Overview

overview

5

Static

static

3

YT Saver 8...et.rar

windows11-21h2-x64

3

Setup.exe

windows11-21h2-x64

5

YT Saver ....ma.rar

windows11-21h2-x64

3

Hijack Pat...re.rar

windows11-21h2-x64

3

YAMA 1.jpg

windows11-21h2-x64

3

YAMA 2.jpg

windows11-21h2-x64

3

YAMA 3.jpg

windows11-21h2-x64

3

YAMA 4.jpg

windows11-21h2-x64

3

PYG64.dll

windows11-21h2-x64

5

YAMA INFO.txt

windows11-21h2-x64

3

winmm.dll

windows11-21h2-x64

1

ytsaverw H...64.exe

windows11-21h2-x64

3

Analysis

  • max time kernel
    1793s
  • max time network
    1490s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-08-2024 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    125.8MB

  • MD5

    19a5d56ca69da4d8d28a03a829ab79ee

  • SHA1

    594f2d1f89f37eac0c6ae26b4e41b4a6cbf1b0ad

  • SHA256

    e267a5db451e9854f3923365445ae472ce9fad00d374f3906202002f7088b32b

  • SHA512

    e20330a38f807cf4dc7006c49d53a19b432958887bd2611c321bddfa8944c19efea243be0a228727f8024f092c6a8f372a6cb52238d1ddd27789018494d916d0

  • SSDEEP

    3145728:PQiBxgw+mTCO+JE6R/Vt9b9bYdI3vXFajIdBumkNa:Pfx3TcJEOLUI/Xoj6Qa

Score
5/10
discovery

Malware Config

Signatures

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\is-659C2.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-659C2.tmp\Setup.tmp" /SL5="$8023A,131106242,784384,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c tasklist | findstr "ytsaverw.exe" > "C:\Users\Admin\AppData\Local\Temp\findProcessRes.txt"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
        • C:\Windows\SysWOW64\findstr.exe
          findstr "ytsaverw.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-659C2.tmp\Setup.tmp
    Filesize

    2.5MB

    MD5

    62fa0d69a07ae42df88c8239a2c3ebba

    SHA1

    8ace4ae21d2c77830735963cd767a2d77a6a6999

    SHA256

    5c63508013f481ac23fb254d0a075ae343a2ba0d1158c70c485da1ec6b1817fb

    SHA512

    19a3303696e45962d3ce9fa7b536a91da0806660ab91cbe38969708f9c32b7401fc56b226a6f7af221df690a16084d40fbc6caaa1176e52de825df6c092c1db5

    Download Submit

  • memory/224-6-0x0000000000400000-0x0000000000688000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/224-9-0x0000000000400000-0x0000000000688000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1368-1-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/1368-2-0x0000000000401000-0x00000000004A9000-memory.dmp

    Filesize

    672KB

    Download

  • memory/1368-8-0x0000000000400000-0x00000000004CD000-memory.dmp

    Filesize

    820KB

    Download