Analysis

Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16/10/2024, 00:32
Static task: static1

Behavioral task: behavioral1
  Sample: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
  Resource: win10v2004-20241007-en
General

Target: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
Size: 414KB
MD5: 8ed6fc461fb1cad41bbbe997fc33524b
SHA1: c8ab52a0ac4be3b5a87e029e4d19fae59318069e
SHA256: 1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273
SHA512: 9e18a5f23c9f27c8798b136c9d88ae2d918643623bf96c4c9f5b85aa85cc2bd26cb974b8f8376e34cc8cd8f13229a99921defb963456d7129c87fc74868970b7
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures

Blocklisted process makes network request (8 IoCs)
flow  pid   Process
24    3428  rundll32.exe
31    3428  rundll32.exe
32    3428  rundll32.exe
33    3428  rundll32.exe
47    3428  rundll32.exe
48    3428  rundll32.exe
57    3428  rundll32.exe
73    3428  rundll32.exe

Deletes itself (1 IoC)
pid   Process
1632  yokty.exe

Executes dropped EXE (1 IoC)
pid   Process
1632  yokty.exe

Loads dropped DLL (1 IoC)
pid   Process
3428  rundll32.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                                Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\atdmw\\yqamp.dll\",Verify"  rundll32.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc          Process
File opened (read-only)  \??\<X>:     rundll32.exe
(23 rows, one per drive letter, in the order recorded: a, b, n, r, x, e, g, q, y, k, l, o, z, u, h, i, j, m, p, s, t, v, w)

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                  Process
File opened for modification  \??\PHYSICALDRIVE0   rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid   Process
3428  rundll32.exe

Drops file in Program Files directory (2 IoCs)
description                   ioc                                   Process
File opened for modification  \??\c:\Program Files\atdmw            yokty.exe
File created                  \??\c:\Program Files\atdmw\yqamp.dll  yokty.exe

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yokty.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
3436  cmd.exe
2132  PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                           Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe

Runs ping.exe (1 TTP, 1 IoC)
pid   Process
2132  PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3428  rundll32.exe
(64 identical rows, all for PID 3428 rundll32.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  3428  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2280  1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe
1632  yokty.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   Process                                                                 procid_target
PID 2280 wrote to memory of 3436   2280  1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe  85   (3 rows)
PID 3436 wrote to memory of 2132   3436  cmd.exe                                                                 88   (3 rows)
PID 3436 wrote to memory of 1632   3436  cmd.exe                                                                 90   (3 rows)
PID 1632 wrote to memory of 3428   1632  yokty.exe                                                               91   (3 rows)
Processes

C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe (depth 1, PID 2280)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3436)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\yokty.exe "C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe"
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (depth 3, PID 2132)
      Command line: ping 127.0.0.1 -n 2
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\yokty.exe (depth 3, PID 1632)
      Command line: C:\Users\Admin\AppData\Local\Temp\\yokty.exe "C:\Users\Admin\AppData\Local\Temp\1f35a53d85676d42b288490df1629bcf32b66a883373238acfd891f1c5915273.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\SysWOW64\rundll32.exe (depth 4, PID 3428)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\atdmw\yqamp.dll",Verify C:\Users\Admin\AppData\Local\Temp\yokty.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

File 1
Filesize: 414KB
MD5: 3c50782070f5ccad175c48a83abc605b
SHA1: e13715edc0e50a552bd8c30bc197ba9c000fb450
SHA256: db9f3c81166c2e24929b31a55da6e65b70e72e0a44e0cb0b068b26635669260b
SHA512: cb98ad7258c503f20a088fff8ef26c8ae51276070f262557494e5fb7aaeb1e807411fc20456e9bc8691d66937b656ca54589fa30122174e4a49ad30f34b7fe61

File 2
Filesize: 228KB
MD5: b6a726eafb7e3265201e015195eaed40
SHA1: 5bedaca3b024092c4bc68c7f2184bee7ce229bff
SHA256: 08e9ea35b7556bc84f5a18cdb65e362d8d907256e3b3024eb2434f1998def93a
SHA512: 08773e331d3652ce99ba54f29adbf67ed95bb71263746744746cae50123a8cfa4980958d8ba523ae8485f903a2f71ca376e0ea743d014c0f7ca620ac952ba60e