db095ed9c0740d273fd252bb0a810fe27d775867056fe91b1dd8363c82e2ba3e

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMPImages/ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
Size

1.4MB
MD5

bf65dfb2aeda35035da3da41e915ae9b
SHA1

93ea59d699dd09a12e7c8564a3f099c8dd3eca2e
SHA256

f428afbb4557bc04306fda55b5cab2c9e0fbe3565c5f4915d671acd725475c5a
SHA512

da329070bb96eafc954d150bc24afaa5569bb66a92a7445b16e20c527df52792ac94345dec7937502cf717df6d954bc340696d38e0cbb7d2e390a16ad20274e4
SSDEEP

24576:xOAQjtWVKLnTxTybPswTYzrhA1ot6yAW1liYiCKXXbQMTfz4sz4NJpsVucT1hG:4AEsKLVTybPswErhM3yAW1loLQQL4sz0

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe

Loads dropped DLL 19 IoCs

pid	Process
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
4812	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe

C:\Users\Admin\AppData\Local\Temp\$TEMPImages\ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPImages\ytb_7.0.9.0_1.5.1_pub_uber_setup_.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsnA6D0.tmp\InstallOptions.dll

Filesize
12KB

MD5
29459d9ee2bce32ed937fb1f965f9d5e

SHA1
8fff45ed45f3af8f8c248eba9a1c02c9c5fc911d

SHA256
ad07968b7d93ef19e10e1deb52e0c912e96dde30c0a49a0239daf176fd4c9ef5

SHA512
d4ef4eadb0f53e7086a1d242bf7f745ad79d83d9ecbfaa283cf0dd499271a804589a575040bb20d5c98e86197cc65ca05ab1a358c556ea82a3e297d0255015a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA6D0.tmp\System.dll

Filesize
9KB

MD5
6621d1f4e191c018a0d8abb5c610d1aa

SHA1
c3af35a5df9361e2805bd84d3e3144e0b9c44d5b

SHA256
d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5

SHA512
6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA6D0.tmp\welcome.ini

Filesize
1KB

MD5
2cbdaca17d4bdab289c3e8e31ce8e691

SHA1
80f8fa7d17e5e4829d91f7a90e14f6c479d181e9

SHA256
07b117b75c47348ee8c0d3c40cf7c17f26ef8f0ba4f4f617315c46e8cda90dbf

SHA512
d1ac2d9abfccd3483c5fdebc47581eb91a80bdb3cd212e0dc4ffcd9b893a4f7dbcb832852eb3de623c863403f61844108665640336aadc1ad517dcb92f28bee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA6D0.tmp\welcome.ini

Filesize
1KB

MD5
1c9a6f3551d8d7d238ef43ee7089ee6f

SHA1
6dac781c8cf9d13edca0412ad418b09c4e464087

SHA256
5b7a6e625e0b85f2c882be58df17568a58a202ae26a8cca0f754f6f6a66a12f5

SHA512
2fb882c618724966917348e115fc6abd10b3fd11a1e1393067ebd34bb5241c9cdc0dbbf428e422e44ab96876585efe45e2a97af92068995f6f01b95ff1e07ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA6D0.tmp\welcome.ini

Filesize
1KB

MD5
47170d27ca10a4c9385693de4d3cac08

SHA1
3dc586194f1be48f0dc97e2edf0459e142b99936

SHA256
41221a59986b3a5ba48155ebf81f570525e58d988a5e3f5382b5f663f5f2ae20

SHA512
0a036feb58c538b0f81cede2efbde1115ef784764d8ea6f06143c2edddfcdedae57d91aebba53f278d7b9813f015979ffa913c1263cad1d453ab5aca95e780bb

Download Submit