99262ab91de9e9ddcab93e1f3f67cf356cbdb11bff959a05a51abbe1562f2366

Analysis

max time kernel
1509s
max time network
1484s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18/08/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PID Key Checker/PID Key Checker.exe
Size

9.7MB
MD5

cfae82ef8329044b196c682444c2060e
SHA1

e7bdd49030e7a6b8efef1a4201e95f2a385a06f6
SHA256

22fc1ce3806264ff01abc40e818a70bc467027b9dea29422a362d15e48e108bd
SHA512

783ae2588d9a557be59eabe4107e0fdd7c97f3173f3e11bb4ade53c19e16d8497a71599492408849a5eeb7a56278f3d50a3417971c8d1b388fc550731aa30037
SSDEEP

98304:z2xA9DMbJcioxcKK2SewFiYCJc7vfmIAh19DMbJcioxcKK2SewFiYCJc7vfmIqNn:ytAAqMsiD6Gu

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PID Key Checker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	PID Key Checker.exe
Token: SeDebugPrivilege	1824	wyUpdate.exe
Token: SeDebugPrivilege	1328	wyUpdate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1824	2756	PID Key Checker.exe	84
PID 2756 wrote to memory of 1824	2756	PID Key Checker.exe	84
PID 2756 wrote to memory of 1328	2756	PID Key Checker.exe	85
PID 2756 wrote to memory of 1328	2756	PID Key Checker.exe	85

C:\Users\Admin\AppData\Local\Temp\PID Key Checker\PID Key Checker.exe
"C:\Users\Admin\AppData\Local\Temp\PID Key Checker\PID Key Checker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\PID Key Checker\wyUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PID Key Checker\wyUpdate.exe" /autoupdate
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\PID Key Checker\wyUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PID Key Checker\wyUpdate.exe" /autoupdate
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\64D93295DA4D0800723C885BB4F0F064

Filesize
1KB

MD5
5da262790fec27334733361b17737615

SHA1
2ba5e22ca81f8b5ffd8eb23c0e7394a474fbb142

SHA256
2bb13b12acc346d4ff9dc7d3e311bbfbf8272db830a969d26f6c399cf878c632

SHA512
3a36d053415c3be31d531c7f5d9cda27275a3e3d0852a5100d35a38e12cfde511accc2599f3e15e5bf7a8fdc1bc05076ef273d9acda9796381a0bc1b37e8c77d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_C2688E7E72687DD043BCBD8B517F78DA

Filesize
1KB

MD5
ec72a4b7881a88f207db9ca93c8fe0d0

SHA1
4d7ed922133c1e9caebf0f8ff00f90d4c3c5351d

SHA256
17e271ca9144a49167d8916c233173bd8fd07c5278d38aca66fe85fc44d33aba

SHA512
d954b2628562bacf31428be5e8f4e08d225a9b37c85610c456834e29689434ff51b5127ef4596b238d270ef90e9e2143ce071d007c04e8c41b9bbe9b6c9d77fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F64202D7CEB5DA9D6F0F0D20562C7C92_6BB3B3AF049F0B897B10C8554E6BB697

Filesize
509B

MD5
b7d9453d16b9acd08d4f0ab6fb2f9985

SHA1
64ab3f1fbeecb6137b1c0d18f06682051e81c934

SHA256
676e221cdb0ecdc6be2848abf5b8b59f25015a258d50a83be40b1574c28601db

SHA512
961a3cb43cd08e884a1f36a7286971c0fb215e5c5c5e0e9aeee93d23240f35a7ff4b27b2f71bafd4cc9c495f026a92bd332ac0587e0f4fc9a065ff014d468da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
398B

MD5
07e2ff4a7e9cbc281256ba5fabb31d28

SHA1
81d0cc5b0bb79c441c9ce3bff29fdaa0613479e0

SHA256
d698758801c5b9900b2f8b0db9dd885a8ce498a6cecf3b5099dd3eed1954634a

SHA512
24b6f59e88bb3da3c0ac1cf4e2b32f4e9259bdd6c56be56b693f60f5650a03a66ffffe6e11e3d13712e11637bbd55f27483fcd3ffff8e68202aa307c312b9b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\64D93295DA4D0800723C885BB4F0F064

Filesize
298B

MD5
ae76612e7d97b52115fe870c5f9c3f06

SHA1
5ba15a793243d29bd7f50b11f540064929e5fd3a

SHA256
aa522e4f3dd16ef1fc9ab35aa7c2612624508847a26d28877476a032c986976f

SHA512
8419d766627d139a0cbc109c36192f3bfab6b348204724666b7f134a6c0397bae782a5e3733a1805cf0252e77f3b2f7f81667bf16f08ed3c29655fa0817fbba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_C2688E7E72687DD043BCBD8B517F78DA

Filesize
500B

MD5
1821550e5cc1ca2b54b6e932814ec809

SHA1
7f66dc2f0c6b8a2694e06786297db40b83d88ffb

SHA256
db80b6b74dc841d7c918905e04ea94b60845c02d04cfb85683823a5478404989

SHA512
ae0336e50da65c1ee6f06ee8d4317cc52a71d5ff7bfbd7b676573684407b15e7558b1b4038f64f8f5069e51a3e24cf878a486e34ab6fbcdc7243c37740c65abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F64202D7CEB5DA9D6F0F0D20562C7C92_6BB3B3AF049F0B897B10C8554E6BB697

