Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-11-2024 06:36
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Yak_Final.cmd
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: Yak_Final.cmd
  - Resource: win10v2004-20241007-en
General
- Target: Yak_Final.cmd
- Size: 5.9MB
- MD5: 93cf021d6428cc6c1ce36f3cb2d1c9fc
- SHA1: 1a0098f9caa910f5d0c1a6af25899b1ddab5e201
- SHA256: eadc263384b1edbcc520dc606f55cd99f32b6fe467d81629d6450646f5ab9326
- SHA512: 54137f76c92aba7b997a627c72bbebbc1f4b64a5b0869470951b9047838f027b73032789ec18045e7d6e528550d9c2aef21557b923cf8bce8ecdea514d1843ae
- SSDEEP: 49152:+YgKDrMK7zkw382ZhC9BX9p80u1Iv29j+mQ0+o0H+wZhuzmFjss8oj0xm/Ja3cZE:h
Malware Config
Signatures
- Executes dropped EXE (8 IoCs)

  pid   Process
  2944  alpha.exe
  2148  alpha.exe
  2340  kn.exe
  2800  alpha.exe
  2704  kn.exe
  2932  AnyDesk.COM
  2740  alpha.exe
  2096  alpha.exe

- Loads dropped DLL (7 IoCs)

  pid   Process
  2128  cmd.exe
  2128  cmd.exe
  2148  alpha.exe
  2128  cmd.exe
  2800  alpha.exe
  988   WerFault.exe
  988   WerFault.exe

- Program crash (1 IoC)

  pid   pid_target  Process       procid_target
  988   2932        WerFault.exe  38
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AnyDesk.COM
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)

  pid   Process
  2932  AnyDesk.COM

- Suspicious use of WriteProcessMemory (35 IoCs)

  pid   Process      wrote to memory of (pid)  procid_target  events
  2128  cmd.exe      1824                      31             3
  2128  cmd.exe      2944                      32             3
  2944  alpha.exe    3064                      33             3
  2128  cmd.exe      2148                      34             3
  2148  alpha.exe    2340                      35             3
  2128  cmd.exe      2800                      36             3
  2800  alpha.exe    2704                      37             3
  2128  cmd.exe      2932                      38             4
  2128  cmd.exe      2740                      39             3
  2128  cmd.exe      2096                      40             3
  2932  AnyDesk.COM  988                       42             4
Processes
- C:\Windows\system32\cmd.exe
  Command: cmd /c "C:\Users\Admin\AppData\Local\Temp\Yak_Final.cmd"
  PID: 2128
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\extrac32.exe
    Command: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
    PID: 1824
  - C:\Users\Public\alpha.exe
    Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    PID: 2944
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\extrac32.exe
      Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      PID: 3064
  - C:\Users\Public\alpha.exe
    Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Yak_Final.cmd" "C:\\Users\\Public\\AnyDesk.3gp" 3
    PID: 2148
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Public\kn.exe
      Command: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Yak_Final.cmd" "C:\\Users\\Public\\AnyDesk.3gp" 3
      PID: 2340
      Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.3gp" "C:\\Users\\Public\\Libraries\\AnyDesk.COM" 10
    PID: 2800
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Public\kn.exe
      Command: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.3gp" "C:\\Users\\Public\\Libraries\\AnyDesk.COM" 10
      PID: 2704
      Signatures: Executes dropped EXE
  - C:\Users\Public\Libraries\AnyDesk.COM
    Command: C:\Users\Public\Libraries\AnyDesk.COM
    PID: 2932
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\WerFault.exe
      Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 692
      PID: 988
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Public\alpha.exe
    Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    PID: 2740
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe
    Command: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.3gp" / A / F / Q / S
    PID: 2096
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads