41764a72aea16530ba5e4ecc6c5af4d1bd723185823a5000d33154c7ace4faad

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

美洽在线聊天.exe
Size

107.0MB
MD5

09d347a7bc1607ce40da64f8fa026416
SHA1

ee60594ea13b57181168849b39fa10074bd53019
SHA256

41764a72aea16530ba5e4ecc6c5af4d1bd723185823a5000d33154c7ace4faad
SHA512

ac06dcf79a69ab71c769d2d7e80bfadb5ad565da1f307a103af4df0aa1684babc04682a0ab4e5cb3c15434bb10f17f8eb60a9c1e892a6e39fe5f838a45fd565e
SSDEEP

3145728:qo31qNM5L5y+SiPXzQBtaf0WprGY+PDA:q9q58fiPXSRWpiYQA

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	lytsts.exe

Executes dropped EXE 3 IoCs

pid	Process
2236	lytsts.exe
2252	Yloux.exe
1684	{9195DF8E-A2F0-4cdc-B7D1-E7D92FB1C54C}.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral3/memory/4360-8-0x0000000000400000-0x0000000001400000-memory.dmp	vmprotect
behavioral3/files/0x0009000000022d2f-13.dat	vmprotect
behavioral3/files/0x0009000000022d2f-14.dat	vmprotect
behavioral3/memory/2236-17-0x00000000009B0000-0x00000000012E4000-memory.dmp	vmprotect
behavioral3/memory/2236-20-0x00000000009B0000-0x00000000012E4000-memory.dmp	vmprotect
behavioral3/memory/2236-28-0x00000000009B0000-0x00000000012E4000-memory.dmp	vmprotect
behavioral3/memory/2236-207-0x00000000009B0000-0x00000000012E4000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	Yloux.exe
File opened (read-only)	\??\I:	Yloux.exe
File opened (read-only)	\??\J:	Yloux.exe
File opened (read-only)	\??\O:	Yloux.exe
File opened (read-only)	\??\Q:	Yloux.exe
File opened (read-only)	\??\T:	Yloux.exe
File opened (read-only)	\??\Y:	Yloux.exe
File opened (read-only)	\??\Z:	Yloux.exe
File opened (read-only)	\??\G:	Yloux.exe
File opened (read-only)	\??\K:	Yloux.exe
File opened (read-only)	\??\N:	Yloux.exe
File opened (read-only)	\??\S:	Yloux.exe
File opened (read-only)	\??\U:	Yloux.exe
File opened (read-only)	\??\X:	Yloux.exe
File opened (read-only)	\??\H:	Yloux.exe
File opened (read-only)	\??\R:	Yloux.exe
File opened (read-only)	\??\E:	Yloux.exe
File opened (read-only)	\??\L:	Yloux.exe
File opened (read-only)	\??\M:	Yloux.exe
File opened (read-only)	\??\P:	Yloux.exe
File opened (read-only)	\??\V:	Yloux.exe
File opened (read-only)	\??\W:	Yloux.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\sqlite3.dll	lytsts.exe
File created	C:\windows\Runn\Yloux.exe	lytsts.exe
File created	C:\windows\Runn\1.bin	lytsts.exe
File created	C:\windows\Runn\WindowsTask.exe	lytsts.exe
File created	C:\windows\Runn\DuiLib_u.dll	lytsts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	lytsts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1697987704"	{9195DF8E-A2F0-4cdc-B7D1-E7D92FB1C54C}.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4360	美洽在线聊天.exe
4360	美洽在线聊天.exe
4360	美洽在线聊天.exe
4360	美洽在线聊天.exe
2236	lytsts.exe
2236	lytsts.exe
2236	lytsts.exe
2236	lytsts.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe
2252	Yloux.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4360	美洽在线聊天.exe
4360	美洽在线聊天.exe
2252	Yloux.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2236	4360	美洽在线聊天.exe	90
PID 4360 wrote to memory of 2236	4360	美洽在线聊天.exe	90
PID 4360 wrote to memory of 2236	4360	美洽在线聊天.exe	90
PID 2236 wrote to memory of 2252	2236	lytsts.exe	93
PID 2236 wrote to memory of 2252	2236	lytsts.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\美洽在线聊天.exe
"C:\Users\Admin\AppData\Local\Temp\美洽在线聊天.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360
- C:\ProgramData\lytsts.exe
  C:\ProgramData\lytsts.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\windows\Runn\Yloux.exe
    "C:\windows\Runn\Yloux.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\{9195DF8E-A2F0-4cdc-B7D1-E7D92FB1C54C}.exe
"C:\Users\Admin\AppData\Local\Temp\{9195DF8E-A2F0-4cdc-B7D1-E7D92FB1C54C}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{3001C810-9730-4484-A5AD-D8919A2F1FF6}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lytsts.exe

Filesize
5.7MB

MD5
91629d01d51365c021b4a8eb8e02c79c

SHA1
8415ae7359c0ff94c32760a55fd9907b160ec986

SHA256
8b95ffcaa2f6ade3a3cf6034d216a24c974afd273022410d3b3436d69f0cef78

SHA512
257a748c72d3fc3b1270752f2b900cfa4654e49fb20b984b425439bef58de1ecb3b8db89dd1a4d3c0c285cf041c0024b7f34c518fbefe83c108f498cc4e59bd9

Download Submit
C:\ProgramData\lytsts.exe

Filesize
5.7MB

MD5
91629d01d51365c021b4a8eb8e02c79c

SHA1
8415ae7359c0ff94c32760a55fd9907b160ec986

SHA256
8b95ffcaa2f6ade3a3cf6034d216a24c974afd273022410d3b3436d69f0cef78

SHA512
257a748c72d3fc3b1270752f2b900cfa4654e49fb20b984b425439bef58de1ecb3b8db89dd1a4d3c0c285cf041c0024b7f34c518fbefe83c108f498cc4e59bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
1KB

MD5
3c2caaa6db392effb0bf6acb7f981f56

SHA1
96b6402bc71c46ccfa802f30b30043f59f82f4ab

SHA256
6acd03da0ed353d82c29dccbb6a171bef871d2243afcaef36df4845e90dc10f8

SHA512
bb238b11a833dbccb7ecc7fe410d13ca6f9ab25e6a7a147df6a1efccf5ff200aa0fc652864facc3c7efc7f07febf2f09d4df8368025110b6b2a618a8cf1fca49

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
862B

MD5
6867ce99d3a28431a063a78b32736a5a

SHA1
6fdeacc20a585a1925888ae9d435b5e86db12747

SHA256
444312c32242308ca1571a230ac09a940a14ad2facb81577bed2b14ed235eb9e

SHA512
b7415356c75709aebe36922fcbe003f2821fee9dd80a8ae02f6ffa5068a02fd3aee3e74612f0e4d46eeda31c5a210114369e5ee6b24e1e0eb1941249dfa83af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3001C810-9730-4484-A5AD-D8919A2F1FF6}

Filesize
215B

MD5
389c9921c042440fcc67af97f1ff56f5

SHA1
33c62bc66ef9900a547adae1a3db58fe6e3bf65f

SHA256
7c61ce7227ebdaf68f5b0d29639fa123fae77b18342feb198658042c99445bc6

SHA512
9a221d5a014b01ad29f9ee5d08db284ac36b1caa48a4edf94a938c8ebbd4036c120be695f07f1b3fbba7241789f0499ab82f6b936d37f0f6539edd0b94300205

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9195DF8E-A2F0-4cdc-B7D1-E7D92FB1C54C}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9195DF8E-A2F0-4cdc-B7D1-E7D92FB1C54C}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
e2afee96ff3cbc1b5b35a38186d8b39e

SHA1
3564bf9a4d2a4740a8abf4532cacf403f6a66137

SHA256
5d88486be7c9e3725b44f83a6ff7dd34fd904a7c1150f681536a2b0bad763a87

SHA512
ba22ada42bc1c76c032ae91ebbd76ef246a33222c5673ee7b7dcfd87ac1cf2b17ad65a1218742dc16d2035fe3397e1d92ff20a2c2dc7e097b35b08eafa898b2f

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
e2afee96ff3cbc1b5b35a38186d8b39e

SHA1
3564bf9a4d2a4740a8abf4532cacf403f6a66137

SHA256
5d88486be7c9e3725b44f83a6ff7dd34fd904a7c1150f681536a2b0bad763a87

SHA512
ba22ada42bc1c76c032ae91ebbd76ef246a33222c5673ee7b7dcfd87ac1cf2b17ad65a1218742dc16d2035fe3397e1d92ff20a2c2dc7e097b35b08eafa898b2f

Download Submit
C:\windows\Runn\1.bin

Filesize
378KB

MD5
1cf48ca2ae8f8113c5f6028dd42855ad

SHA1
084d7b4693ac808bec8832bbde2b79140ff3b54e

SHA256
748e26fecae889826be5e1f8c2fe2b0bc5a13f5f2c89568416422b6d2c6c7c9e

SHA512
6a125bef297f630e6a10ccf79bff0a3199204f21e98e9c01ea2c6fc44378e7ea7a36d2d894c185c1c6c0c94db9755bc69a7289ae75b682d57ff2143d799fb949

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
e2afee96ff3cbc1b5b35a38186d8b39e

SHA1
3564bf9a4d2a4740a8abf4532cacf403f6a66137

SHA256
5d88486be7c9e3725b44f83a6ff7dd34fd904a7c1150f681536a2b0bad763a87

SHA512
ba22ada42bc1c76c032ae91ebbd76ef246a33222c5673ee7b7dcfd87ac1cf2b17ad65a1218742dc16d2035fe3397e1d92ff20a2c2dc7e097b35b08eafa898b2f

Download Submit
memory/2236-18-0x0000000001790000-0x0000000001791000-memory.dmp

Filesize
4KB

Download
memory/2236-207-0x00000000009B0000-0x00000000012E4000-memory.dmp

Filesize
9.2MB

Download
memory/2236-20-0x00000000009B0000-0x00000000012E4000-memory.dmp

Filesize
9.2MB

Download
memory/2236-22-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/2236-21-0x00000000017E0000-0x00000000017E1000-memory.dmp

Filesize
4KB

Download
memory/2236-19-0x00000000017D0000-0x00000000017D1000-memory.dmp

Filesize
4KB

Download
memory/2236-23-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/2236-28-0x00000000009B0000-0x00000000012E4000-memory.dmp

Filesize
9.2MB

Download
memory/2236-29-0x0000000003F20000-0x00000000045B1000-memory.dmp

Filesize
6.6MB

Download
memory/2236-30-0x0000000010000000-0x0000000010695000-memory.dmp

Filesize
6.6MB

Download
memory/2236-16-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download
memory/2236-17-0x00000000009B0000-0x00000000012E4000-memory.dmp

Filesize
9.2MB

Download
memory/2236-15-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download
memory/2252-219-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-196-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-214-0x00000000035B0000-0x00000000035F2000-memory.dmp

Filesize
264KB

Download
memory/2252-218-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-216-0x00000000035B0000-0x00000000035F2000-memory.dmp

Filesize
264KB

Download
memory/2252-217-0x00000000035B0000-0x00000000035F2000-memory.dmp

Filesize
264KB

Download
memory/2252-215-0x00000000035B0000-0x00000000035F2000-memory.dmp

Filesize
264KB

Download
memory/2252-222-0x00000000035B0000-0x00000000035F2000-memory.dmp

Filesize
264KB

Download
memory/2252-203-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-202-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-48-0x0000000000BB0000-0x0000000000C0F000-memory.dmp

Filesize
380KB

Download
memory/2252-208-0x0000000000400000-0x00000000005A7000-memory.dmp

Filesize
1.7MB

Download
memory/2252-209-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-210-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-211-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2252-212-0x00000000027E0000-0x000000000281C000-memory.dmp

Filesize
240KB

Download
memory/4360-0-0x000000000D910000-0x000000000D911000-memory.dmp

Filesize
4KB

Download
memory/4360-2-0x000000000DA50000-0x000000000DA51000-memory.dmp

Filesize
4KB

Download
memory/4360-3-0x000000000DA80000-0x000000000DA81000-memory.dmp

Filesize
4KB

Download
memory/4360-4-0x000000000DA90000-0x000000000DA91000-memory.dmp

Filesize
4KB

Download
memory/4360-5-0x000000000DAA0000-0x000000000DAA1000-memory.dmp

Filesize
4KB

Download
memory/4360-7-0x000000000DAB0000-0x000000000DAB1000-memory.dmp

Filesize
4KB

Download
memory/4360-1-0x000000000D930000-0x000000000D931000-memory.dmp

Filesize
4KB

Download
memory/4360-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download