHA256

b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6
SHA512

15da3ba37313526ec6df62ba9dc371e5c75fad55e14f35d3e9c4f922e1738fe56e9eeb6ab603b1eb63a49e9f293c00b84251ea3c3ed7ba154a54dc9dd26c8e9f
SSDEEP

3072:oZpYg19EeiLLmjempGuCYooEK1JWaCItULG3rt2Wcora4dIz:OPjEl6jLiQ1JW+Oy3p/k

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\??\c:\Program Files\aoswd\yswwv.dll	acprotect

Deletes itself 1 IoCs

Processes:

axszw.exe

pid process

4716 axszw.exe
Executes dropped EXE 2 IoCs

Processes:

axszw.exeysww.exe

pid process

4716 axszw.exe
4264 ysww.exe
Loads dropped DLL 1 IoCs

Processes:

ysww.exe

pid process

4264 ysww.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4716	axszw.exe

pid	process
4716	axszw.exe
4264	ysww.exe

pid	process
4264	ysww.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ysww.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Linycpy = "c:\\Program Files\\aoswd\\ysww.exe \"c:\\Program Files\\aoswd\\yswwv.dll\",SetHandle"	ysww.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

ysww.exe

description ioc process

File opened (read-only) \??\a: ysww.exe
File opened (read-only) \??\b: ysww.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ysww.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 ysww.exe

description	ioc	process
File opened (read-only)	\??\a:	ysww.exe
File opened (read-only)	\??\b:	ysww.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	ysww.exe

Drops file in Program Files directory 4 IoCs

Processes:

axszw.exe

description	ioc	process
File created	\??\c:\Program Files\aoswd\ysww.exe	axszw.exe
File opened for modification	\??\c:\Program Files\aoswd\ysww.exe	axszw.exe
File opened for modification	\??\c:\Program Files\aoswd	axszw.exe
File created	\??\c:\Program Files\aoswd\yswwv.dll	axszw.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ysww.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ysww.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ysww.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4792 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ysww.exe

pid process

4264 ysww.exe
4264 ysww.exe
4264 ysww.exe
4264 ysww.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ysww.exe

description pid process

Token: SeDebugPrivilege 4264 ysww.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exeaxszw.exe

pid process

2256 b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
4716 axszw.exe

pid	process
4792	PING.EXE

pid	process
4264	ysww.exe
4264	ysww.exe
4264	ysww.exe
4264	ysww.exe

description	pid	process
Token: SeDebugPrivilege	4264	ysww.exe

pid	process
2256	b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
4716	axszw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.execmd.exeaxszw.exe

description	pid	process	target process
PID 2256 wrote to memory of 2460	2256	b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe	cmd.exe
PID 2256 wrote to memory of 2460	2256	b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe	cmd.exe
PID 2256 wrote to memory of 2460	2256	b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe	cmd.exe
PID 2460 wrote to memory of 4792	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 4792	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 4792	2460	cmd.exe	PING.EXE
PID 2460 wrote to memory of 4716	2460	cmd.exe	axszw.exe
PID 2460 wrote to memory of 4716	2460	cmd.exe	axszw.exe
PID 2460 wrote to memory of 4716	2460	cmd.exe	axszw.exe
PID 4716 wrote to memory of 4264	4716	axszw.exe	ysww.exe
PID 4716 wrote to memory of 4264	4716	axszw.exe	ysww.exe
PID 4716 wrote to memory of 4264	4716	axszw.exe	ysww.exe

C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe
"C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\axszw.exe "C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:4792

C:\Users\Admin\AppData\Local\Temp\axszw.exe
C:\Users\Admin\AppData\Local\Temp\\axszw.exe "C:\Users\Admin\AppData\Local\Temp\b4ac3a06dcd0a654e17c8d7065ed55c72e2bab72ddb12bca646c03b872a9a4c6.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716

\??\c:\Program Files\aoswd\ysww.exe
"c:\Program Files\aoswd\ysww.exe" "c:\Program Files\aoswd\yswwv.dll",SetHandle C:\Users\Admin\AppData\Local\Temp\axszw.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aoswd\ysww.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Users\Admin\AppData\Local\Temp\axszw.exe
Filesize
153KB

MD5
74e8d003edde5dc345f8d7e09f850ed1

SHA1
9a61d8f77777caef166f86cd01156ee714520f23

SHA256
d51543d91bbcc197d50d361e3b76d7b8371fcd57d58497c043a12f27548c6f6a

SHA512
1bdcb523e2c84d6c3504b19f49093cff375e79e7ba82274d345c1a3c394fb3e2a71fd13a7fb436c2dd2db508d6d53ba7864646980519fbd9310c825b223839be

Download Submit
\??\c:\Program Files\aoswd\yswwv.dll
Filesize
128KB

MD5
751d7896341061c4b9575b4924707279

SHA1
9b250ad0e6840dccf2f125698a24540791badb71

SHA256
858c3ae27cd16b926e733592399a10cc3f4bc34a55107b59d65f3e5582cdd5c0

SHA512
4626be1c090ee37232c93c1fab7c8eeb4c3fab1966f36eda41e1a71ee36f11da0b6d542e3030aa4ab714e0f89bdb2a95e47430a42dede9e3a3f0dea190e0056a

Download Submit
memory/2256-0-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/2256-2-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/4264-15-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4264-16-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4264-18-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4716-6-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download
memory/4716-11-0x0000000000400000-0x000000000042F036-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads