Analysis

- max time kernel: 140s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 07/12/2023, 11:28
Behavioral tasks

- behavioral1: sample a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe, resource win7-20231020-en
- behavioral2: sample a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe, resource win10v2004-20231127-en

The signatures, process tree and downloads below are taken from behavioral1 (the Windows 7 x64 run).
General

- Target: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe
- Size: 5.4MB
- MD5: cdf202517072460da0f60de563501961
- SHA1: 0fd1d45bcd92adb8828bc1b2ca6551f672f2ee4d
- SHA256: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de
- SHA512: c33e5073064ac4d80bb82ad55f89c1020205ad571075dd5b0a8045d9334993c604720749bf4824e754552521c0809ee050c3b74dac09b75cdb5e2f3d61596846
- SSDEEP: 98304:LW++hEZw5I/iyjVtLNHxDtdkOydIt1sBCJF7xBPyVyPCDxYWbE4WBZ2csxVhLs:L6Eriet5HxDtdW61sB6VuwPCDxYZYxVR
Malware Config
Signatures

- Downloads MZ/PE file

- Executes dropped EXE (2 IoCs)
  PID   Process
  2708  Yloux.exe
  2900  {EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe

- Loads dropped DLL (2 IoCs)
  PID  Process
  372  a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe (two loads; the same PID drops two DLLs, DuiLib_u.dll and sqlite3.dll, see "Drops file in Windows directory")

- VMProtect (YARA rule match on memory)
  Resource                                                                    Rule
  behavioral1/memory/372-2-0x0000000000E40000-0x00000000016D5000-memory.dmp    vmprotect
  behavioral1/memory/372-5-0x0000000000E40000-0x00000000016D5000-memory.dmp    vmprotect
  behavioral1/memory/372-42-0x0000000000E40000-0x00000000016D5000-memory.dmp   vmprotect
  behavioral1/memory/372-196-0x0000000000E40000-0x00000000016D5000-memory.dmp  vmprotect
  The same mapped region of PID 372 (the submitted sample) matches at four dump points. A VMProtect-packed loader's static strings and import table should not be trusted for triage; use the dropped payloads and the in-memory dumps instead.

- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Yloux.exe opened the following drive roots read-only: \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter except A:, C:, D: and F:).

- Drops file in Windows directory (5 IoCs)
  All five files are created by a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe:
  C:\windows\Runn\DuiLib_u.dll
  C:\windows\Runn\sqlite3.dll
  C:\windows\Runn\Yloux.exe
  C:\windows\Runn\1.bin
  C:\windows\Runn\WindowsTask.exe
  C:\windows\Runn\ is not a standard Windows directory; its presence on a host is a usable hunting indicator on its own.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1701948509" by {EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe
  EditFlags under a file-class key (here regfile, the class for .reg files) is a bit field that controls how the shell handles that file type; the report does not show what the value was before.

- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  PID   Process                                                                  Count
  372   a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe   1
  2708  Yloux.exe                                                                37

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2708, Yloux.exe. A window hook is also installed by ordinary GUI software (DuiLib, dropped alongside it, is an open-source DirectUI library), so on its own this is weak evidence.

- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 372 (a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe) wrote to the memory of PID 2708 four times (procid_target 28 in each record). PID 2708 is the Yloux.exe child that PID 372 spawns (see Processes), so these are parent-to-child writes rather than injection into an unrelated process; the report does not show what was written.

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
  The report attributes no PID or IoC to the Task Scheduler and Volume Shadow Copy signatures, so which process triggered them is not shown.
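To turn the signatures above into checks that can be run against telemetry from another host, here is an added Python example. It is not part of the sandbox report or of the sample; it encodes the report's indicators (the C:\windows\Runn drop directory, the dropped file names, the two dropped executables, the regfile EditFlags value, read-only opens of non-C: drive roots) as matchers over constructed event records. The event shape (type, pid, image, path, key) and the signature names it emits are assumptions of this example; the indicator values are copied from the report.

```python
"""Added hunting example (not part of the sandbox report): match process,
file and registry events against the behaviours the report records.
Event records are constructed here in the shape of the report's own
columns; the Sysmon-style type names are an assumption of this example."""
import re
from collections import defaultdict

# Indicators copied from the report (lower-cased for case-insensitive paths).
DROP_DIR = r"c:\windows\runn"
DROPPED_FILES = {"duilib_u.dll", "sqlite3.dll", "yloux.exe", "1.bin", "windowstask.exe"}
DROPPED_EXES = {"yloux.exe", "{eb1c1df0-fc37-4d54-a9fe-60782016f9d6}.exe"}
REGFILE_EDITFLAGS = r"\registry\machine\software\classes\regfile\shell\editflags"
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")  # NT path of a drive root, e.g. \??\M:


def _base(path: str) -> str:
    """Last path component, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def match_event(ev: dict) -> list:
    """Return the names of the report signatures that a single event matches."""
    hits = []
    kind = ev["type"]
    if kind == "FileCreate":
        path = ev["path"].lower()
        if path.startswith(DROP_DIR + "\\") and _base(path) in DROPPED_FILES:
            hits.append("drops_file_in_windows_dir")
    elif kind == "ProcessCreate":
        image = ev["image"].lower()
        if _base(image) in DROPPED_EXES:
            hits.append("executes_dropped_exe")
        if image.startswith(DROP_DIR + "\\"):
            hits.append("runs_from_windows_runn")
    elif kind == "RegistryValueSet":
        if ev["key"].lower() == REGFILE_EDITFLAGS:
            hits.append("modifies_regfile_editflags")
    elif kind == "FileOpen":
        m = DRIVE_ROOT.match(ev["path"])
        if m and m.group(1) != "C":        # the report excludes the default C: drive
            hits.append("opens_drive_root:" + m.group(1))
    return hits


def scan(events: list, drive_threshold: int = 5) -> dict:
    """Aggregate hits over a run; a PID that opens >= drive_threshold distinct
    non-C drive roots is reported as a drive enumerator (threshold assumed)."""
    counts = defaultdict(int)
    drives = defaultdict(set)
    for ev in events:
        for hit in match_event(ev):
            if hit.startswith("opens_drive_root:"):
                drives[ev["pid"]].add(hit.split(":", 1)[1])
            else:
                counts[hit] += 1
    enumerators = {pid: sorted(ls) for pid, ls in drives.items() if len(ls) >= drive_threshold}
    return {"counts": dict(counts), "drive_enumerators": enumerators}


SAMPLE = "a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"

# Constructed events mirroring rows of the report; the Temp\log.txt write and
# the single D: open by PID 372 are added as negative cases.
EVENTS = [
    {"type": "FileCreate", "pid": 372, "image": SAMPLE, "path": r"C:\windows\Runn\Yloux.exe"},
    {"type": "FileCreate", "pid": 372, "image": SAMPLE, "path": r"C:\windows\Runn\sqlite3.dll"},
    {"type": "FileCreate", "pid": 372, "image": SAMPLE, "path": r"C:\Users\Admin\AppData\Local\Temp\log.txt"},
    {"type": "ProcessCreate", "pid": 2708, "ppid": 372, "image": r"C:\windows\Runn\Yloux.exe"},
    {"type": "ProcessCreate", "pid": 2900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe"},
    {"type": "RegistryValueSet", "pid": 2900,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags", "value": "1701948509"},
    {"type": "FileOpen", "pid": 2708, "path": r"\??\C:"},
    {"type": "FileOpen", "pid": 372, "path": r"\??\D:"},
] + [{"type": "FileOpen", "pid": 2708, "path": "\\??\\%s:" % d} for d in "EGHMNRUXZ"]


if __name__ == "__main__":
    import json
    print(json.dumps(scan(EVENTS), indent=2))
```

Running the block prints the aggregated counts and reports PID 2708 as the drive enumerator; PID 372's single D: open stays below the threshold, and the C: open is ignored as the report's own description specifies.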
Processes

C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe (PID 372)
  command line: "C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\windows\Runn\Yloux.exe (PID 2708, child of 372)
    command line: "C:\windows\Runn\Yloux.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe (PID 2900)
  command line: "C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{5B3B6B6D-180D-4e89-AC5F-7762A6993DDE}"
  - Executes dropped EXE
  - Modifies registry class
  This process appears at the top level of the tree; the report does not show which process launched it.
Network
MITRE ATT&CK Enterprise v15
Downloads

The report lists nine downloaded/dropped artifacts; several share identical hashes, so the distinct files are shown once each with the number of times they appear.

- Filesize: 2KB (listed 2 times)
  MD5: ff0c7c2667dff4f3ed588f40d047c642
  SHA1: 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf
  SHA256: 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
  SHA512: 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

- Filesize: 215B (listed 1 time)
  MD5: cd4478ae7de2e99792473c749b6045f1
  SHA1: 1ed7d4ddbebfd55b53a87ee9bec241c400f25154
  SHA256: cf34fcddacd611b4fc813d1548a2828082c5b70ca78efe9aaee1b62d6b763dda
  SHA512: 2df19b5922efb368f41dc23815fa3b64a28a530aac48f94a6a77c795fa8ed62cc4df1752950f997e581f7761941c99319d8c25bac96da8e01abe191d8d4916a5

- Filesize: 1.0MB (listed 2 times)
  MD5: 217dc98e219a340cb09915244c992a52
  SHA1: a04f101ca7180955d62e4a1aaeccdcca489209da
  SHA256: 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
  SHA512: dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

- Filesize: 325KB (listed 3 times)
  MD5: fff86732dd49317db08c940f362f5023
  SHA1: 79e1ff08ccde6ea37cf84617e2ada8e86672730e
  SHA256: ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0
  SHA512: e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9

- Filesize: 176KB (listed 1 time)
  MD5: e8d22da772001f5b8e4036d8c0673e5f
  SHA1: 2dd5d03dad6e75e3c082b774a31a35ef7775a6cf
  SHA256: 98de66877090c3d1b3ac1c2e732bccd9f271eaf4487cb6b2803da8eb0cbbb447
  SHA512: 62ccedcedb86bd8e7afebdb0de2b60db2c9fbe56040874f001d5b74529c9f998061bce03058f362952a069435f6c42e0b361865daa2f32116ff6369b0852df10

The report does not map these hashes to the file names dropped in C:\windows\Runn, so the mapping has to be established from the artifacts themselves.