Analysis

max time kernel: 1049s
max time network: 878s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-06-2024 11:48

Static task: static1
Behavioral task: behavioral1
Sample: YandereSimulatorLauncher.exe
Resource: win11-20240426-en
General

Target: YandereSimulatorLauncher.exe
Size: 4.7MB
MD5: ab495cbad9cce547dc6b9d53d375305d
SHA1: 558090bb37ad5d7eca7579268695363f380bf81e
SHA256: f4911aca41a0bf0a0aea29ef832965123d794bac2e8c6e9f36986f640c45f19b
SHA512: 3e90c455ada7ad2eaeba31d330c875cb945babb55dce613aa900e1178438499eb4883e8f07bec760f621283daa3f6a41904a2e96bf70e10b7cf8a14091cff85b
SSDEEP: 98304:ZRXG+U5FP7zOnKWjcghx10+HvYOumBfEzsTb6S6yhv1M9lc:5UzfOKWF3gOumBf/lbv69
Malware Config
(section empty in this report: no family configuration was extracted from the sample)
Signatures

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
Process: YandereSimulatorLauncher.exe
ioc (in report order): \??\M:, \??\N:, \??\R:, \??\T:, \??\U:, \??\W:, \??\B:, \??\I:, \??\J:, \??\O:, \??\Q:, \??\E:, \??\H:, \??\K:, \??\S:, \??\X:, \??\A:, \??\G:, \??\L:, \??\P:, \??\V:, \??\Y:, \??\Z:
The 23 roots cover every drive letter from A: to Z: except C:, D: and F:, i.e. a blind sweep of the letter space rather than a lookup of a known path. Installers and game launchers produce the same pattern when probing for existing installs or free space, as does malware looking for removable or network media, so on its own this signature is low severity.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | YandereSimulatorLauncher.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | YandereSimulatorLauncher.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | YandereSimulatorLauncher.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | YandereSimulatorLauncher.exe
The only value actually read is ~MHz of CPU 0, which applications and frameworks also read to populate system-information or telemetry fields. Stronger sandbox-evasion tells (core count, hypervisor vendor strings, VM device names) do not appear among the listed IoCs.
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3062789476-783164490-2318012559-1000\{9AE84341-125F-4F62-8B93-9052875AEC9E} | YandereSimulatorLauncher.exe
The key sits under the AppModel deployment state for the sandbox user's SID (S-1-5-21-...-1000); it is not a Run key, COM hijack or file-association change and does not by itself indicate persistence.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3108 | YandereSimulatorLauncher.exe
Token: SeCreatePagefilePrivilege | 3108 | YandereSimulatorLauncher.exe
(the two entries above repeat in strict alternation throughout the listing and account for all but the three entries below)
Token: SeDebugPrivilege | 3108 | YandereSimulatorLauncher.exe
Token: 33 | 1684 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1684 | AUDIODG.EXE
"Token: 33" is a privilege the sandbox did not resolve to a name; LUID 33 in winnt.h is SeIncreaseWorkingSetPrivilege. AUDIODG.EXE is the Windows audio engine host, and its two adjustments are its own behaviour rather than something the sample did to it. The one entry worth chasing is SeDebugPrivilege on the sample's own process (pid 3108), since that privilege is what opening other processes for memory reading or injection requires; no signature for cross-process access or injection appears elsewhere in this report.
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3108 | YandereSimulatorLauncher.exe
Locating the taskbar window (Shell_TrayWnd) is routine for GUI applications that place tray icons or position windows; the signature is informational unless paired with window-message injection, which this report does not list.
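The report flattens each signature's IoC table into one run of "description ioc Process" text, which makes the drive sweep and the privilege usage hard to reason about by eye. The following is an added example, not part of the sandbox's output or the sample, that parses that flattened layout back into records and re-derives the two headline findings: how many non-default drive roots a single process touched (the shape of the "Enumerates connected drives" heuristic; the threshold of three is this example's choice) and which processes adjusted which privileges, with numeric LUIDs such as "Token: 33" resolved from winnt.h values. The IoC text it runs on is a shortened, constructed excerpt in the page's layout; the C: entry is added only to show the default drive being excluded.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpts of the report's flattened "description ioc Process" text.
# They keep the page's layout but are shortened; the C: entry is added here only
# to show that the default drive is excluded from the count.
DRIVE_IOCS = (
    "description ioc Process "
    "File opened (read-only) \\??\\M: YandereSimulatorLauncher.exe "
    "File opened (read-only) \\??\\N: YandereSimulatorLauncher.exe "
    "File opened (read-only) \\??\\R: YandereSimulatorLauncher.exe "
    "File opened (read-only) \\??\\T: YandereSimulatorLauncher.exe "
    "File opened (read-only) \\??\\E: YandereSimulatorLauncher.exe "
    "File opened (read-only) \\??\\A: YandereSimulatorLauncher.exe "
    "File opened (read-only) \\??\\C: YandereSimulatorLauncher.exe"
)
TOKEN_IOCS = (
    "description pid Process "
    "Token: SeShutdownPrivilege 3108 YandereSimulatorLauncher.exe "
    "Token: SeCreatePagefilePrivilege 3108 YandereSimulatorLauncher.exe "
    "Token: SeShutdownPrivilege 3108 YandereSimulatorLauncher.exe "
    "Token: SeCreatePagefilePrivilege 3108 YandereSimulatorLauncher.exe "
    "Token: SeDebugPrivilege 3108 YandereSimulatorLauncher.exe "
    "Token: 33 1684 AUDIODG.EXE "
    "Token: SeIncBasePriorityPrivilege 1684 AUDIODG.EXE"
)

# "File opened (<mode>) \??\X: <process>" as the report flattens it.
DRIVE_RE = re.compile(r"File opened \(([\w-]+)\) \\\?\?\\([A-Z]): (\S+)")
# "Token: <privilege-name-or-LUID> <pid> <process>"
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Privilege LUID values from winnt.h, used to resolve entries the sandbox left
# numeric (the report shows "Token: 33" for AUDIODG.EXE).
PRIVILEGE_LUIDS = {
    14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege",
    19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
}


def parse_drive_opens(text):
    """Return (drive_letter, process) pairs in report order."""
    return [(letter, proc) for _mode, letter, proc in DRIVE_RE.findall(text)]


def enumerated_drives(text, default_drive="C"):
    """Map each process to the sorted non-default drive roots it opened."""
    per_proc = defaultdict(set)
    for letter, proc in parse_drive_opens(text):
        if letter != default_drive:
            per_proc[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in per_proc.items()}


def flags_drive_enumeration(text, min_drives=3):
    """Processes that swept at least `min_drives` non-default roots: the shape of
    the 'Enumerates connected drives' heuristic (the threshold is this example's)."""
    return sorted(proc for proc, letters in enumerated_drives(text).items()
                  if len(letters) >= min_drives)


def resolve_privilege(name):
    """Turn a numeric LUID into its privilege name; pass names through unchanged."""
    if name.isdigit():
        return PRIVILEGE_LUIDS.get(int(name), f"LUID-{name}")
    return name


def privilege_summary(text):
    """(pid, process) -> Counter of privileges adjusted, with LUIDs resolved."""
    summary = defaultdict(Counter)
    for priv, pid, proc in TOKEN_RE.findall(text):
        summary[(int(pid), proc)][resolve_privilege(priv)] += 1
    return dict(summary)


def pids_adjusting(text, privilege="SeDebugPrivilege"):
    """PIDs that touched a given privilege; SeDebugPrivilege is the one worth
    chasing, since cross-process memory access and injection need it."""
    return sorted(pid for (pid, _proc), privs in privilege_summary(text).items()
                  if privs[privilege])


if __name__ == "__main__":
    print("drives per process:", enumerated_drives(DRIVE_IOCS))
    print("drive-sweep processes:", flags_drive_enumeration(DRIVE_IOCS))
    for key, privs in privilege_summary(TOKEN_IOCS).items():
        print(key, dict(privs))
    print("SeDebugPrivilege adjusted by:", pids_adjusting(TOKEN_IOCS))
```

Pointing `DRIVE_IOCS` and `TOKEN_IOCS` at the full listings from the report gives the 23-root sweep for pid 3108 and the per-process privilege counts directly; the regexes rely on process names containing no spaces, which holds for the flattened Triage layout but should be checked before reusing them on other report formats.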
Processes

1. C:\Users\Admin\AppData\Local\Temp\YandereSimulatorLauncher.exe (PID 3108, tree depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\YandereSimulatorLauncher.exe"
   - Enumerates connected drives
   - Checks processor information in registry
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

2. C:\Windows\system32\AUDIODG.EXE (PID 1684, tree depth 1)
   Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004E0
   - Suspicious use of AdjustPrivilegeToken

Both entries sit at depth 1, so AUDIODG.EXE is not a child of the sample; it is the audio engine host started by the Windows audio service, and its presence is consistent with the launcher producing sound. The sample itself spawns no child processes in this run.
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 256KB
MD5: 1a0295014678e91e7fea0a79074d6ffc
SHA1: f93a33dfd19a09d92174a17f0912440ddb1479a0
SHA256: fba2e401545352472136e5c71b0596b9125ddcfe2b87c439d8567cb2dad16745
SHA512: d7aec99cf127bf009bad534f293b65ce93ed08c650312a32ea670b0cf09dcaa0906962d9b29ce6c078396885e8ce55bf5ae5598c2480fd508ebddd111bd6c882

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 2.5MB
MD5: 42d071324f3a2d8ee2f67c49fded4f32
SHA1: 2f91d68905ede16c22bdad2687f3df38641b2706
SHA256: 15d880ab2da5eecc1ea9d3349341eefd6d19118c772da1314ce09f1febb0df90
SHA512: ccdf815463b30deb7c1d4afa292b0dc7735ce7218ce17d339bd8c103f2b72d1f59f50f0d9aee72c63bf6282dbea08cd8b00867c596150a16f04c2747e56e7577