4edb1135db0ef587a2fc2fe749b60566cb3aaaac6fb81d04c7401c14b60225a5

General

Target

youdupdata.exe
Size

5.4MB
MD5

4309bcede75c0d955de1c59ab634d7e7
SHA1

73bb7a51945c60c2ae64e33b9728f43f2f2c83c4
SHA256

4edb1135db0ef587a2fc2fe749b60566cb3aaaac6fb81d04c7401c14b60225a5
SHA512

9d6a9be7dc544e80fa7e6cbb722e01b8a7e4b6e4c85f5a8dc89f6589f9d6dce9035afedf804c4deee6105bd562de925125a7fc2887af53e26a1d0ead85617e2b
SSDEEP

98304:1QGp99ObznpmJy2Ahua4MnQ7PRPH2u7gaQoZrIr56sF:1N90bTQs2bl/xXQkrIr5fF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2532	Yloux.exe

Loads dropped DLL 1 IoCs

pid	Process
2348	youdupdata.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Yloux.exe
File opened (read-only)	\??\M:	Yloux.exe
File opened (read-only)	\??\R:	Yloux.exe
File opened (read-only)	\??\S:	Yloux.exe
File opened (read-only)	\??\V:	Yloux.exe
File opened (read-only)	\??\Y:	Yloux.exe
File opened (read-only)	\??\E:	Yloux.exe
File opened (read-only)	\??\G:	Yloux.exe
File opened (read-only)	\??\N:	Yloux.exe
File opened (read-only)	\??\Q:	Yloux.exe
File opened (read-only)	\??\T:	Yloux.exe
File opened (read-only)	\??\H:	Yloux.exe
File opened (read-only)	\??\I:	Yloux.exe
File opened (read-only)	\??\Z:	Yloux.exe
File opened (read-only)	\??\B:	Yloux.exe
File opened (read-only)	\??\K:	Yloux.exe
File opened (read-only)	\??\P:	Yloux.exe
File opened (read-only)	\??\U:	Yloux.exe
File opened (read-only)	\??\W:	Yloux.exe
File opened (read-only)	\??\X:	Yloux.exe
File opened (read-only)	\??\J:	Yloux.exe
File opened (read-only)	\??\O:	Yloux.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\WindowsTask.exe	youdupdata.exe
File created	C:\windows\Runn\DuiLib_u.dll	youdupdata.exe
File created	C:\windows\Runn\sqlite3.dll	youdupdata.exe
File created	C:\windows\Runn\Yloux.exe	youdupdata.exe
File created	C:\windows\Runn\1.bin	youdupdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2348	youdupdata.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe
2532	Yloux.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	Yloux.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2532	2348	youdupdata.exe	28
PID 2348 wrote to memory of 2532	2348	youdupdata.exe	28
PID 2348 wrote to memory of 2532	2348	youdupdata.exe	28
PID 2348 wrote to memory of 2532	2348	youdupdata.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\youdupdata.exe
"C:\Users\Admin\AppData\Local\Temp\youdupdata.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348
- C:\windows\Runn\Yloux.exe
  "C:\windows\Runn\Yloux.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
f830fffb7313638a2479b84d64bde970

SHA1
b92867bdc8fd0fcc657eefa0529ba4d05409eee2

SHA256
81f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9

SHA512
c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f

Download Submit
C:\windows\Runn\1.bin

Filesize
176KB

MD5
7e9d02bca3ab745c84117057f48b1a97

SHA1
b17986a21b44749f042f4bf779c9b75ab7bce5bf

SHA256
a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f

SHA512
edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
f830fffb7313638a2479b84d64bde970

SHA1
b92867bdc8fd0fcc657eefa0529ba4d05409eee2

SHA256
81f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9

SHA512
c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f

Download Submit
\Windows\Runn\Yloux.exe

Filesize
3.1MB

MD5
f830fffb7313638a2479b84d64bde970

SHA1
b92867bdc8fd0fcc657eefa0529ba4d05409eee2

SHA256
81f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9

SHA512
c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f

Download Submit
memory/2348-44-0x0000000000170000-0x0000000000A16000-memory.dmp

Filesize
8.6MB

Download
memory/2348-40-0x0000000000170000-0x0000000000A16000-memory.dmp

Filesize
8.6MB

Download
memory/2348-10-0x0000000002E30000-0x0000000003439000-memory.dmp

Filesize
6.0MB

Download
memory/2348-11-0x0000000010000000-0x000000001060E000-memory.dmp

Filesize
6.1MB

Download
memory/2348-6-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2348-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2348-0-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2348-4-0x0000000000170000-0x0000000000A16000-memory.dmp

Filesize
8.6MB

Download
memory/2348-7-0x0000000077160000-0x0000000077161000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000170000-0x0000000000A16000-memory.dmp

Filesize
8.6MB

Download
memory/2532-32-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-51-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2532-39-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-45-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-47-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-46-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-48-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-49-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-50-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/2532-38-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-52-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-53-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-27-0x00000000006F0000-0x000000000071D000-memory.dmp

Filesize
180KB

Download
memory/2532-55-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-60-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-62-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-63-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/2532-64-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-70-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download
memory/2532-72-0x0000000002830000-0x0000000002874000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing