fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

General

Target

fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
Size

192KB
MD5

9e8baf127b832943d4fae218ce90191a
SHA1

449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70
SHA256

fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0
SHA512

9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114
SSDEEP

6144:b05H0JNb+gzTy9ZRTbPG9rYxf2hnbSayKTTfq+T/ur:A+uHG9rYxf2hnbSayKTTfq+T/ur

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe

Executes dropped EXE 2 IoCs

Processes:

yar.exeyar.exe

pid process

4768 yar.exe
1688 yar.exe

pid	process
4768	yar.exe
1688	yar.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yar = "C:\\Users\\Admin\\AppData\\Roaming\\yar.exe"	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1536 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4920 timeout.exe

pid	process
1536	schtasks.exe

pid	process
4920	timeout.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exeyar.exeyar.exe

description	pid	process
Token: SeDebugPrivilege	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
Token: SeDebugPrivilege	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
Token: SeDebugPrivilege	4768	yar.exe
Token: SeDebugPrivilege	1688	yar.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.execmd.exe

description	pid	process	target process
PID 2724 wrote to memory of 1536	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe	schtasks.exe
PID 2724 wrote to memory of 1536	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe	schtasks.exe
PID 2724 wrote to memory of 2120	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe	schtasks.exe
PID 2724 wrote to memory of 2120	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe	schtasks.exe
PID 2724 wrote to memory of 4368	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe	cmd.exe
PID 2724 wrote to memory of 4368	2724	fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe	cmd.exe
PID 4368 wrote to memory of 4920	4368	cmd.exe	timeout.exe
PID 4368 wrote to memory of 4920	4368	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe
"C:\Users\Admin\AppData\Local\Temp\fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1536
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "yar"
  2⤵
  PID:2120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1C.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4920

C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yar.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1C.tmp.bat

Filesize
215B

MD5
c1c6a86da12e4595aafbb3300b21abe8

SHA1
cc8f7e3a59590564aa367df4bde457b8991636ad

SHA256
d99b9db6902341158e73e20b66208322528a4284280b330af20b1363388cb50d

SHA512
25172cb2706aae44d0f775b0a4eed0e4fb138f84e5bec34938f410e504d8e2833a40e9be4b9f68d3f6fbaf0e45bc8f8ae154185075f234f68b6d5a920af942ba

Download Submit
C:\Users\Admin\AppData\Roaming\yar.exe

Filesize
192KB

MD5
9e8baf127b832943d4fae218ce90191a

SHA1
449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70

SHA256
fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

SHA512
9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114

Download Submit
memory/2724-1-0x0000000000DE0000-0x0000000000E18000-memory.dmp

Filesize
224KB

Download
memory/2724-0-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

Filesize
8KB

Download
memory/2724-2-0x00000000013B0000-0x00000000013B6000-memory.dmp

Filesize
24KB

Download
memory/2724-3-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

Filesize
10.8MB

Download
memory/2724-5-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

Filesize
8KB

Download
memory/2724-6-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

Filesize
10.8MB

Download
memory/2724-17-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

Filesize
10.8MB

Download
memory/4768-9-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

Filesize
10.8MB

Download
memory/4768-11-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads