General
Target: yfga_game.exe
Size: 10.9MB
Sample: 240715-kxtybaybnj
MD5: f24b9a4537d2cf5cd04db5ef80453dd8
SHA1: 69b201dd4b919afbb4bbe3a19e3e80097e2813bc
SHA256: f31ffc12e2212bd27a5e636aa3667451fe1772bea79cf411eea54b84ac31f107
SHA512: 84936e358accff1767411b019639741ed051e7102a2ebde8bc6e74f87adc3e3f36495538ff53edd181eb9e48256a373f0e06da65ce0824680ff631fe09db90f1
SSDEEP: 196608:Zw81jWusNrPGC0ePjqHbUjHicQskqPe1Cxcxk3ZAEUadzR8yc4ghrl:O8tWhTr0eqgDiDjqG1Fxk3mEUadzRURH
Static task: static1
Behavioral task: behavioral1 (sample yfga_game.exe, resource win7-20240705-en)
Behavioral task: behavioral2 (sample yfga_game.exe, resource win10v2004-20240709-en)
Malware Config (extracted)
Path: C:\Users\Admin\Desktop\yfga_game_c067ea18-32a0-4be7-9061-20af825cbd85\@[email protected]
Family: wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
Target: yfga_game.exe
Signatures:
- Modifies visibility of hidden/system files in Explorer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Possible privilege escalation attempt
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (technique: event count)
Persistence
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
Defense Evasion
- Direct Volume Access: 1
- File and Directory Permissions Modification: 2
  - Windows File and Directory Permissions Modification: 1
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Indicator Removal: 2
  - File Deletion: 2
- Modify Registry: 8
- Subvert Trust Controls: 1
  - Install Root Certificate: 1