7b2b2bf953b870564bff1f308381d9e20e84c2577bd8c854710e4f71438b2981

Analysis

max time kernel
140s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMPYtbn/ytbsys.exe
Size

456KB
MD5

3f9428f9780fdf2e8940715906195ce2
SHA1

c821e03160dccf764b999255162e28a8835e1bc4
SHA256

5ff66c9607acab6bcf96f17d22ed896f753155df95b63f9115545bf1913ab587
SHA512

1461de4234045d0ab948f5ce4bdf923a0f911f096b38069183535a3869bbd13365577a4c7ce5ffd03edb3dc8d7c8eb9bc578da00e7ce41b4ffff24db9455b83f
SSDEEP

6144:XQqDFnqGSjfxJL05DhW3yMTOht7U08XWEEsEpGq1TxhtllOTR+jZlKGyKB6JKfM5:hfSjZKV3qS6fXWnZntuVeIPu0Ueaez

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4896	ytb_oc.exe
2064	ytb_c.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	ytbsys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytbsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytb_oc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytb_c.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	ytb_oc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	ytb_oc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	ytb_c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	ytb_c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4896	ytb_oc.exe
4896	ytb_oc.exe
4896	ytb_oc.exe
4896	ytb_oc.exe
2064	ytb_c.exe
2064	ytb_c.exe
2064	ytb_c.exe
2064	ytb_c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4896	1924	ytbsys.exe	84
PID 1924 wrote to memory of 4896	1924	ytbsys.exe	84
PID 1924 wrote to memory of 4896	1924	ytbsys.exe	84
PID 1924 wrote to memory of 2064	1924	ytbsys.exe	103
PID 1924 wrote to memory of 2064	1924	ytbsys.exe	103
PID 1924 wrote to memory of 2064	1924	ytbsys.exe	103

C:\Users\Admin\AppData\Local\Temp\$TEMPYtbn\ytbsys.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPYtbn\ytbsys.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\TempYtbn\ytb_oc.exe
  C:\Users\Admin\AppData\Local\TempYtbn\ytb_oc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4896
- C:\Users\Admin\AppData\Local\TempYtbn\ytb_c.exe
  C:\Users\Admin\AppData\Local\TempYtbn\ytb_c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
9bafbf1bf924e98d459234c969d9258f

SHA1
5d83b653adeb1ccb745c8638bbd6e59b8bafa20c

SHA256
218aa2d951d1319ff26d39274bcd08c39123b16891aed8f73d125028cc092763

SHA512
4d239e610e0fb8fbe05273a716a2e990b1c8383eb66cfa4001dd0479e9b4566b00d2e7ae545cb36b1fac43f26b07416c653126c2b1bba0e89be2878f74a88fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
315c9d49817aa5e26c8bbc032137f787

SHA1
33d5ebcbdb38728f2083b74c0a5c28bc58763fe8

SHA256
38be4321996d0e43496c341f0470949c1f1a100b2318719e7424b550aaac83c4

SHA512
3473059c138d9e53c7be9dc02340edaabb9831ae75d1e08b20a32dc13dd72587892ee160c77412bf17838271faa44022d03f532a7974e7db75ea20e555c75a6d

Download Submit
C:\Users\Admin\AppData\Local\TempYtbn\ytb_c.exe

Filesize
354KB

MD5
7d18bc75c1819350283c71c6fd3c4f58

SHA1
aa06961eb254365bf95ea1185932c3f71dfbbfa0

SHA256
9626df7ff25c020099504c1527025b056ef27b74e1d92d195996687344b1922b

SHA512
bd3d02f7e71aadb51f82b463826de1b0bcb4de18389c792783ae048e51fa11278f49118339a8b76f82b5d86af533e0b675a82e912196f4cadad5e199118cc941

Download Submit
C:\Users\Admin\AppData\Local\TempYtbn\ytb_oc.exe

Filesize
354KB

MD5
ed3e6f0637ea310cff9028c2ff310ee3

SHA1
1fd3563f0783b03e7ed2f9b5ee34b1cd5befbf90

SHA256
c08508d7deeb8f25e7d4a2c12030b4d9a4071152f6a2762351de02f7bca7d4a1

SHA512
9658d63b45e788740cefd7c107719379340d561697c5098bf22ba2217ed5936e40e17641d2eeab613aed58c186baeaf4b927d86326c348d4180e217ab9b18f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfAD48.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit