Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/07/2024, 20:23

General

  • Target

    31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe

  • Size

    289KB

  • MD5

    5e6849658c66ec6b6e83708ea8282abe

  • SHA1

    c9372cb19e1dda2bc97da79d42c61bb13880726e

  • SHA256

    31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a

  • SHA512

    f6a1034c65069c670898f9e521e4dee3c8985a2f584e8c8d7764ce974bbe526beaaa8f83f049c020ca1dca8256d000347562546cacde629faa781e354b8cc799

  • SSDEEP

    6144:9OMJqCoAe4irtAIVGKaW04YG5kECzJLaQVbU5:9OMJqS8rcRW0k5klJLJbU5

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe
    "C:\Users\Admin\AppData\Local\Temp\31a2990045c4c617a5ba3f72d8958925f41807593ff2d38304c02e543ffe767a.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system32\YTH.exe.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\windows\SysWOW64\YTH.exe
        C:\windows\system32\YTH.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2836
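The process tree above is a classic drop-then-execute chain: the sample (PID 2972) writes YTH.exe.bat and YTH.exe into the system directory, spawns cmd.exe to run the batch file, and the batch file launches the dropped YTH.exe (PID 2836). Note the path mismatch in the report: the command lines say C:\windows\system32\ while the actual images live in C:\Windows\SysWOW64\, because the sample is a 32-bit process on a 64-bit host and WOW64 file-system redirection silently maps its System32 writes to SysWOW64. Any detection that correlates the dropped path with the executed path has to canonicalise for that redirection or it will miss the chain. The script below is an added example, not part of the sandbox report; it runs over constructed file-create and process-create events modelled on the tree above (field names pid, ppid, image, cmdline and path are assumed, in the style of Sysmon event IDs 11 and 1) and flags both links of the chain while ignoring a benign cmd /c on a user-owned batch file.

```python
"""Flag drop-then-execute chains through the Windows system directory.

Added example (not the sandbox's code). Events are constructed to mirror the
reported tree: 2972 drops files -> 2816 (cmd.exe) runs the .bat -> 2836 (YTH.exe).
"""
import re
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM_DIRS = (SYSTEM32, SYSWOW64)

# Path of a .bat/.cmd script anywhere in a cmd.exe command line.
BAT_ARG = re.compile(r'([a-z]:\\[^"\s]+\.(?:bat|cmd))', re.I)


@dataclass
class Event:
    kind: str            # "file" (file created) or "proc" (process created)
    pid: int
    ppid: int = 0        # proc events only
    image: str = ""      # proc events: full path of the executable
    cmdline: str = ""    # proc events
    path: str = ""       # file events: path that was written


# Constructed events (assumed field values), modelled on the report's process tree.
EVENTS = [
    Event("proc", 2972, 1, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", r'"sample.exe"'),
    Event("file", 2972, path=r"C:\Windows\SysWOW64\YTH.exe.bat"),
    Event("file", 2972, path=r"C:\Windows\SysWOW64\YTH.exe"),
    Event("proc", 2816, 2972, r"C:\Windows\SysWOW64\cmd.exe",
          r'cmd /c ""C:\windows\system32\YTH.exe.bat" "'),
    Event("proc", 2836, 2816, r"C:\windows\SysWOW64\YTH.exe", r"C:\windows\system32\YTH.exe"),
    # Benign: an interactive shell running a user-owned script, nothing dropped.
    Event("proc", 3000, 1000, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\Admin\build.bat"'),
]


def canonical(path: str) -> str:
    """Lower-case the path and fold WOW64 redirection: a 32-bit process that
    names C:\\Windows\\System32 really reads/writes C:\\Windows\\SysWOW64."""
    p = path.lower().replace("/", "\\")
    return p.replace(SYSTEM32, SYSWOW64)


def in_system_dir(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith(SYSTEM_DIRS)


def descends_from(pid: int, ancestor: int, procs: dict) -> bool:
    """Walk ppid links; True if `ancestor` is anywhere above `pid`."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
        if pid == ancestor:
            return True
    return False


def find_drop_and_execute(events):
    dropped = {}   # canonical path -> pid that wrote it (system dirs only)
    procs = {}     # pid -> proc Event, for lineage checks
    findings = []
    for ev in events:
        if ev.kind == "file":
            if in_system_dir(ev.path):
                dropped[canonical(ev.path)] = ev.pid
            continue
        procs[ev.pid] = ev
        img = canonical(ev.image)
        hit = None
        if img.endswith("\\cmd.exe"):
            m = BAT_ARG.search(ev.cmdline)
            if m and canonical(m.group(1)) in dropped:
                hit = ("cmd_runs_dropped_script", canonical(m.group(1)))
        elif img in dropped:
            hit = ("dropped_exe_executed", img)
        if hit:
            rule, path = hit
            by = dropped[path]
            findings.append({"rule": rule, "pid": ev.pid, "path": path,
                             "dropped_by": by,
                             "lineage_ok": descends_from(ev.pid, by, procs)})
    return findings


if __name__ == "__main__":
    for f in find_drop_and_execute(EVENTS):
        print(f)
```

Both findings carry lineage_ok=True, meaning the executing process is a descendant of the dropper, which is the strongest signal here: a legitimate installer may well write to System32, but it rarely does so and then runs the new file through cmd.exe from the same tree. The canonical() fold is what makes the match work; without it the script's C:\windows\system32\YTH.exe.bat would never equal the C:\Windows\SysWOW64\YTH.exe.bat that was actually created.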

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\YTH.exe.bat

    Filesize

    70B

    MD5

    75c9746cc4ea5828fe91ff2f3dd55fc8

    SHA1

    b5ef7df9713ae0dd0ea74852a94d9c985c08494b

    SHA256

    90f708a093c75b4c4eed2c30120e65e06fa626ad57f11dd49c846b42597d9238

    SHA512

    3494a86c2f99d1e12cebe4d40589f75f3feb3f8c4eece70c36563303004d95169bca4c46798bc3729b72a14edde2bfc36875abb1b71231e67fa79729c8180bfa

  • \Windows\SysWOW64\YTH.exe

    Filesize

    289KB

    MD5

    27c942879c2e562ee2a05590807ae26b

    SHA1

    b72f48447790ad22721b8608dcb759fb4c5245cd

    SHA256

    0bbdd338ed101e11714b00a23430250f73265dc2d5f06e07c2f5acc1bba37c83

    SHA512

    a641129f34a6012679cc3ddc480afbd431af68385bdcb2b7e396f727ca5585ded9b2bff078386fe9010a6dc24bf973ff68daeca17abc609f7b90dc2d09f0ff1b

  • memory/2816-16-0x0000000000180000-0x00000000001BF000-memory.dmp

    Filesize

    252KB

  • memory/2816-19-0x0000000000180000-0x00000000001BF000-memory.dmp

    Filesize

    252KB

  • memory/2836-20-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2836-21-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2972-0-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2972-12-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB