Malware Analysis Report

2025-08-11 01:36

Sample ID: 231207-nkzvksaa75
Target: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de
SHA256: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de
Tags: vmprotect
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de

Threat Level: Likely malicious

The file a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de was found to be: Likely malicious.

Malicious Activity Summary

Tag: vmprotect

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

VMProtect packed file

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-07 11:28

Signatures

VMProtect packed file (tag: vmprotect)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-07 11:28
Reported: 2023-12-07 11:30
Platform: win7-20231020-en
Max time kernel: 140s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe N/A

VMProtect packed file (tag: vmprotect)

Description Indicator Process Target
N/A N/A N/A N/A (4 identical entries)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1701948509" C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A (37 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A

Uses Task Scheduler COM API (tag: persistence)

Uses Volume Shadow Copy WMI provider (tag: ransomware)

Uses Volume Shadow Copy service COM API (tag: ransomware)

Processes

C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe

"C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe

"C:\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{5B3B6B6D-180D-4e89-AC5F-7762A6993DDE}"

Network

Country Destination Domain Proto
US 38.54.101.34:80 tcp
US 38.60.205.234:52361 38.60.205.234 tcp
HK 43.249.31.126:18759 tcp (3 identical entries)
N/A 192.168.1.2:6341 udp (3 identical entries)

Files

\Windows\Runn\Yloux.exe

MD5 fff86732dd49317db08c940f362f5023
SHA1 79e1ff08ccde6ea37cf84617e2ada8e86672730e
SHA256 ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0
SHA512 e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9

C:\windows\Runn\1.bin

MD5 e8d22da772001f5b8e4036d8c0673e5f
SHA1 2dd5d03dad6e75e3c082b774a31a35ef7775a6cf
SHA256 98de66877090c3d1b3ac1c2e732bccd9f271eaf4487cb6b2803da8eb0cbbb447
SHA512 62ccedcedb86bd8e7afebdb0de2b60db2c9fbe56040874f001d5b74529c9f998061bce03058f362952a069435f6c42e0b361865daa2f32116ff6369b0852df10

\Users\Admin\AppData\Local\Temp\{EB1C1DF0-FC37-4d54-A9FE-60782016F9D6}.exe

MD5 217dc98e219a340cb09915244c992a52
SHA1 a04f101ca7180955d62e4a1aaeccdcca489209da
SHA256 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512 dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 ff0c7c2667dff4f3ed588f40d047c642
SHA1 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA256 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

C:\Users\Admin\AppData\Local\Temp\{5B3B6B6D-180D-4e89-AC5F-7762A6993DDE}

MD5 cd4478ae7de2e99792473c749b6045f1
SHA1 1ed7d4ddbebfd55b53a87ee9bec241c400f25154
SHA256 cf34fcddacd611b4fc813d1548a2828082c5b70ca78efe9aaee1b62d6b763dda
SHA512 2df19b5922efb368f41dc23815fa3b64a28a530aac48f94a6a77c795fa8ed62cc4df1752950f997e581f7761941c99319d8c25bac96da8e01abe191d8d4916a5

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-07 11:28
Reported: 2023-12-07 11:30
Platform: win10v2004-20231127-en
Max time kernel: 150s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A

VMProtect packed file (tag: vmprotect)

Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe N/A (2 identical entries)
N/A N/A C:\windows\Runn\Yloux.exe N/A (62 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\windows\Runn\Yloux.exe N/A

Uses Task Scheduler COM API (tag: persistence)

Uses Volume Shadow Copy WMI provider (tag: ransomware)

Uses Volume Shadow Copy service COM API (tag: ransomware)

Processes

C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe

"C:\Users\Admin\AppData\Local\Temp\a6358a4a0c6efc2c466d23d52e2b2f989cbb2f30016c76c9569508dd45dbd3de.exe"

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 38.54.101.34:80 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 34.101.54.38.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 38.60.205.234:52361 38.60.205.234 tcp
US 8.8.8.8:53 234.205.60.38.in-addr.arpa udp
HK 43.249.31.126:18759 tcp
US 8.8.8.8:53 126.31.249.43.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
HK 43.249.31.126:18759 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 249.194.19.2.in-addr.arpa udp
HK 43.249.31.126:18759 tcp
N/A 192.168.1.2:6341 udp
US 8.8.8.8:53 2.1.168.192.in-addr.arpa udp
N/A 192.168.1.2:6341 udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
N/A 192.168.1.2:6341 udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

C:\Windows\Runn\Yloux.exe

MD5 fff86732dd49317db08c940f362f5023
SHA1 79e1ff08ccde6ea37cf84617e2ada8e86672730e
SHA256 ed4719202f1d434071516ab5aafb9b6f3080be77e4bfeecfa85af68dfc1d28f0
SHA512 e43089ba588e5eaa1007d176551710ebedd8f855c900c1248747d2172eceb8214e5c4bcc6e7a7bcf3d58fbffc306ae33e3c89e315bedde9f2152acaf22a092b9

C:\windows\Runn\1.bin

MD5 e8d22da772001f5b8e4036d8c0673e5f
SHA1 2dd5d03dad6e75e3c082b774a31a35ef7775a6cf
SHA256 98de66877090c3d1b3ac1c2e732bccd9f271eaf4487cb6b2803da8eb0cbbb447
SHA512 62ccedcedb86bd8e7afebdb0de2b60db2c9fbe56040874f001d5b74529c9f998061bce03058f362952a069435f6c42e0b361865daa2f32116ff6369b0852df10
