eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
Size

128KB
MD5

335fb257c43adb07144cc7969d3c9240
SHA1

5215187049881cca84d48dd8587aa0b55e511e8f
SHA256

eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561
SHA512

cb93ced175d6e315b141e45031557cb2bd3e11a2bc0c72832ef67e9aaa785b22c0595a3af7e6d12270bfdc5c7b9634723a2dcb64567233b781f59819106f05dc
SSDEEP

1536:KeJsio03hgIuFQFvHwd6PXOYb7gXWgWKsEHXNeG0h/y:dJsio0xg/FQByYb7gvsEwq

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yioobu.exe

Executes dropped EXE 1 IoCs

pid	Process
492	yioobu.exe

Loads dropped DLL 2 IoCs

pid	Process
1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /g"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /S"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /F"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /X"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /w"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /d"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /E"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /M"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /B"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /v"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /L"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /A"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /b"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /I"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /q"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /C"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /N"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /e"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /p"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /f"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /W"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /Q"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /O"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /P"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /H"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /S"	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /D"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /r"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /t"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /G"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /U"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /l"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /V"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /i"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /Y"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /x"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /o"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /T"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /z"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /Z"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /K"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /s"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /n"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /h"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /j"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /u"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /y"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /m"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /a"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /k"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /J"	yioobu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\yioobu = "C:\\Users\\Admin\\yioobu.exe /c"	yioobu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yioobu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe
492	yioobu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
492	yioobu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 492	1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe	31
PID 1576 wrote to memory of 492	1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe	31
PID 1576 wrote to memory of 492	1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe	31
PID 1576 wrote to memory of 492	1576	eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe	31

C:\Users\Admin\AppData\Local\Temp\eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe
"C:\Users\Admin\AppData\Local\Temp\eac22093c6aeb6e2c5281d58f707e23b6cc68b9f48905be075b72a35d1b20561N.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\yioobu.exe
  "C:\Users\Admin\yioobu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\yioobu.exe

Filesize
128KB

MD5
f15b7d471f60b2aa6078b9f933dedaea

SHA1
b79bf34ab7a6249d2c247f1464728176a09008ee

SHA256
58d144cc8f68de102808307469e7d203df95f71ef75ad90a92b03adc2cab0272

SHA512
cc3985e75ec73f31b50977bd15257ef553de3c030f1b33502b8049c3bd12f6404c7e6ed8ae6d514efea2b95d072e402b311025faf1b7aeea646ee6edaf804f8d

Download Submit