Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2023, 11:28
Behavioral task behavioral1
- Sample: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe
- Resource: win10v2004-20231127-en
General
- Target: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe
- Size: 5.4MB
- MD5: cdf202517072460da0f60de563501961
- SHA1: 0fd1d45bcd92adb8828bc1b2ca6551f672f2ee4d
- SHA256: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de
- SHA512: c33e5073064ac4d80bb82ad55f89c1020205ad571075dd5b0a8045d9334993c604720749bf4824e754552521c0809ee050c3b74dac09b75cdb5e2f3d61596846
- SSDEEP: 98304:LW++hEZw5I/iyjVtLNHxDtdkOydIt1sBCJF7xBPyVyPCDxYWbE4WBZ2csxVhLs:L6Eriet5HxDtdW61sB6VuwPCDxYZYxVR
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation (process: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe)
Executes dropped EXE (1 IoC)
- PID 2964: Yloux.exe
YARA rule matches (rule: vmprotect) on memory dumps of PID 180 in behavioral2:
- behavioral2/memory/180-1-0x00000000000D0000-0x0000000000965000-memory.dmp
- behavioral2/memory/180-3-0x00000000000D0000-0x0000000000965000-memory.dmp
- behavioral2/memory/180-43-0x00000000000D0000-0x0000000000965000-memory.dmp
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Yloux.exe, in the order observed: \??\M:, \??\N:, \??\O:, \??\T:, \??\U:, \??\X:, \??\B:, \??\E:, \??\Q:, \??\Z:, \??\H:, \??\L:, \??\S:, \??\V:, \??\W:, \??\G:, \??\I:, \??\J:, \??\K:, \??\P:, \??\R:, \??\Y:
Drops file in Windows directory (5 IoCs)
Files created by a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe:
- C:\windows\Runn\WindowsTask.exe
- C:\windows\Runn\DuiLib_u.dll
- C:\windows\Runn\sqlite3.dll
- C:\windows\Runn\Yloux.exe
- C:\windows\Runn\1.bin
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings (process: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 180: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe (2 entries)
- PID 2964: Yloux.exe (all remaining entries, repeated)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2964: Yloux.exe
Suspicious use of WriteProcessMemory (2 IoCs)
- PID 180 (a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe) wrote to memory of PID 2964; procid_target 100
- PID 180 (a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe) wrote to memory of PID 2964; procid_target 100
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe (PID 180), command line: "C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\windows\Runn\Yloux.exe (PID 2964, child of PID 180), command line: "C:\windows\Runn\Yloux.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 740), command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads