Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
21/11/2023, 04:34
General
-
Target
youdupdata.exe
-
Size
5.4MB
-
MD5
4309bcede75c0d955de1c59ab634d7e7
-
SHA1
73bb7a51945c60c2ae64e33b9728f43f2f2c83c4
-
SHA256
4edb1135db0ef587a2fc2fe749b60566cb3aaaac6fb81d04c7401c14b60225a5
-
SHA512
9d6a9be7dc544e80fa7e6cbb722e01b8a7e4b6e4c85f5a8dc89f6589f9d6dce9035afedf804c4deee6105bd562de925125a7fc2887af53e26a1d0ead85617e2b
-
SSDEEP
98304:1QGp99ObznpmJy2Ahua4MnQ7PRPH2u7gaQoZrIr56sF:1N90bTQs2bl/xXQkrIr5fF
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\youdupdata.exe"C:\Users\Admin\AppData\Local\Temp\youdupdata.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\windows\Runn\Yloux.exe"C:\windows\Runn\Yloux.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\{6D4B9126-EEC6-4469-A518-017313D2F68D}.exe"C:\Users\Admin\AppData\Local\Temp\{6D4B9126-EEC6-4469-A518-017313D2F68D}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{EC66A39B-7DF8-4aba-AD79-4B4A975B521C}"1⤵
- Executes dropped EXE
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ff0c7c2667dff4f3ed588f40d047c642
SHA11162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA25602af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3
-
Filesize
1.0MB
MD5217dc98e219a340cb09915244c992a52
SHA1a04f101ca7180955d62e4a1aaeccdcca489209da
SHA25627c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85
-
Filesize
1.0MB
MD5217dc98e219a340cb09915244c992a52
SHA1a04f101ca7180955d62e4a1aaeccdcca489209da
SHA25627c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85
-
Filesize
215B
MD5cc3c3e4f7ab5db485e6cf9e1d2a52916
SHA15d46d46c571d04b13a4eda0714b8a1f70f5ca0af
SHA2566b59dcb78fd39d16cd97684034115afe7c47271f8812c918cc00f4c0f89bca04
SHA512087ee869c3d3587b6b51489152af2750a9af3ab37a69965351e4ac01a66e5d952760c02122eeb55d31b10e711c64c81721c5810ecee6a0b2a4733550fa421b22
-
Filesize
3.1MB
MD5f830fffb7313638a2479b84d64bde970
SHA1b92867bdc8fd0fcc657eefa0529ba4d05409eee2
SHA25681f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9
SHA512c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f
-
Filesize
176KB
MD57e9d02bca3ab745c84117057f48b1a97
SHA1b17986a21b44749f042f4bf779c9b75ab7bce5bf
SHA256a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
SHA512edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae
-
Filesize
3.1MB
MD5f830fffb7313638a2479b84d64bde970
SHA1b92867bdc8fd0fcc657eefa0529ba4d05409eee2
SHA25681f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9
SHA512c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
180KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
248KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
6.1MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
6.0MB
-
Filesize
8.6MB
-
Filesize
4KB