2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2

General

Target

2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
Size

5.4MB
MD5

c1aea0eb312aa84403059dad41768624
SHA1

5e5629028375e0ce6cfa803dfbfe77ab6534395d
SHA256

2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2
SHA512

494ed13b832133c717651acf1a5533cb8ba76ff893f7eadd0f492572037d1be41510f532e8a2efa18dcefe0bc7bbdc4655756d99b6c68f384bfda3ee75c38d3e
SSDEEP

98304:HdPFf4k/ErSZKmxN3l9slFgx4HBDeSPn/IkJJMinZ1iAFYG8uL:Hdtf4wQgN1bx4HBDeSokJ2inZ17FzL

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2560	Yloux.exe
1944	{3A151204-958B-4cb6-8A20-1F19B3D7C9EB}.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Yloux.exe
File opened (read-only)	\??\L:	Yloux.exe
File opened (read-only)	\??\B:	Yloux.exe
File opened (read-only)	\??\E:	Yloux.exe
File opened (read-only)	\??\J:	Yloux.exe
File opened (read-only)	\??\X:	Yloux.exe
File opened (read-only)	\??\Y:	Yloux.exe
File opened (read-only)	\??\Z:	Yloux.exe
File opened (read-only)	\??\N:	Yloux.exe
File opened (read-only)	\??\R:	Yloux.exe
File opened (read-only)	\??\S:	Yloux.exe
File opened (read-only)	\??\M:	Yloux.exe
File opened (read-only)	\??\U:	Yloux.exe
File opened (read-only)	\??\G:	Yloux.exe
File opened (read-only)	\??\H:	Yloux.exe
File opened (read-only)	\??\I:	Yloux.exe
File opened (read-only)	\??\T:	Yloux.exe
File opened (read-only)	\??\V:	Yloux.exe
File opened (read-only)	\??\W:	Yloux.exe
File opened (read-only)	\??\O:	Yloux.exe
File opened (read-only)	\??\P:	Yloux.exe
File opened (read-only)	\??\Q:	Yloux.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\WindowsTask.exe	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
File created	C:\windows\Runn\DuiLib_u.dll	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
File created	C:\windows\Runn\sqlite3.dll	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
File created	C:\windows\Runn\Yloux.exe	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
File created	C:\windows\Runn\1.bin	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1699710577"	{3A151204-958B-4cb6-8A20-1F19B3D7C9EB}.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe
2560	Yloux.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2560	Yloux.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2560	2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe	28
PID 2252 wrote to memory of 2560	2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe	28
PID 2252 wrote to memory of 2560	2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe	28
PID 2252 wrote to memory of 2560	2252	2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
"C:\Users\Admin\AppData\Local\Temp\2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252
- C:\windows\Runn\Yloux.exe
  "C:\windows\Runn\Yloux.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2560

C:\Users\Admin\AppData\Local\Temp\{3A151204-958B-4cb6-8A20-1F19B3D7C9EB}.exe
"C:\Users\Admin\AppData\Local\Temp\{3A151204-958B-4cb6-8A20-1F19B3D7C9EB}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{8BFA6E53-2A93-4294-9CAB-F07052BE504E}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A151204-958B-4cb6-8A20-1F19B3D7C9EB}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
335KB

MD5
04df97d03e04be2564d2840cc38b8972

SHA1
5288fb5c2e6e187348a392b565c3d73552131490

SHA256
78a52dda357dfc0d26a5bc5abdde97b46439fcd6cb0d9d2a0bb5c51fef6b23ce

SHA512
771357d49980b0ff665fd5086861c27edc4f70b9b5e26bd9d467e7f93bda5abef32aebcc72b06c37141693304464fbf11f3ea5fab7a8f57c058cce036aed8b95

Download Submit
C:\windows\Runn\1.bin

Filesize
176KB

MD5
758d06af8e7717885864e76d2dcabdf5

SHA1
d1b40373854f40eebf9c445c6e1a6143d56a0d4b

SHA256
6844de58de61e2c3cb67706f3dbb91d0d245c64740c7d139517fc0b335183b7e

SHA512
499702f7aff6b63195af1d234648dd4814fe7a099ddbad177ade49d1f4aa0926ed5cce7a7369f8a7f480c20957b52416184deb5d85290e70f326875bb8503e23

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
335KB

MD5
04df97d03e04be2564d2840cc38b8972

SHA1
5288fb5c2e6e187348a392b565c3d73552131490

SHA256
78a52dda357dfc0d26a5bc5abdde97b46439fcd6cb0d9d2a0bb5c51fef6b23ce

SHA512
771357d49980b0ff665fd5086861c27edc4f70b9b5e26bd9d467e7f93bda5abef32aebcc72b06c37141693304464fbf11f3ea5fab7a8f57c058cce036aed8b95

Download Submit
\Users\Admin\AppData\Local\Temp\{3A151204-958B-4cb6-8A20-1F19B3D7C9EB}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
\Windows\Runn\Yloux.exe

Filesize
335KB

MD5
04df97d03e04be2564d2840cc38b8972

SHA1
5288fb5c2e6e187348a392b565c3d73552131490

SHA256
78a52dda357dfc0d26a5bc5abdde97b46439fcd6cb0d9d2a0bb5c51fef6b23ce

SHA512
771357d49980b0ff665fd5086861c27edc4f70b9b5e26bd9d467e7f93bda5abef32aebcc72b06c37141693304464fbf11f3ea5fab7a8f57c058cce036aed8b95

Download Submit
memory/2252-7-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2252-13-0x0000000010000000-0x0000000010351000-memory.dmp

Filesize
3.3MB

Download
memory/2252-12-0x0000000002C30000-0x0000000002F7D000-memory.dmp

Filesize
3.3MB

Download
memory/2252-11-0x0000000000F90000-0x000000000182B000-memory.dmp

Filesize
8.6MB

Download
memory/2252-9-0x0000000077920000-0x0000000077921000-memory.dmp

Filesize
4KB

Download
memory/2252-0-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2252-5-0x0000000000F90000-0x000000000182B000-memory.dmp

Filesize
8.6MB

Download
memory/2252-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2252-48-0x0000000000F90000-0x000000000182B000-memory.dmp

Filesize
8.6MB

Download
memory/2252-2-0x0000000000F90000-0x000000000182B000-memory.dmp

Filesize
8.6MB

Download
memory/2560-44-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-42-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-41-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-35-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-189-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-190-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-191-0x0000000002800000-0x000000000283E000-memory.dmp

Filesize
248KB

Download
memory/2560-192-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2560-194-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/2560-195-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/2560-196-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/2560-197-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/2560-29-0x0000000000460000-0x000000000048D000-memory.dmp

Filesize
180KB

Download
memory/2560-199-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/2560-204-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-206-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2560-207-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/2560-208-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing