c965ecc2b730fda4d78ac4affd191b84743da21aafa6e6a21ba967f5c7d7d05f

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yak_Final.cmd
Size

5.9MB
MD5

93cf021d6428cc6c1ce36f3cb2d1c9fc
SHA1

1a0098f9caa910f5d0c1a6af25899b1ddab5e201
SHA256

eadc263384b1edbcc520dc606f55cd99f32b6fe467d81629d6450646f5ab9326
SHA512

54137f76c92aba7b997a627c72bbebbc1f4b64a5b0869470951b9047838f027b73032789ec18045e7d6e528550d9c2aef21557b923cf8bce8ecdea514d1843ae
SSDEEP

49152:+YgKDrMK7zkw382ZhC9BX9p80u1Iv29j+mQ0+o0H+wZhuzmFjss8oj0xm/Ja3cZE:h

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 8 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAnyDesk.COMalpha.exealpha.exe

pid process

2944 alpha.exe
2148 alpha.exe
2340 kn.exe
2800 alpha.exe
2704 kn.exe
2932 AnyDesk.COM
2740 alpha.exe
2096 alpha.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exealpha.exealpha.exeWerFault.exe

pid process

2128 cmd.exe
2128 cmd.exe
2148 alpha.exe
2128 cmd.exe
2800 alpha.exe
988 WerFault.exe
988 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

988 2932 WerFault.exe AnyDesk.COM
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AnyDesk.COM

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AnyDesk.COM
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

AnyDesk.COM

pid process

2932 AnyDesk.COM

pid	process
2944	alpha.exe
2148	alpha.exe
2340	kn.exe
2800	alpha.exe
2704	kn.exe
2932	AnyDesk.COM
2740	alpha.exe
2096	alpha.exe

pid	process
2128	cmd.exe
2128	cmd.exe
2148	alpha.exe
2128	cmd.exe
2800	alpha.exe
988	WerFault.exe
988	WerFault.exe

pid	pid_target	process	target process
988	2932	WerFault.exe	AnyDesk.COM

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.COM

pid	process
2932	AnyDesk.COM

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exeAnyDesk.COM

description	pid	process	target process
PID 2128 wrote to memory of 1824	2128	cmd.exe	extrac32.exe
PID 2128 wrote to memory of 1824	2128	cmd.exe	extrac32.exe
PID 2128 wrote to memory of 1824	2128	cmd.exe	extrac32.exe
PID 2128 wrote to memory of 2944	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2944	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2944	2128	cmd.exe	alpha.exe
PID 2944 wrote to memory of 3064	2944	alpha.exe	extrac32.exe
PID 2944 wrote to memory of 3064	2944	alpha.exe	extrac32.exe
PID 2944 wrote to memory of 3064	2944	alpha.exe	extrac32.exe
PID 2128 wrote to memory of 2148	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2148	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2148	2128	cmd.exe	alpha.exe
PID 2148 wrote to memory of 2340	2148	alpha.exe	kn.exe
PID 2148 wrote to memory of 2340	2148	alpha.exe	kn.exe
PID 2148 wrote to memory of 2340	2148	alpha.exe	kn.exe
PID 2128 wrote to memory of 2800	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2800	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2800	2128	cmd.exe	alpha.exe
PID 2800 wrote to memory of 2704	2800	alpha.exe	kn.exe
PID 2800 wrote to memory of 2704	2800	alpha.exe	kn.exe
PID 2800 wrote to memory of 2704	2800	alpha.exe	kn.exe
PID 2128 wrote to memory of 2932	2128	cmd.exe	AnyDesk.COM
PID 2128 wrote to memory of 2932	2128	cmd.exe	AnyDesk.COM
PID 2128 wrote to memory of 2932	2128	cmd.exe	AnyDesk.COM
PID 2128 wrote to memory of 2932	2128	cmd.exe	AnyDesk.COM
PID 2128 wrote to memory of 2740	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2740	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2740	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2096	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2096	2128	cmd.exe	alpha.exe
PID 2128 wrote to memory of 2096	2128	cmd.exe	alpha.exe
PID 2932 wrote to memory of 988	2932	AnyDesk.COM	WerFault.exe
PID 2932 wrote to memory of 988	2932	AnyDesk.COM	WerFault.exe
PID 2932 wrote to memory of 988	2932	AnyDesk.COM	WerFault.exe
PID 2932 wrote to memory of 988	2932	AnyDesk.COM	WerFault.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Yak_Final.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:1824
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:3064
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Yak_Final.cmd" "C:\\Users\\Public\\AnyDesk.3gp" 3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Yak_Final.cmd" "C:\\Users\\Public\\AnyDesk.3gp" 3
    3⤵
    - Executes dropped EXE
    PID:2340
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.3gp" "C:\\Users\\Public\\Libraries\\AnyDesk.COM" 10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.3gp" "C:\\Users\\Public\\Libraries\\AnyDesk.COM" 10
    3⤵
    - Executes dropped EXE
    PID:2704
- C:\Users\Public\Libraries\AnyDesk.COM
  C:\Users\Public\Libraries\AnyDesk.COM
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 692
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:988
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.3gp" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\AnyDesk.3gp

Filesize
4.3MB

MD5
a85d94bb80f4303965ee81aacd785379

SHA1
67879ea0939b19a63f2be9989d82f9221227c54f

SHA256
0710797c70dfb3c9a1dbdb1601951aa7f7b66ec5667e5a5f7ccbe9a98a281fd1

SHA512
7be72148ec6289f9ea2716dfd256ef84a4ccc30592f5d09f21b275cf416caef0ae4d27b2b9b86fd322d273b5240707539848b6751c64df2a72921232b090a3dd

Download Submit
C:\Users\Public\Libraries\AnyDesk.COM

Filesize
1.2MB

MD5
77187f3d0cd4152c91602206c56f7102

SHA1
57b3be44b8fcda9b462a8ae0f0667a6f7b327dfa

SHA256
7e881ff53628c844f573e4076cb743bfe3f862686b822a5e79a1aa0c0626c822

SHA512
b93180f52de0fe1aaf9ee0a2d04a4cec0856514b852bea5d30b24916a60b01afccad870b958ccb646141cd539838d7e186424c2513e23050b8e5cb5c8b8c73c8

Download Submit
\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2932-29-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-30-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-41-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-39-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-38-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-37-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-31-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-40-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-95-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-94-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-93-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-92-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-91-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-90-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-89-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-87-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-86-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-84-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-82-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-81-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-79-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-78-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-76-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-75-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-74-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-73-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-71-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-70-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-68-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-66-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-63-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-59-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-57-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-55-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-53-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-52-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-51-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-47-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-46-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-44-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-88-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-85-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-83-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-80-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-77-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-72-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-69-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-67-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-36-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-65-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-64-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-35-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-62-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-61-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-60-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-58-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-56-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-34-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-54-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-50-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-49-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-48-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-45-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2932-42-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download