Overview

overview

8

Static

static

3

2744ee2205...f2.exe

windows7-x64

8

2744ee2205...f2.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2023 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe

  • Size

    5.4MB

  • MD5

    c1aea0eb312aa84403059dad41768624

  • SHA1

    5e5629028375e0ce6cfa803dfbfe77ab6534395d

  • SHA256

    2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2

  • SHA512

    494ed13b832133c717651acf1a5533cb8ba76ff893f7eadd0f492572037d1be41510f532e8a2efa18dcefe0bc7bbdc4655756d99b6c68f384bfda3ee75c38d3e

  • SSDEEP

    98304:HdPFf4k/ErSZKmxN3l9slFgx4HBDeSPn/IkJJMinZ1iAFYG8uL:Hdtf4wQgN1bx4HBDeSokJ2inZ17FzL

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe
    "C:\Users\Admin\AppData\Local\Temp\2744ee22053b9e8b2189f58be6f1b7f2dfd1e7515d831168d733c149788153f2.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\windows\Runn\Yloux.exe
      "C:\windows\Runn\Yloux.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4012
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2116
    • C:\Users\Admin\AppData\Local\Temp\{CD780E8C-3CE6-4b7e-8D88-1E799156DCA9}.exe
      "C:\Users\Admin\AppData\Local\Temp\{CD780E8C-3CE6-4b7e-8D88-1E799156DCA9}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{32022D8C-6C21-4aec-B2A8-E519E2110B38}"
      1⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:2572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
      Filesize

      1KB

      MD5

      453a5be3cb26851af55ce4b62829f0ab

      SHA1

      9b2d74e0d4a8d711f91f577fafe5c52e67e679e3

      SHA256

      5dc56b7f3742d72aa5d77662e1e89f16d9430e2a284c7d23c7fdb6fc07b44ff7

      SHA512

      3ec3b923448babcaf7242a8a8be836d203dccd56409503c0f007e0a9a88116dabf2f27a4cbe2f7a748456a79ca9a18ae70aa7a0ff05661ed733e1e99bb3bd00c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
      Filesize

      2KB

      MD5

      ff0c7c2667dff4f3ed588f40d047c642

      SHA1

      1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

      SHA256

      02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

      SHA512

      539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
      Filesize

      354B

      MD5

      369433e7b0e08cd5fe41dc447f082739

      SHA1

      15759a7e3c41db372bf273a236fefc9675a74396

      SHA256

      12525c1b541a187c87ec547e052277af35e0ba49209875ed749541c094718d7a

      SHA512

      53f10464cbd7c168305c1002382282fc4eca808673a537110c68cdae151ef87c3b462a613b88c3d7cf5ae0aa9f8df0e08399fc77feb227db31836313750e73dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{32022D8C-6C21-4aec-B2A8-E519E2110B38}
      Filesize

      215B

      MD5

      3249b8e295b1d72ccd6101a00dc5373f

      SHA1

      da716273ca03b8a73a5b8f20d05e4fd3fc43808f

      SHA256

      afeb9b6905cd31b2f50ef8a03ac61837a6f410640f0d7e7fd1bd951e30c6d7fe

      SHA512

      7b85e298a321c842cf9cf2905b04a521e9276e417e93fe137273832864e34f43e947d54f1396f2c6ae1875484aed0e9576191c1717d0d01e683eadd61e63583c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{CD780E8C-3CE6-4b7e-8D88-1E799156DCA9}.exe
      Filesize

      1.0MB

      MD5

      217dc98e219a340cb09915244c992a52

      SHA1

      a04f101ca7180955d62e4a1aaeccdcca489209da

      SHA256

      27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

      SHA512

      dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{CD780E8C-3CE6-4b7e-8D88-1E799156DCA9}.exe
      Filesize

      1.0MB

      MD5

      217dc98e219a340cb09915244c992a52

      SHA1

      a04f101ca7180955d62e4a1aaeccdcca489209da

      SHA256

      27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

      SHA512

      dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

      Download Submit

    • C:\Windows\Runn\Yloux.exe
      Filesize

      335KB

      MD5

      04df97d03e04be2564d2840cc38b8972

      SHA1

      5288fb5c2e6e187348a392b565c3d73552131490

      SHA256

      78a52dda357dfc0d26a5bc5abdde97b46439fcd6cb0d9d2a0bb5c51fef6b23ce

      SHA512

      771357d49980b0ff665fd5086861c27edc4f70b9b5e26bd9d467e7f93bda5abef32aebcc72b06c37141693304464fbf11f3ea5fab7a8f57c058cce036aed8b95

      Download Submit

    • C:\Windows\Runn\Yloux.exe
      Filesize

      335KB

      MD5

      04df97d03e04be2564d2840cc38b8972

      SHA1

      5288fb5c2e6e187348a392b565c3d73552131490

      SHA256

      78a52dda357dfc0d26a5bc5abdde97b46439fcd6cb0d9d2a0bb5c51fef6b23ce

      SHA512

      771357d49980b0ff665fd5086861c27edc4f70b9b5e26bd9d467e7f93bda5abef32aebcc72b06c37141693304464fbf11f3ea5fab7a8f57c058cce036aed8b95

      Download Submit

    • C:\windows\Runn\1.bin
      Filesize

      176KB

      MD5

      758d06af8e7717885864e76d2dcabdf5

      SHA1

      d1b40373854f40eebf9c445c6e1a6143d56a0d4b

      SHA256

      6844de58de61e2c3cb67706f3dbb91d0d245c64740c7d139517fc0b335183b7e

      SHA512

      499702f7aff6b63195af1d234648dd4814fe7a099ddbad177ade49d1f4aa0926ed5cce7a7369f8a7f480c20957b52416184deb5d85290e70f326875bb8503e23

      Download Submit

    • C:\windows\Runn\Yloux.exe
      Filesize

      335KB

      MD5

      04df97d03e04be2564d2840cc38b8972

      SHA1

      5288fb5c2e6e187348a392b565c3d73552131490

      SHA256

      78a52dda357dfc0d26a5bc5abdde97b46439fcd6cb0d9d2a0bb5c51fef6b23ce

      SHA512

      771357d49980b0ff665fd5086861c27edc4f70b9b5e26bd9d467e7f93bda5abef32aebcc72b06c37141693304464fbf11f3ea5fab7a8f57c058cce036aed8b95

      Download Submit

    • memory/3784-3-0x00000000001C0000-0x0000000000A5B000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/3784-193-0x00000000001C0000-0x0000000000A5B000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/3784-0-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3784-1-0x00000000001C0000-0x0000000000A5B000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/3784-7-0x0000000010000000-0x0000000010351000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3784-6-0x0000000002EE0000-0x000000000322D000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3784-5-0x00000000001C0000-0x0000000000A5B000-memory.dmp

      Filesize

      8.6MB

      Download

    • memory/4012-188-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-194-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4012-186-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-187-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-30-0x00000000001A0000-0x00000000001CD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4012-191-0x0000000002510000-0x000000000254E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4012-190-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4012-41-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-192-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4012-42-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-195-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4012-35-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-197-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4012-200-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4012-203-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-205-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4012-206-0x0000000180000000-0x0000000180033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4012-207-0x0000000002ED0000-0x0000000002F14000-memory.dmp

      Filesize

      272KB

      Download