Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231201-en
- resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
- submitted: 08/12/2023, 04:23
Behavioral task behavioral1
- Sample: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
- Resource: win7-20231201-en
Behavioral task behavioral2
- Sample: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
- Resource: win10v2004-20231130-en
General
- Target: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
- Size: 10.7MB
- MD5: e2f47d90261992d34a18e49568de265e
- SHA1: 9078292c6d7865c4471fec79b6f65001024fb281
- SHA256: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619
- SHA512: c71c7839eeb1ee7e54e25610cb92c894977e67df1c1c74d85d45bd9761c6b290f91af797b932fc5978f70e93b9fcf117a43145b2f58f6610bd1132854367e58c
- SSDEEP: 196608:RVVE/H/MVA2OR3+qNTFiKTmDEyt3e2mEJcBww0tUYb/6/FEAwDCf3hZtmEVjVuYT:14UPSvhiQwt3e2mQcB82KWFICtN11ww/
Malware Config
Signatures

Deletes itself (1 IoC)
- pid 2608, cmd.exe

Executes dropped EXE (2 IoCs)
- pid 2780, onliawaz.exe
- pid 2632, Yloux.exe

Loads dropped DLL (3 IoCs)
- pid 2332, cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe (2 entries)
- pid 2780, onliawaz.exe

Yara rule vmprotect matched the following resources:
- behavioral1/memory/2332-13-0x0000000000400000-0x000000000180F000-memory.dmp
- behavioral1/files/0x00080000000122cd-41.dat
- behavioral1/files/0x00080000000122cd-47.dat
- behavioral1/files/0x00080000000122cd-46.dat
- behavioral1/files/0x00080000000122cd-43.dat
- behavioral1/files/0x00080000000122cd-48.dat
- behavioral1/memory/2780-54-0x0000000000EC0000-0x000000000176A000-memory.dmp
- behavioral1/memory/2332-57-0x0000000000400000-0x000000000180F000-memory.dmp
- behavioral1/memory/2780-80-0x0000000000EC0000-0x000000000176A000-memory.dmp
- behavioral1/memory/2780-93-0x0000000000EC0000-0x000000000176A000-memory.dmp
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- Yloux.exe opened (read-only) the drive roots \??\P:, \??\R:, \??\X:, \??\E:, \??\M:, \??\Q:, \??\U:, \??\Z:, \??\B:, \??\H:, \??\K:, \??\O:, \??\S:, \??\T:, \??\Y:, \??\G:, \??\I:, \??\J:, \??\L:, \??\N:, \??\V:, \??\W:

Drops file in Windows directory (5 IoCs)
- onliawaz.exe created C:\windows\Runn\DuiLib_u.dll
- onliawaz.exe created C:\windows\Runn\sqlite3.dll
- onliawaz.exe created C:\windows\Runn\Yloux.exe
- onliawaz.exe created C:\windows\Runn\1.bin
- onliawaz.exe created C:\windows\Runn\WindowsTask.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
- pid 2568, PING.EXE
Suspicious behavior: EnumeratesProcesses (40 IoCs)
- pid 2332, cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe (2 entries)
- pid 2780, onliawaz.exe (1 entry)
- pid 2632, Yloux.exe (the remaining 37 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 2332, cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe (2 entries)
- pid 2632, Yloux.exe

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 2332 (cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe) wrote to memory of 2780, procid_target 28 (4 entries)
- PID 2332 (cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe) wrote to memory of 2608, procid_target 29 (4 entries)
- PID 2608 (cmd.exe) wrote to memory of 2568, procid_target 31 (4 entries)
- PID 2780 (onliawaz.exe) wrote to memory of 2632, procid_target 33 (4 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe (PID 2332), command line: "C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\ProgramData\onliawaz.exe (PID 2780), command line: C:\ProgramData\onliawaz.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\windows\Runn\Yloux.exe (PID 2632), command line: "C:\windows\Runn\Yloux.exe"
      Signatures: Executes dropped EXE; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 2608), command line: cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2568), command line: ping 127.0.0.1 -n 5
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.4MB
  MD5: e16899ad557215c7af9942c93ad0b5c5
  SHA1: 89939d6c77c59b13287a74fbc73092e1b66c15ab
  SHA256: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301
  SHA512: 4342b3a16d4803ee2e0300ef9484e5b11fc5f0c310da501c50d1eb2a5e19ff0ae0402306dc02828702432877f41fffdcd8df4c00a43224937bd839084adce0bb
Filesize
3.0MB
MD58eb8324b0edbf91fdc49ec66e0248959
SHA15c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA5125a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500
- Filesize: 176KB
  MD5: 7e9d02bca3ab745c84117057f48b1a97
  SHA1: b17986a21b44749f042f4bf779c9b75ab7bce5bf
  SHA256: a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
  SHA512: edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae