fd84148426c6188c0bdec2e66d1f4fda9392342adb0c225d64aaacce24ce8653

Analysis

max time kernel
241s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

396KB
MD5

d1550649c3e2ebe1bf11949fa7a7d5f2
SHA1

a672c879062b8f1b6a84c12fecfc3b96883d36b8
SHA256

384df588fa4fb60c4986a1156b21314ce7c66468f9f4c8fac1a6b3a3cde1fe58
SHA512

824914391491b4e3e02cf5dd87a43c2429a75085343b206a71c2b3889ef3efdd92f015356584cee373e6c20ffdaf5d918fa033cc2e8b65a363e161c92d8f1603
SSDEEP

12288:jANwRo+mv8QD4+0V16nkFkkk2kyWs/S4REn+58zOG:jAT8QE+kHW+S4REn+K

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

FYDownloader.exeBox.exeBox.exe

pid process

1944 FYDownloader.exe
1224 Box.exe
1216 Box.exe
Loads dropped DLL 2 IoCs

Processes:

installer.exe

pid process

2096 installer.exe
2096 installer.exe

pid	process
1944	FYDownloader.exe
1224	Box.exe
1216	Box.exe

pid	process
2096	installer.exe
2096	installer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FYDownloader.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\FYDownloader.exe"	FYDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\FYDownloader.exe"	installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

Processes:

installer.exe

description	ioc	process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\FYDownloader.exe	installer.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	installer.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	installer.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Box.exeinstaller.exeBox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

FYDownloader.exe

pid process

1944 FYDownloader.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

FYDownloader.exe

pid process

1944 FYDownloader.exe

pid	process
1944	FYDownloader.exe

pid	process
1944	FYDownloader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

installer.exeFYDownloader.exe

description	pid	process	target process
PID 2096 wrote to memory of 1944	2096	installer.exe	FYDownloader.exe
PID 2096 wrote to memory of 1944	2096	installer.exe	FYDownloader.exe
PID 2096 wrote to memory of 1944	2096	installer.exe	FYDownloader.exe
PID 2096 wrote to memory of 1944	2096	installer.exe	FYDownloader.exe
PID 1944 wrote to memory of 1224	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1224	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1224	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1224	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1216	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1216	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1216	1944	FYDownloader.exe	Box.exe
PID 1944 wrote to memory of 1216	1944	FYDownloader.exe	Box.exe

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\FYDownloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\FYDownloader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

Filesize
440KB

MD5
698746928e12831d6982b4e260a9da3a

SHA1
c87945b0f3f19d3fa07f64b5454f588f568a94e7

SHA256
63a6c3864b0a51c790d8d0312137995eb16710178aaaebfe34fa5e57caff9b36

SHA512
8680e690337afa911471680aeb0ea6242e7cf68d83043e83b91bd6ffbe0af1af8aac140ecec8958ac6831a4b9f8401ac086e8322d6638144e5501df949594ea0

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\FYDownloader.exe

Filesize
153KB

MD5
2180b98e4c566222685de6195f7909ce

SHA1
f93144312441d0c52a479579d66cb7908b232f48

SHA256
1773047424aee73a01753cdd5c5214e35a3b8a4a7d899e5c86bf3e970ece8dda

SHA512
21b2dbac5d08242f39a05537bb404daa7034bad68b227d6baf334bcd98df14fb3d93086d1183cb6fcfe7fb62465667a23ec20d2ac82f83d0dfa87602ffde1824

Download Submit
memory/1224-37-0x00000000011F0000-0x0000000001264000-memory.dmp

Filesize
464KB

Download
memory/1944-29-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/1944-30-0x00000000003E0000-0x000000000040E000-memory.dmp

Filesize
184KB

Download
memory/1944-31-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-32-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-33-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/1944-34-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download