Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
21/11/2023, 04:34
General
-
Target
youdupdata.exe
-
Size
5.4MB
-
MD5
4309bcede75c0d955de1c59ab634d7e7
-
SHA1
73bb7a51945c60c2ae64e33b9728f43f2f2c83c4
-
SHA256
4edb1135db0ef587a2fc2fe749b60566cb3aaaac6fb81d04c7401c14b60225a5
-
SHA512
9d6a9be7dc544e80fa7e6cbb722e01b8a7e4b6e4c85f5a8dc89f6589f9d6dce9035afedf804c4deee6105bd562de925125a7fc2887af53e26a1d0ead85617e2b
-
SSDEEP
98304:1QGp99ObznpmJy2Ahua4MnQ7PRPH2u7gaQoZrIr56sF:1N90bTQs2bl/xXQkrIr5fF
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\youdupdata.exe"C:\Users\Admin\AppData\Local\Temp\youdupdata.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\windows\Runn\Yloux.exe"C:\windows\Runn\Yloux.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\{D6258ED5-879C-49f6-82CA-A368BE1B22C9}.exe"C:\Users\Admin\AppData\Local\Temp\{D6258ED5-879C-49f6-82CA-A368BE1B22C9}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{AD4A63E8-3533-43f0-AF7F-7AF367E7DBD3}"1⤵
- Executes dropped EXE
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD538db71e26955b25f88381a49771382f9
SHA193f89681aafae4c7fd055b869df6657d9a465268
SHA256a9510ed4f90246fecd78e5cd9e47d9d382c34b7b6493d116a3d355144dfc6cc4
SHA5127fbb50c8b859a0ccf914006828d8e964acb5d020a629bb6fa06a17b5088c3ead6b13ec32d2d45603caa38ebc2ca2d778108d5f1d1233fc8adb73782895efe765
-
Filesize
2KB
MD5ff0c7c2667dff4f3ed588f40d047c642
SHA11162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA25602af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3
-
Filesize
215B
MD50ad7d4c810308aa60a6338e533b44907
SHA18e263297b434d625a73344ad769a4f656a18c235
SHA256fdbb150701528541a4be3499933f070378c2683a664fd61ca92b84092ff29e67
SHA512838d93bed79d844c9660ba80f02c1460f9b746062337c2decae1f5fcc106dd0de920b21513745bb8d7e6557df05480ba767861e0ba44b2b5eb04adca13f58941
-
Filesize
1.0MB
MD5217dc98e219a340cb09915244c992a52
SHA1a04f101ca7180955d62e4a1aaeccdcca489209da
SHA25627c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85
-
Filesize
1.0MB
MD5217dc98e219a340cb09915244c992a52
SHA1a04f101ca7180955d62e4a1aaeccdcca489209da
SHA25627c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85
-
Filesize
3.1MB
MD5f830fffb7313638a2479b84d64bde970
SHA1b92867bdc8fd0fcc657eefa0529ba4d05409eee2
SHA25681f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9
SHA512c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f
-
Filesize
3.1MB
MD5f830fffb7313638a2479b84d64bde970
SHA1b92867bdc8fd0fcc657eefa0529ba4d05409eee2
SHA25681f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9
SHA512c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f
-
Filesize
176KB
MD57e9d02bca3ab745c84117057f48b1a97
SHA1b17986a21b44749f042f4bf779c9b75ab7bce5bf
SHA256a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
SHA512edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae
-
Filesize
3.1MB
MD5f830fffb7313638a2479b84d64bde970
SHA1b92867bdc8fd0fcc657eefa0529ba4d05409eee2
SHA25681f83d39a34e2b0a2f2aa30093e4913eeae5345c761f189a1fcb946420b2b5e9
SHA512c0fbdcf7d684039bc45037e2a9c178f4c662d7bffe01f0aaa7b743ebb9b2773547f5bf39b7358989646432bddc5029f36f0f3038a552bcf45dd92c969d1d593f
-
Filesize
8.6MB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
6.0MB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
180KB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
272KB