31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a

General

Target

31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
Size

289KB
MD5

5e6849658c66ec6b6e83708ea8282abe
SHA1

c9372cb19e1dda2bc97da79d42c61bb13880726e
SHA256

31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a
SHA512

f6a1034c65069c670898f9e521e4dee3c8985a2f584e8c8d7764ce974bbe526beaaa8f83f049c020ca1dca8256d000347562546cacde629faa781e354b8cc799
SSDEEP

6144:9OMJqCoAe4irtAIVGKaW04YG5kECzJLaQVbU5:9OMJqS8rcRW0k5klJLJbU5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	YTH.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	cmd.exe
2816	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\YTH.exe	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
File opened for modification	C:\windows\SysWOW64\YTH.exe	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
File created	C:\windows\SysWOW64\YTH.exe.bat	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
2836	YTH.exe
2836	YTH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
2836	YTH.exe
2836	YTH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2816	2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe	31
PID 2972 wrote to memory of 2816	2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe	31
PID 2972 wrote to memory of 2816	2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe	31
PID 2972 wrote to memory of 2816	2972	31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe	31
PID 2816 wrote to memory of 2836	2816	cmd.exe	33
PID 2816 wrote to memory of 2836	2816	cmd.exe	33
PID 2816 wrote to memory of 2836	2816	cmd.exe	33
PID 2816 wrote to memory of 2836	2816	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
"C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\YTH.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\windows\SysWOW64\YTH.exe
    C:\windows\system32\YTH.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\YTH.exe.bat

Filesize
70B

MD5
75c9746cc4ea5828fe91ff2f3dd55fc8

SHA1
b5ef7df9713ae0dd0ea74852a94d9c985c08494b

SHA256
90f708a093c75b4c4eed2c30120e65e06fa626ad57f11dd49c846b42597d9238

SHA512
3494a86c2f99d1e12cebe4d40589f75f3feb3f8c4eece70c36563303004d95169bca4c46798bc3729b72a14edde2bfc36875abb1b71231e67fa79729c8180bfa

Download Submit
\Windows\SysWOW64\YTH.exe

Filesize
289KB

MD5
27c942879c2e562ee2a05590807ae26b

SHA1
b72f48447790ad22721b8608dcb759fb4c5245cd

SHA256
0bbdd338ed101e11714b00a23430250f73265dc2d5f06e07c2f5acc1bba37c83

SHA512
a641129f34a6012679cc3ddc480afbd431af68385bdcb2b7e396f727ca5585ded9b2bff078386fe9010a6dc24bf973ff68daeca17abc609f7b90dc2d09f0ff1b

Download Submit
memory/2816-16-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/2816-19-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/2836-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing