7089a8179efa6c83ec6cac9f54648e85fb903e56a966c3a5874c5a95a81c3638

General

Target

dashboard for all stealers (recomended for start)/paid dashboard.exe
Size

2.5MB
MD5

660e26001a8891e78135a09d3ec2623f
SHA1

bd95c1955be08eaecefa7b3dd1cbdac7387b6d06
SHA256

1811c7b5ddcc6637a782bf32db70b60bd0bf3ec2b3498716591f718cda25fd14
SHA512

590df723aaa52806f664adec89bf6e8e570a9c88b4858131fb59f23e31ab3302189393bceb58fe1aa71475065aefab2d093d5f8ad6296693d4124e5a10a34e92
SSDEEP

49152:cCEz1VWQraflEcY8GSFJ2CBUm5htDRvG0JuH0Xv6GVO8UKlo:cn14QilESfFim15rtxUuo

Score

10^/10

discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

bg.exeYSkullLock.exe

pid process

1532 bg.exe
1464 YSkullLock.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exe

pid process

2552 cmd.exe
2552 cmd.exe
2552 cmd.exe
2552 cmd.exe

pid	process
1532	bg.exe
1464	YSkullLock.exe

pid	process
2552	cmd.exe
2552	cmd.exe
2552	cmd.exe
2552	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2640-0-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx
behavioral1/memory/2640-83-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YellowSkull2 Special Program = "C:\\YSkullMBRSetup.exe"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "c:\\yellowskull.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exeYSkullLock.exerundll32.exerundll32.exereg.exereg.exereg.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exetaskkill.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exereg.exerundll32.exereg.exerundll32.exerundll32.exerundll32.exereg.exerundll32.exerundll32.exereg.exepaid dashboard.exerundll32.exerundll32.exebg.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.execmd.exereg.exerundll32.exerundll32.exerundll32.exeWScript.exerundll32.exerundll32.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSkullLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paid dashboard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2932 taskkill.exe
Modifies registry key 1 TTPs 7 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2340 reg.exe
2420 reg.exe
2512 reg.exe
600 reg.exe
2432 reg.exe
1916 reg.exe
1696 reg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2932 taskkill.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

YSkullLock.exe

pid process

1464 YSkullLock.exe

pid	process
2932	taskkill.exe

pid	process
2340	reg.exe
2420	reg.exe
2512	reg.exe
600	reg.exe
2432	reg.exe
1916	reg.exe
1696	reg.exe

description	pid	process
Token: SeDebugPrivilege	2932	taskkill.exe

pid	process
1464	YSkullLock.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

paid dashboard.execmd.exe

description	pid	process	target process
PID 2640 wrote to memory of 2552	2640	paid dashboard.exe	cmd.exe
PID 2640 wrote to memory of 2552	2640	paid dashboard.exe	cmd.exe
PID 2640 wrote to memory of 2552	2640	paid dashboard.exe	cmd.exe
PID 2640 wrote to memory of 2552	2640	paid dashboard.exe	cmd.exe
PID 2552 wrote to memory of 2572	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2572	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2572	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2572	2552	cmd.exe	reg.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2724	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2684	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2712	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2608	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2660	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 1760	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe
PID 2552 wrote to memory of 2720	2552	cmd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\dashboard for all stealers (recomended for start)\paid dashboard.exe
"C:\Users\Admin\AppData\Local\Temp\dashboard for all stealers (recomended for start)\paid dashboard.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\27CC.tmp\YellowSkull2.bat" "
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\yellowskull.bmp /f
3⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2572

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2760

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2724

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2684

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2712

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2608

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2660

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:1760

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2720

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2548

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2556

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2564

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2612

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2624

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2076

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2716

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:3048

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:3052

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:3060

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2172

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2244

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:1304

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:976

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2732

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2936

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2912

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2888

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2792

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2028

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:584

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2816

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2636

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2740

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2772

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2864

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
- System Location Discovery: System Language Discovery
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2340

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2420

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2512

C:\Users\Admin\AppData\Local\Temp\27CC.tmp\bg.exe
bg.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532

C:\Users\Admin\AppData\Local\Temp\27CC.tmp\YSkullLock.exe
YSkullLock.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "YellowSkull2 Special Program" /t REG_SZ /F /D "C:\YSkullMBRSetup.exe"
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27CC.tmp\k.vbs"
3⤵
- System Location Discovery: System Language Discovery
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27CC.tmp\YSkullMBRSetup.exe

Filesize
1.3MB

MD5
220303eb72ebde4605116640fb719b26

SHA1
2021794facb35a7a23796e74835d8cf93882ddaf

SHA256
f081c913488c3f22b62f906dac2a82a38d085ebe1d28701f0059dfdfbf1ccf42

SHA512
dc811be33365049b32c3a47de9b4f4e4f77be0a9dfd14bfcfce92a6f575cf9bbd4aa56fcc92a3d8bf7bd21354f6530f3cc50a1f185a5953861d3a73a3f1738fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\27CC.tmp\YellowSkull.bmp

Filesize
2.9MB

MD5
11bcda64d254ad8dc591b41f8fceb04d

SHA1
66d9dea8a7c3d0bb6e9924a4c86f5eef98317752

SHA256
84c5dad2d4cec5b636c1fae6f1e1482ada9f62363dcf269b4a86f6070d5b50fc

SHA512
b26287ed0de799b95a4bb1f18eb92e3a24dc8250eb09c669112d4b60e7e362012c564d0959ddfe128bc00a63601d9132160cc93276cb72ebc0e0ab2fc2d837b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\27CC.tmp\YellowSkull2.bat

Filesize
3KB

MD5
4671d5895d88bc19645cab0fc7ca398a

SHA1
d6b1ccef99793b0dcd09156a6460027271cde082

SHA256
dd8aa9f7955674a7a1b5b222d7c1809c583c705dae8bf476cdd42efcc0afabb5

SHA512
ea21a82ccbb1647bdd45890dadb1740a8dbb7d4cd7481a252545a6db2ce7fda1ce7c808b102bbd4dbd8764a6f824d6529044002f234bb5c255504f6b85ab926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\27CC.tmp\bg.exe

Filesize
102KB

MD5
12cf508e9058e3e67cf8a736557c2749

SHA1
8448240c260ccef2d23854e749387b65e4b6668e

SHA256
b3670ec42931e2dea3e03053eda32240d8b6db15bf89d0c74e23e99ecb0aaf49

SHA512
7a837b5a89f29974b1e305e2082d5f7aee46bee3cef7e8a8b47a877d5bd6280c359318d6002c2c283aed13054a8ee590778e99e423a25f84f3037b0249c6403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\27CC.tmp\bg.wav

Filesize
2.6MB

MD5
832b350b50a07906c630a2b8819fd209

SHA1
362d4d61df27a40f975e26b3d8ace1e8fac10f94

SHA256
94e1cecf8ed740ea45c87927de31005c3b2f9db261aae04fe56a81e337d1e8da

SHA512
cf267295d0248029e4a92d1052df1e24c93d3be79adb1efa9723c64e9c7bb52108a3bc194e772ff0e6dcb5b2208e9d7787a81a86e74ee11892571760e40abcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\27CC.tmp\k.vbs

Filesize
140B

MD5
126595a4087b9e1b9bac69aab147c97f

SHA1
ef079808ab8f7b762c413c5fa5844f4285f2848c

SHA256
4c59cedcafe3f5a1025960b344107f7e18c98ca569d2e6c8aa3d685b20754089

SHA512
41cc1badee06c16a0c65cbf7f38a420ca3c8e0ea459afd208b9b01cbeeef6724b8f2c04ecb41bec9d045492f9be0361612204db77eae7e1aeece8fe3761a7eb4

Download Submit
\Users\Admin\AppData\Local\Temp\27CC.tmp\YSkullLock.exe

Filesize
2.9MB

MD5
2191c3a14b53531e82726b17dd331cef

SHA1
9fdcc1ef73bbd08ac8f4cb3bdaf4c4ed26a99737

SHA256
3b2abd3773e4678100f197f53a886ec833fd2e26aa9a94d780a2d22befdf7d44

SHA512
93dc75ae619bcac6566c6e773c3628c2ef1326d988e592e59a1c8f9be304014a970caf40bf255a52b26fb37ca1d2625c8bf95b5dc749f378a0450a74aa3421f9

Download Submit
memory/1532-85-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2640-0-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/2640-83-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads