61fc5dd1e9e68899f94d104f97ec645915155281f46fb8b196197752c269e4a4

General

Target

Ykraine.exe
Size

285KB
MD5

a3b7f598164d20a997b359898c4e3117
SHA1

4f4880961c4228af91ab1e84e14df3a778ad2fa4
SHA256

61fc5dd1e9e68899f94d104f97ec645915155281f46fb8b196197752c269e4a4
SHA512

e0401fb98133f0ed04586f2b158fe17eeb8684fe2b95021fdcf255158743e08db6c0a12fa684d3733342318d960f42fea25b99555d59ff6c8012b22f20dbc6d1
SSDEEP

6144:LjyGJCMfnZtZ6yrsAqRuIGa1TGOh8gj0DSA90GIlACUGgTl1mfcsoS:LmcnZt8yJqRuIT1C/40DPCLACUGgB1mJ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2264-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2264-40-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2696	WScript.exe
Token: SeIncBasePriorityPrivilege	2696	WScript.exe
Token: SeDebugPrivilege	3060	taskmgr.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe
3060	taskmgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1840	2264	Ykraine.exe	28
PID 2264 wrote to memory of 1840	2264	Ykraine.exe	28
PID 2264 wrote to memory of 1840	2264	Ykraine.exe	28
PID 2264 wrote to memory of 1840	2264	Ykraine.exe	28
PID 1840 wrote to memory of 2696	1840	cmd.exe	30
PID 1840 wrote to memory of 2696	1840	cmd.exe	30
PID 1840 wrote to memory of 2696	1840	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\Ykraine.exe
"C:\Users\Admin\AppData\Local\Temp\Ykraine.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FAA4.tmp\FAA5.tmp\FAA6.bat C:\Users\Admin\AppData\Local\Temp\Ykraine.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\3.VBS"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FAA4.tmp\FAA5.tmp\FAA6.bat

Filesize
27B

MD5
7a5295d57ef4b05966f1d38e6ca27e3e

SHA1
2c4bf1d950942f774db103298bc8361a43e6a095

SHA256
864b0f302d3d30f02251779c64e23f02690b4e7e6195fdb126ede1d151b39d71

SHA512
95742bb8c4d39ba097294b51503ce65a20cf6ec42729cf516f942d6022279d712e3e9fad3c82e3178b0e9cbd7ef3def5f6067db090586cfc25e8f7d59f9c7722

Download Submit
C:\Users\Admin\AppData\Roaming\3.VBS

Filesize
113B

MD5
9c57cc702f58fb9b64dc76ec5089c79a

SHA1
a468d345c9876760184b061a1532fb673c60a7be

SHA256
81e7c9a93edd2121dea400df4c657fbcca573e02268a11be454576026935783f

SHA512
cac3766f84283b63818feb1e4a2c3beb503f444296d30a28d0cb1247a77250add522949171fec1984ae866e77ced86ff10c676915d3391d91c46f93a5329d710

Download Submit
C:\Users\Admin\AppData\Roaming\f.mp3

Filesize
242KB

MD5
600a04c10c4a486735a34181cc516578

SHA1
dc155b4356443cf35ab633f44b7221c0bd37042f

SHA256
abd2b31b6e487b46ba476e43ef35f1976c902c765f835cd9d31b8011867b284c

SHA512
7cd6211b2a73769632d82d6b90f88a0f01b9ab527b9838e3532b6c53221f7deb0da64de8db4db578133b12fd352f54554b4046b8fd6d20ed870959c8d276e0c7

Download Submit
memory/2264-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2264-40-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2696-39-0x000007FEF5D4C000-0x000007FEF5D57000-memory.dmp

Filesize
44KB

Download
memory/2696-41-0x000007FEF5D4C000-0x000007FEF5D57000-memory.dmp

Filesize
44KB

Download
memory/2696-44-0x000007FEF5D4C000-0x000007FEF5D57000-memory.dmp

Filesize
44KB

Download
memory/3060-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3060-46-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing