Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 04:23
Behavioral task behavioral1
  Sample: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
  Resource: win7-20231201-en

Behavioral task behavioral2
  Sample: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
  Resource: win10v2004-20231130-en
General

Target: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
Size: 10.7MB
MD5: e2f47d90261992d34a18e49568de265e
SHA1: 9078292c6d7865c4471fec79b6f65001024fb281
SHA256: cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619
SHA512: c71c7839eeb1ee7e54e25610cb92c894977e67df1c1c74d85d45bd9761c6b290f91af797b932fc5978f70e93b9fcf117a43145b2f58f6610bd1132854367e58c
SSDEEP: 196608:RVVE/H/MVA2OR3+qNTFiKTmDEyt3e2mEJcBww0tUYb/6/FEAwDCf3hZtmEVjVuYT:14UPSvhiQwt3e2mQcB82KWFICtN11ww/
Malware Config
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | onliawaz.exe

Executes dropped EXE (3 IoCs)
pid | Process
2816 | onliawaz.exe
1952 | Yloux.exe
3544 | {78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe

resource | yara_rule
behavioral2/memory/2728-4-0x0000000000400000-0x000000000180F000-memory.dmp | vmprotect
behavioral2/memory/2728-9-0x0000000000400000-0x000000000180F000-memory.dmp | vmprotect
behavioral2/files/0x000200000001e827-15.dat | vmprotect
behavioral2/files/0x000200000001e827-14.dat | vmprotect
behavioral2/memory/2816-18-0x00000000006D0000-0x0000000000F7A000-memory.dmp | vmprotect
behavioral2/memory/2728-20-0x0000000000400000-0x000000000180F000-memory.dmp | vmprotect
behavioral2/memory/2816-44-0x00000000006D0000-0x0000000000F7A000-memory.dmp | vmprotect
behavioral2/memory/2816-211-0x00000000006D0000-0x0000000000F7A000-memory.dmp | vmprotect

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P:, \??\Q:, \??\T:, \??\Y:, \??\M:, \??\L:, \??\O:, \??\U:, \??\W:, \??\K:, \??\G:, \??\H:, \??\J:, \??\N:, \??\R:, \??\S:, \??\V:, \??\E:, \??\Z:, \??\I:, \??\X:, \??\B: | Yloux.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\windows\Runn\DuiLib_u.dll | onliawaz.exe
File created | C:\windows\Runn\sqlite3.dll | onliawaz.exe
File created | C:\windows\Runn\Yloux.exe | onliawaz.exe
File created | C:\windows\Runn\1.bin | onliawaz.exe
File created | C:\windows\Runn\WindowsTask.exe | onliawaz.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\Local Settings | onliawaz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1702009466" | {78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
548 | PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2728 | cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe | 4
2816 | onliawaz.exe | 2
1952 | Yloux.exe | 58

Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2728 | cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
2728 | cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe
1952 | Yloux.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target | entries
PID 2728 wrote to memory of 2816 | 2728 | cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe | 90 | 3
PID 2728 wrote to memory of 3660 | 2728 | cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe | 97 | 3
PID 3660 wrote to memory of 548 | 3660 | cmd.exe | 99 | 3
PID 2816 wrote to memory of 1952 | 2816 | onliawaz.exe | 105 | 2

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe (PID 2728)
  command line: "C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\onliawaz.exe (PID 2816)
      command line: C:\ProgramData\onliawaz.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\windows\Runn\Yloux.exe (PID 1952)
          command line: "C:\windows\Runn\Yloux.exe"
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 3660)
      command line: cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (PID 548)
          command line: ping 127.0.0.1 -n 5
          - Runs ping.exe

C:\Windows\System32\rundll32.exe (PID 448)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe (PID 3544)
  command line: "C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{7E50617B-757A-42be-AA94-91134F838E38}"
  - Executes dropped EXE
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads