Overview

overview

10

Static

static

3

YUPDR_file.exe

windows7-x64

10

YUPDR_file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 14:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YUPDR_file.exe

  • Size

    2.6MB

  • MD5

    6ed3ec59a37199546b8d9893d3df0992

  • SHA1

    54c6360d1f5ae9ddd734a976c388184426a9a195

  • SHA256

    b24ad548d9f0b3a3878994cf3cc97f23db47bbd1421866a2fd69bbbb2bbcd046

  • SHA512

    f421b945c387bde993f26e36b83773871e9436031aa1e329bc8c8cace0a182ff7a4b759a2736d163e67a6740f4e127d0390a447eb81987af3686d3049a0d3cde

  • SSDEEP

    24576:Sj5KN2/7t1B8VXwWXqoiJ7XY3/cqwwFPFNd0dioa6Gd8xDnblctGo/hjrYZh1ECq:u5KN2/7gXpcu8Gd8xDn+Pa1e3H

Score
10/10
discoveryevasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YUPDR_file.exe
    "C:\Users\Admin\AppData\Local\Temp\YUPDR_file.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Windows security modification
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2116

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    20.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.190.18.2.in-addr.arpa
    IN PTR
    Response
    82.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-82deploystaticakamaitechnologiescom
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    20.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    20.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
     160 B
     1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    82.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    82.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2116-0-0x0000000000A10000-0x0000000000CBA000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2116-1-0x0000000000A10000-0x0000000000CBA000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2116-2-0x0000000000A10000-0x0000000000CBA000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2116-4-0x0000000000A10000-0x0000000000CBA000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2116-7-0x0000000000A10000-0x0000000000CBA000-memory.dmp

    Filesize

    2.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.