Filesize
494B

MD5
cd92e962482e6fe90f708f76b39b30c2

SHA1
e0d26ef159f8a6e5e9941f42855f2d053b9be8d8

SHA256
268f474c7ef4c0bfc153c6dc68aecdb68827e62801ef59adad481a6ee6584ffe

SHA512
bf04f00eead0f318c2e0b03d72adb561864a29c0f903bbbcc3a6ba5e34ad94e6fde5dc00d919043a947a585fa1b1f4aee8f15a90e34d33e3729917a4b431aed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\wyUpdate.exe.log

Filesize
676B

MD5
03be1c314e4ecfbea06d521c0663fb99

SHA1
0c498fb34a53a97b10c14ca75b37303f09f93437

SHA256
cf7aef87550ad73666b02faa240d17ccd8f869c36182f7f717701a78f7b129d0

SHA512
136a132f74128a631109ac5b7451875e90449f50434669454cb7318904266cccae84c68d0c179c719b59a4ebde1d41d8fbe1fff0c67f02c05ddd5bdf1cbd1bd8

Download Submit
C:\Users\Admin\wc\6\wyserver.wys

Filesize
517B

MD5
00c732fe22dd08913e9ee714bc9727b7

SHA1
409733555cfff6149a9d70e41eb8ff6b0d5648b1

SHA256
040914ccb8aa7fb7d8cdda2a216b267e42f84449f23d0bfa37aea93b8ebe4641

SHA512
2c952b450d578c948ffd2110ba69c5ed376109ab701dfe42cf53c807c9a388f90ba88c33b0618e4887d05a6d88a0a7c2df57bff6460fe41afde9e741a21f8897

Download Submit
memory/1824-62-0x00007FF9E8970000-0x00007FF9E9311000-memory.dmp

Filesize
9.6MB

Download
memory/1824-53-0x000000001DFE0000-0x000000001E000000-memory.dmp

Filesize
128KB

Download
memory/1824-52-0x00007FF9E8970000-0x00007FF9E9311000-memory.dmp

Filesize
9.6MB

Download
memory/1824-51-0x00007FF9E8970000-0x00007FF9E9311000-memory.dmp

Filesize
9.6MB

Download
memory/1824-50-0x000000001CA10000-0x000000001CA18000-memory.dmp

Filesize
32KB

Download
memory/1824-48-0x000000001C400000-0x000000001C8CE000-memory.dmp

Filesize
4.8MB

Download
memory/1824-49-0x000000001C970000-0x000000001CA0C000-memory.dmp

Filesize
624KB

Download
memory/1824-18-0x00007FF9E8C25000-0x00007FF9E8C26000-memory.dmp

Filesize
4KB

Download
memory/1824-19-0x00007FF9E8970000-0x00007FF9E9311000-memory.dmp

Filesize
9.6MB

Download
memory/2756-9-0x0000000006CB0000-0x0000000006CEA000-memory.dmp

Filesize
232KB

Download
memory/2756-63-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2756-16-0x00000000071E0000-0x00000000071F8000-memory.dmp

Filesize
96KB

Download
memory/2756-14-0x00000000744A0000-0x0000000074C51000-memory.dmp

Filesize
7.7MB

Download
memory/2756-11-0x00000000081F0000-0x000000000874E000-memory.dmp

Filesize
5.4MB

Download
memory/2756-12-0x0000000005750000-0x000000000576A000-memory.dmp

Filesize
104KB

Download
memory/2756-13-0x00000000089B0000-0x0000000008A0A000-memory.dmp

Filesize
360KB

Download
memory/2756-10-0x0000000006CF0000-0x000000000707A000-memory.dmp

Filesize
3.5MB

Download
memory/2756-64-0x00000000744A0000-0x0000000074C51000-memory.dmp

Filesize
7.7MB

Download
memory/2756-15-0x00000000744A0000-0x0000000074C51000-memory.dmp

Filesize
7.7MB

Download
memory/2756-65-0x00000000744A0000-0x0000000074C51000-memory.dmp

Filesize
7.7MB

Download
memory/2756-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/2756-7-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/2756-8-0x00000000744A0000-0x0000000074C51000-memory.dmp

Filesize
7.7MB

Download
memory/2756-6-0x0000000005FB0000-0x0000000006006000-memory.dmp

Filesize
344KB

Download
memory/2756-5-0x0000000005D60000-0x0000000005D6A000-memory.dmp

Filesize
40KB

Download
memory/2756-4-0x0000000005E00000-0x0000000005E92000-memory.dmp

Filesize
584KB

Download
memory/2756-3-0x0000000006310000-0x00000000068B6000-memory.dmp

Filesize
5.6MB

Download
memory/2756-2-0x0000000005CC0000-0x0000000005D5C000-memory.dmp

Filesize
624KB

Download
memory/2756-1-0x0000000000860000-0x000000000121E000-memory.dmp

Filesize
9.7MB

Download