944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d

General

Target

944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
Size

5.5MB
MD5

d7bafb9a979dd8d4398e49874b0658a0
SHA1

3bef518b3a2eae1fbc56aa5b464da7476ea7217d
SHA256

944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d
SHA512

3d6c755d63ab5afbb79161c83a39912270a086cb954ba59b91ad4231a8293c598c2f0d78735c9c2300ff9dcf8653ac0486b68ec4092cec0980b83c0713b619a1
SSDEEP

98304:9QqNNOWs0J5jnfZai4UZ0x+SKzHjn5jJujrqjne1uikKmkww91wjbLHbXpoq:9fN4W/rjhBhZ0Pmn5FpjniSI1ULHdN

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2760	Yloux.exe
580	{2113BA9C-2D32-4950-AFC3-AF051E8E19BE}.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2604-3-0x0000000001270000-0x0000000001B25000-memory.dmp	vmprotect
behavioral1/memory/2604-6-0x0000000001270000-0x0000000001B25000-memory.dmp	vmprotect
behavioral1/memory/2604-34-0x0000000001270000-0x0000000001B25000-memory.dmp	vmprotect
behavioral1/memory/2604-179-0x0000000001270000-0x0000000001B25000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Yloux.exe
File opened (read-only)	\??\Q:	Yloux.exe
File opened (read-only)	\??\R:	Yloux.exe
File opened (read-only)	\??\Y:	Yloux.exe
File opened (read-only)	\??\Z:	Yloux.exe
File opened (read-only)	\??\B:	Yloux.exe
File opened (read-only)	\??\E:	Yloux.exe
File opened (read-only)	\??\I:	Yloux.exe
File opened (read-only)	\??\K:	Yloux.exe
File opened (read-only)	\??\S:	Yloux.exe
File opened (read-only)	\??\T:	Yloux.exe
File opened (read-only)	\??\U:	Yloux.exe
File opened (read-only)	\??\X:	Yloux.exe
File opened (read-only)	\??\G:	Yloux.exe
File opened (read-only)	\??\H:	Yloux.exe
File opened (read-only)	\??\L:	Yloux.exe
File opened (read-only)	\??\V:	Yloux.exe
File opened (read-only)	\??\J:	Yloux.exe
File opened (read-only)	\??\M:	Yloux.exe
File opened (read-only)	\??\O:	Yloux.exe
File opened (read-only)	\??\P:	Yloux.exe
File opened (read-only)	\??\W:	Yloux.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\WindowsTask.exe	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\DuiLib_u.dll	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\sqlite3.dll	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\Yloux.exe	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
File created	C:\windows\Runn\1.bin	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1700530169"	{2113BA9C-2D32-4950-AFC3-AF051E8E19BE}.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe
2760	Yloux.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	Yloux.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2760	2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe	28
PID 2604 wrote to memory of 2760	2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe	28
PID 2604 wrote to memory of 2760	2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe	28
PID 2604 wrote to memory of 2760	2604	944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe
"C:\Users\Admin\AppData\Local\Temp\944650d3da8b81e951b69bf7572f3069eaa542eb8812d6d5785c9a5dc1e8820d.x.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\windows\Runn\Yloux.exe
  "C:\windows\Runn\Yloux.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2760

C:\Users\Admin\AppData\Local\Temp\{2113BA9C-2D32-4950-AFC3-AF051E8E19BE}.exe
"C:\Users\Admin\AppData\Local\Temp\{2113BA9C-2D32-4950-AFC3-AF051E8E19BE}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{E7B6AF26-F358-46b4-9DD8-581B590C05B9}"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2113BA9C-2D32-4950-AFC3-AF051E8E19BE}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E7B6AF26-F358-46b4-9DD8-581B590C05B9}

Filesize
215B

MD5
6a1c3fecfd7165643a07b1348d3244b3

SHA1
0c3b8b1796487e7e1b037eb82d4f7929df4847e4

SHA256
802a60cf636fefb93cebe548b9e397748a8e7bf618c219d035139def9f82a642

SHA512
de042dc477775e022afb1440bc2c24f26a7c50c29de1e523a92b1a01cd5308db327b7aa9a80ab6fd37b94632a835d37da045cd78fbb6090275f1778a38252521

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
324KB

MD5
f64170c793fb8568738cfd1857783a9d

SHA1
7f1acc4459e99996f025896894d697b7c2f0b84d

SHA256
4928635e712fdfd584eb5d25278e42e69eb7ab6c12bc3c1fca95a0f71692c33d

SHA512
3059de955d256c098a84e71d04a31e81eeac8c2893971fabe8d4e18f0986241460911f455d00f5693720bc13c0edbe3c421d7f88788bc10027a75cf97a13b218

Download Submit
C:\windows\Runn\1.bin

Filesize
378KB

MD5
5a189470b11373b448bace9315c0f6ac

SHA1
add6f55b32662ace0599c28230fcc8b0f6f1042f

SHA256
f6b365099879bf8eee77206451634992da91e76c69606ccfcbc12a927c02873a

SHA512
6f0d8b3ad532bf22045cbb3362355711ce7c6d2a09c5b546572084eda12c0fab31d7fdd1f3ff22d016108f1ca5aa1b4ceefd2e5f904bf4d96cfc3291ac9dc09e

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
324KB

MD5
f64170c793fb8568738cfd1857783a9d

SHA1
7f1acc4459e99996f025896894d697b7c2f0b84d

SHA256
4928635e712fdfd584eb5d25278e42e69eb7ab6c12bc3c1fca95a0f71692c33d

SHA512
3059de955d256c098a84e71d04a31e81eeac8c2893971fabe8d4e18f0986241460911f455d00f5693720bc13c0edbe3c421d7f88788bc10027a75cf97a13b218

Download Submit
\Users\Admin\AppData\Local\Temp\{2113BA9C-2D32-4950-AFC3-AF051E8E19BE}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
\Windows\Runn\Yloux.exe

Filesize
324KB

MD5
f64170c793fb8568738cfd1857783a9d

SHA1
7f1acc4459e99996f025896894d697b7c2f0b84d

SHA256
4928635e712fdfd584eb5d25278e42e69eb7ab6c12bc3c1fca95a0f71692c33d

SHA512
3059de955d256c098a84e71d04a31e81eeac8c2893971fabe8d4e18f0986241460911f455d00f5693720bc13c0edbe3c421d7f88788bc10027a75cf97a13b218

Download Submit
memory/2604-179-0x0000000001270000-0x0000000001B25000-memory.dmp

Filesize
8.7MB

Download
memory/2604-11-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/2604-3-0x0000000001270000-0x0000000001B25000-memory.dmp

Filesize
8.7MB

Download
memory/2604-10-0x0000000003130000-0x00000000034AD000-memory.dmp

Filesize
3.5MB

Download
memory/2604-34-0x0000000001270000-0x0000000001B25000-memory.dmp

Filesize
8.7MB

Download
memory/2604-5-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2604-8-0x0000000077940000-0x0000000077941000-memory.dmp

Filesize
4KB

Download
memory/2604-6-0x0000000001270000-0x0000000001B25000-memory.dmp

Filesize
8.7MB

Download
memory/2604-2-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2604-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2760-190-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-196-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/2760-187-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-180-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-191-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-193-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-194-0x0000000002110000-0x000000000214C000-memory.dmp

Filesize
240KB

Download
memory/2760-195-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/2760-186-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-197-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/2760-198-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/2760-199-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download
memory/2760-200-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-201-0x0000000180000000-0x0000000180066000-memory.dmp

Filesize
408KB

Download
memory/2760-28-0x0000000000650000-0x0000000000850000-memory.dmp

Filesize
2.0MB

Download
memory/2760-204-0x0000000000650000-0x0000000000850000-memory.dmp

Filesize
2.0MB

Download
memory/2760-206-0x0000000002AA0000-0x0000000002AE2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing