4ac4b8cd40a3955fa6876a1865cd7c56399b26670469d559588799434b43a9b6

General

Target

9f273f59ffaf82c65485ac3ea2108b50N.exe
Size

1.0MB
MD5

9f273f59ffaf82c65485ac3ea2108b50
SHA1

459756f0bf0f5fd1008e074439b8faa4114b17a1
SHA256

4ac4b8cd40a3955fa6876a1865cd7c56399b26670469d559588799434b43a9b6
SHA512

128b15cc0853a0f2a9ef4e97d35d1522674608206a66fc51e17486c2ce489243385059d8aa99bbcaca921826736638c3d76facd97d1a94effc5e46c68ad8b84f
SSDEEP

12288:M8kxNhOZElO5kkWjhD4AyCGtAtScw3qEKZGtAtScw3qEKBYGtAtScw3qEK:jqEkfFa1456145v145

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3784	YPVK.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	YPVK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\HLWAFL.EXE \"%1\" %*"	YPVK.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4852-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-10.dat	upx
behavioral2/files/0x000a00000002346c-21.dat	upx
behavioral2/memory/4852-24-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/3784-28-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FCGN.EXE = "C:\\Windows\\XQDDFM.EXE"	9f273f59ffaf82c65485ac3ea2108b50N.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\V:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\K:	YPVK.EXE
File opened (read-only)	\??\U:	YPVK.EXE
File opened (read-only)	\??\J:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\R:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\U:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\L:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\M:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\P:	YPVK.EXE
File opened (read-only)	\??\R:	YPVK.EXE
File opened (read-only)	\??\M:	YPVK.EXE
File opened (read-only)	\??\E:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\G:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\N:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\S:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\E:	YPVK.EXE
File opened (read-only)	\??\H:	YPVK.EXE
File opened (read-only)	\??\P:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\Q:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\Q:	YPVK.EXE
File opened (read-only)	\??\I:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\O:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\T:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\J:	YPVK.EXE
File opened (read-only)	\??\K:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\L:	YPVK.EXE
File opened (read-only)	\??\O:	YPVK.EXE
File opened (read-only)	\??\G:	YPVK.EXE
File opened (read-only)	\??\I:	YPVK.EXE
File opened (read-only)	\??\N:	YPVK.EXE
File opened (read-only)	\??\S:	YPVK.EXE
File opened (read-only)	\??\T:	YPVK.EXE
File opened (read-only)	\??\V:	YPVK.EXE

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\YPVK.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened for modification	C:\Program Files\YPVK.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File created	C:\Program Files\QEAT.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened for modification	C:\Program Files\QEAT.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\FBYTEJ.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened for modification	C:\Windows\FBYTEJ.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File created	C:\Windows\XQDDFM.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File created	C:\Windows\HLWAFL.EXE	YPVK.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YPVK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f273f59ffaf82c65485ac3ea2108b50N.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\QEAT.EXE \"%1\" %*"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\FBYTEJ.EXE \"%1\""	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\QEAT.EXE \"%1\""	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\HLWAFL.EXE \"%1\" %*"	YPVK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	YPVK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\YPVK.EXE %1"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Windows\\FBYTEJ.EXE %1"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\QEAT.EXE %1"	9f273f59ffaf82c65485ac3ea2108b50N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3784	YPVK.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3784	4852	9f273f59ffaf82c65485ac3ea2108b50N.exe	86
PID 4852 wrote to memory of 3784	4852	9f273f59ffaf82c65485ac3ea2108b50N.exe	86
PID 4852 wrote to memory of 3784	4852	9f273f59ffaf82c65485ac3ea2108b50N.exe	86

C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe
"C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files\YPVK.EXE
  "C:\Program Files\YPVK.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\YPVK.EXE

Filesize
1.0MB

MD5
d5159bb7ac9308ce52dbe386ac7ef4ab

SHA1
0f8b6549532aa79c02c8369327f03f445bff5c08

SHA256
a60b40b16a8279ced256cab6bb772a822de1b38d2bd07d1cba7f78f84a33b41c

SHA512
149198bfdaf5fa7b070d12150689db745a0a46d139941715e393b5c0fdd8761dff869fd50591723caf141e8b61f9f88ee8c90ff8623e20106b9bcf620c000079

Download Submit
C:\Windows\FBYTEJ.EXE

Filesize
1.0MB

MD5
c60e43e1444972c4371f5f054d68ab76

SHA1
07176849afb35a8f797d4c7e18d2322697396990

SHA256
52d715ce6e7736ce165ec88bffc659739afd3a9cd779de6ca72f1f1b0d7c2cc0

SHA512
193454b0c5efd089bb2c496ca6409c96decd3d5938acb4a008f28e58cd72fc00f3d018bb92724e18eb95637ae971f91d167a24ee299b5012d20e06c3caa3433e

Download Submit
\??\c:\filedebug

Filesize
254B

MD5
aade3641af5db8c041289386db2f5aca

SHA1
85b06788952a8923f90cab1b56ddddcb77674487

SHA256
325d6c8375cde875113e4ef6802e1b8becb0d9d6c87d72fe7b9d3208c9800fc2

SHA512
8538c20bb4224902d480577e37ccd03d1a4192592c4b6a1bceac908de21899e7049c8b1a233db98c0fb83082dd8e81930e4c2c4a9975c5d5a8ea9ece932e76e3

Download Submit
memory/3784-23-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3784-28-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3784-29-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4852-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4852-1-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/4852-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads