41764a72aea16530ba5e4ecc6c5af4d1bd723185823a5000d33154c7ace4faad

Analysis

max time kernel
158s
max time network
159s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

美洽在线聊天.exe
Size

107.0MB
MD5

09d347a7bc1607ce40da64f8fa026416
SHA1

ee60594ea13b57181168849b39fa10074bd53019
SHA256

41764a72aea16530ba5e4ecc6c5af4d1bd723185823a5000d33154c7ace4faad
SHA512

ac06dcf79a69ab71c769d2d7e80bfadb5ad565da1f307a103af4df0aa1684babc04682a0ab4e5cb3c15434bb10f17f8eb60a9c1e892a6e39fe5f838a45fd565e
SSDEEP

3145728:qo31qNM5L5y+SiPXzQBtaf0WprGY+PDA:q9q58fiPXSRWpiYQA

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2572	lytsts.exe
2392	Yloux.exe
1680	{B5E32792-1E65-4332-8C83-D7AC60FD6208}.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	美洽在线聊天.exe
2572	lytsts.exe
2572	lytsts.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2348-36-0x0000000000400000-0x0000000001400000-memory.dmp	vmprotect
behavioral1/files/0x00290000000146e9-40.dat	vmprotect
behavioral1/files/0x00290000000146e9-43.dat	vmprotect
behavioral1/files/0x00290000000146e9-44.dat	vmprotect
behavioral1/memory/2572-48-0x0000000000A60000-0x0000000001394000-memory.dmp	vmprotect
behavioral1/memory/2572-51-0x0000000000A60000-0x0000000001394000-memory.dmp	vmprotect
behavioral1/memory/2572-89-0x0000000000A60000-0x0000000001394000-memory.dmp	vmprotect
behavioral1/memory/2572-256-0x0000000000A60000-0x0000000001394000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	Yloux.exe
File opened (read-only)	\??\R:	Yloux.exe
File opened (read-only)	\??\U:	Yloux.exe
File opened (read-only)	\??\Y:	Yloux.exe
File opened (read-only)	\??\K:	Yloux.exe
File opened (read-only)	\??\L:	Yloux.exe
File opened (read-only)	\??\N:	Yloux.exe
File opened (read-only)	\??\X:	Yloux.exe
File opened (read-only)	\??\Z:	Yloux.exe
File opened (read-only)	\??\H:	Yloux.exe
File opened (read-only)	\??\E:	Yloux.exe
File opened (read-only)	\??\I:	Yloux.exe
File opened (read-only)	\??\M:	Yloux.exe
File opened (read-only)	\??\Q:	Yloux.exe
File opened (read-only)	\??\T:	Yloux.exe
File opened (read-only)	\??\W:	Yloux.exe
File opened (read-only)	\??\B:	Yloux.exe
File opened (read-only)	\??\J:	Yloux.exe
File opened (read-only)	\??\P:	Yloux.exe
File opened (read-only)	\??\S:	Yloux.exe
File opened (read-only)	\??\V:	Yloux.exe
File opened (read-only)	\??\G:	Yloux.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\WindowsTask.exe	lytsts.exe
File created	C:\windows\Runn\DuiLib_u.dll	lytsts.exe
File created	C:\windows\Runn\sqlite3.dll	lytsts.exe
File created	C:\windows\Runn\Yloux.exe	lytsts.exe
File created	C:\windows\Runn\1.bin	lytsts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1697987710"	{B5E32792-1E65-4332-8C83-D7AC60FD6208}.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2348	美洽在线聊天.exe
2348	美洽在线聊天.exe
2572	lytsts.exe
2572	lytsts.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe
2392	Yloux.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2348	美洽在线聊天.exe
2348	美洽在线聊天.exe
2392	Yloux.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2572	2348	美洽在线聊天.exe	30
PID 2348 wrote to memory of 2572	2348	美洽在线聊天.exe	30
PID 2348 wrote to memory of 2572	2348	美洽在线聊天.exe	30
PID 2348 wrote to memory of 2572	2348	美洽在线聊天.exe	30
PID 2572 wrote to memory of 2392	2572	lytsts.exe	33
PID 2572 wrote to memory of 2392	2572	lytsts.exe	33
PID 2572 wrote to memory of 2392	2572	lytsts.exe	33
PID 2572 wrote to memory of 2392	2572	lytsts.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\美洽在线聊天.exe
"C:\Users\Admin\AppData\Local\Temp\美洽在线聊天.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\ProgramData\lytsts.exe
  C:\ProgramData\lytsts.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\windows\Runn\Yloux.exe
    "C:\windows\Runn\Yloux.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2392

C:\Users\Admin\AppData\Local\Temp\{B5E32792-1E65-4332-8C83-D7AC60FD6208}.exe
"C:\Users\Admin\AppData\Local\Temp\{B5E32792-1E65-4332-8C83-D7AC60FD6208}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{DC10E3C9-E4EA-44ed-8BC6-7CAA426044BE}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lytsts.exe

Filesize
5.7MB

MD5
91629d01d51365c021b4a8eb8e02c79c

SHA1
8415ae7359c0ff94c32760a55fd9907b160ec986

SHA256
8b95ffcaa2f6ade3a3cf6034d216a24c974afd273022410d3b3436d69f0cef78

SHA512
257a748c72d3fc3b1270752f2b900cfa4654e49fb20b984b425439bef58de1ecb3b8db89dd1a4d3c0c285cf041c0024b7f34c518fbefe83c108f498cc4e59bd9

Download Submit
C:\ProgramData\lytsts.exe

Filesize
5.7MB

MD5
91629d01d51365c021b4a8eb8e02c79c

SHA1
8415ae7359c0ff94c32760a55fd9907b160ec986

SHA256
8b95ffcaa2f6ade3a3cf6034d216a24c974afd273022410d3b3436d69f0cef78

SHA512
257a748c72d3fc3b1270752f2b900cfa4654e49fb20b984b425439bef58de1ecb3b8db89dd1a4d3c0c285cf041c0024b7f34c518fbefe83c108f498cc4e59bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5E32792-1E65-4332-8C83-D7AC60FD6208}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DC10E3C9-E4EA-44ed-8BC6-7CAA426044BE}

Filesize
215B

MD5
59eff0d5634b9af7035a2ca388f03476

SHA1
c15056b4bdf594de2f8fd7bb9eb51e424adff7bc

SHA256
5d5dd476beb63411d00d84c091fd0ca16118f0c0cd27c80b8085f4f907ca2124

SHA512
cb8d6e18d2a026856759f6518d48d859d59c7db962bace7d874f53a4af307e7c652e3a27b64bff9f57891f1bab9e1c98811f6f1d4c795796103798e1971435f2

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
e2afee96ff3cbc1b5b35a38186d8b39e

SHA1
3564bf9a4d2a4740a8abf4532cacf403f6a66137

SHA256
5d88486be7c9e3725b44f83a6ff7dd34fd904a7c1150f681536a2b0bad763a87

SHA512
ba22ada42bc1c76c032ae91ebbd76ef246a33222c5673ee7b7dcfd87ac1cf2b17ad65a1218742dc16d2035fe3397e1d92ff20a2c2dc7e097b35b08eafa898b2f

Download Submit
C:\windows\Runn\1.bin

Filesize
378KB

MD5
1cf48ca2ae8f8113c5f6028dd42855ad

SHA1
084d7b4693ac808bec8832bbde2b79140ff3b54e

SHA256
748e26fecae889826be5e1f8c2fe2b0bc5a13f5f2c89568416422b6d2c6c7c9e

SHA512
6a125bef297f630e6a10ccf79bff0a3199204f21e98e9c01ea2c6fc44378e7ea7a36d2d894c185c1c6c0c94db9755bc69a7289ae75b682d57ff2143d799fb949

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
e2afee96ff3cbc1b5b35a38186d8b39e

SHA1
3564bf9a4d2a4740a8abf4532cacf403f6a66137

SHA256
5d88486be7c9e3725b44f83a6ff7dd34fd904a7c1150f681536a2b0bad763a87

SHA512
ba22ada42bc1c76c032ae91ebbd76ef246a33222c5673ee7b7dcfd87ac1cf2b17ad65a1218742dc16d2035fe3397e1d92ff20a2c2dc7e097b35b08eafa898b2f

Download Submit
\ProgramData\lytsts.exe

Filesize
5.7MB

MD5
91629d01d51365c021b4a8eb8e02c79c

SHA1
8415ae7359c0ff94c32760a55fd9907b160ec986

SHA256
8b95ffcaa2f6ade3a3cf6034d216a24c974afd273022410d3b3436d69f0cef78

SHA512
257a748c72d3fc3b1270752f2b900cfa4654e49fb20b984b425439bef58de1ecb3b8db89dd1a4d3c0c285cf041c0024b7f34c518fbefe83c108f498cc4e59bd9

Download Submit
\Users\Admin\AppData\Local\Temp\{B5E32792-1E65-4332-8C83-D7AC60FD6208}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
\Windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
e2afee96ff3cbc1b5b35a38186d8b39e

SHA1
3564bf9a4d2a4740a8abf4532cacf403f6a66137

SHA256
5d88486be7c9e3725b44f83a6ff7dd34fd904a7c1150f681536a2b0bad763a87

SHA512
ba22ada42bc1c76c032ae91ebbd76ef246a33222c5673ee7b7dcfd87ac1cf2b17ad65a1218742dc16d2035fe3397e1d92ff20a2c2dc7e097b35b08eafa898b2f

Download Submit
memory/2348-5-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2348-34-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2348-17-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2348-19-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2348-22-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2348-24-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2348-27-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2348-29-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2348-30-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2348-32-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2348-35-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2348-14-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2348-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2348-12-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2348-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-9-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2348-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2348-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2392-271-0x0000000002BF0000-0x0000000002C2C000-memory.dmp

Filesize
240KB

Download
memory/2392-273-0x0000000002C30000-0x0000000002C72000-memory.dmp

Filesize
264KB

Download
memory/2392-281-0x0000000002C30000-0x0000000002C72000-memory.dmp

Filesize
264KB

Download
memory/2392-106-0x0000000000330000-0x000000000038F000-memory.dmp

Filesize
380KB

Download
memory/2572-48-0x0000000000A60000-0x0000000001394000-memory.dmp

Filesize
9.2MB

Download
memory/2572-71-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2572-83-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2572-84-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2572-69-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2572-66-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2572-64-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2572-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2572-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2572-54-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2572-88-0x0000000003CA0000-0x0000000004331000-memory.dmp

Filesize
6.6MB

Download
memory/2572-89-0x0000000000A60000-0x0000000001394000-memory.dmp

Filesize
9.2MB

Download
memory/2572-256-0x0000000000A60000-0x0000000001394000-memory.dmp

Filesize
9.2MB

Download
memory/2572-56-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2572-51-0x0000000000A60000-0x0000000001394000-memory.dmp

Filesize
9.2MB

Download
memory/2572-50-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2572-47-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download