f9ceb47834651e67fc99d1ca578bc6a72373ec281ca9e5b678e86a879b0da4a4

Resubmissions

13-11-2024 08:48

241113-kqly5ayfmm 10

13-11-2024 08:46

241113-kpsqaa1rfr 10

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yef.exe
Size

1.2MB
MD5

58991bbcf8a974e128ba64f3bcb31e6e
SHA1

645a5096283c1f0b63ff07f3927534e44804114d
SHA256

d05f328df78420b8d97cb7205cccee30617ebeff333ac8d5ed32f6da69563baa
SHA512

76c35a2b6b787ded9c049b189b8844019720f47c0f2e07ced1c9b9b7622382d50062770f222ad1a0a626e66498be3d3e6cc22ca9c7fbf72d3b29b7f59e881eb6
SSDEEP

24576:rwVTXJvatkjAE+k/7aygMpbUdtoQVj020iDqxJooLUcdJYRk:KTQujL+hMyhVj8y8J7UcG

Score

6^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1892	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
304	yef.exe
1892	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	304	yef.exe
Token: SeDebugPrivilege	1892	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1892	304	yef.exe	31
PID 304 wrote to memory of 1892	304	yef.exe	31
PID 304 wrote to memory of 1892	304	yef.exe	31
PID 304 wrote to memory of 1892	304	yef.exe	31
PID 304 wrote to memory of 1884	304	yef.exe	33
PID 304 wrote to memory of 1884	304	yef.exe	33
PID 304 wrote to memory of 1884	304	yef.exe	33
PID 304 wrote to memory of 1884	304	yef.exe	33
PID 304 wrote to memory of 2100	304	yef.exe	34
PID 304 wrote to memory of 2100	304	yef.exe	34
PID 304 wrote to memory of 2100	304	yef.exe	34
PID 304 wrote to memory of 2100	304	yef.exe	34
PID 304 wrote to memory of 1888	304	yef.exe	35
PID 304 wrote to memory of 1888	304	yef.exe	35
PID 304 wrote to memory of 1888	304	yef.exe	35
PID 304 wrote to memory of 1888	304	yef.exe	35
PID 304 wrote to memory of 2892	304	yef.exe	36
PID 304 wrote to memory of 2892	304	yef.exe	36
PID 304 wrote to memory of 2892	304	yef.exe	36
PID 304 wrote to memory of 2892	304	yef.exe	36
PID 304 wrote to memory of 2896	304	yef.exe	37
PID 304 wrote to memory of 2896	304	yef.exe	37
PID 304 wrote to memory of 2896	304	yef.exe	37
PID 304 wrote to memory of 2896	304	yef.exe	37

C:\Users\Admin\AppData\Local\Temp\yef.exe
"C:\Users\Admin\AppData\Local\Temp\yef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\yef.exe
  #cmd
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\yef.exe
  #cmd
  2⤵
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\yef.exe
  #cmd
  2⤵
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\yef.exe
  #cmd
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\yef.exe
  #cmd
  2⤵
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/304-1-0x0000000000300000-0x0000000000436000-memory.dmp

Filesize
1.2MB

Download
memory/304-5-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/1892-6-0x0000000074732000-0x0000000074734000-memory.dmp

Filesize
8KB

Download
memory/1892-7-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-9-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-8-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1892-10-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download