Malware Analysis Report

2025-08-11 01:36

Sample ID 231208-ez875aad9w
Target cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619
SHA256 cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619
Tags
vmprotect
score
8/10

Analysis Overview

score
8/10

SHA256

cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619

Threat Level: Likely malicious

The file cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Downloads MZ/PE file

VMProtect packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 04:23

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 04:23

Reported

2023-12-08 04:26

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation C:\ProgramData\onliawaz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\onliawaz.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\Runn\DuiLib_u.dll C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\sqlite3.dll C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\Yloux.exe C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\1.bin C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\WindowsTask.exe C:\ProgramData\onliawaz.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000_Classes\Local Settings C:\ProgramData\onliawaz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1702009466" C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe N/A
N/A N/A C:\ProgramData\onliawaz.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe C:\ProgramData\onliawaz.exe
PID 2728 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2816 wrote to memory of 1952 N/A C:\ProgramData\onliawaz.exe C:\windows\Runn\Yloux.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe

"C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"

C:\ProgramData\onliawaz.exe

C:\ProgramData\onliawaz.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe

"C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{7E50617B-757A-42be-AA94-91134F838E38}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 38.54.25.23:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 23.25.54.38.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 185.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 105.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 38.60.204.65:53261 38.60.204.65 tcp
US 8.8.8.8:53 65.204.60.38.in-addr.arpa udp
HK 45.112.205.101:15746 tcp
US 8.8.8.8:53 101.205.112.45.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
N/A 192.168.1.2:6341 udp
US 8.8.8.8:53 2.1.168.192.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\ProgramData\onliawaz.exe

MD5 e16899ad557215c7af9942c93ad0b5c5
SHA1 89939d6c77c59b13287a74fbc73092e1b66c15ab
SHA256 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301
SHA512 4342b3a16d4803ee2e0300ef9484e5b11fc5f0c310da501c50d1eb2a5e19ff0ae0402306dc02828702432877f41fffdcd8df4c00a43224937bd839084adce0bb

C:\Windows\Runn\Yloux.exe

MD5 8eb8324b0edbf91fdc49ec66e0248959
SHA1 5c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256 c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA512 5a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500

C:\windows\Runn\1.bin

MD5 7e9d02bca3ab745c84117057f48b1a97
SHA1 b17986a21b44749f042f4bf779c9b75ab7bce5bf
SHA256 a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
SHA512 edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae

C:\Users\Admin\AppData\Local\Temp\{78A8E41B-E4B1-4f80-9CC4-5B584502D389}.exe

MD5 217dc98e219a340cb09915244c992a52
SHA1 a04f101ca7180955d62e4a1aaeccdcca489209da
SHA256 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512 dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 d2a6750f48423dda7fe7db107524d90a
SHA1 bf2e3dfe7fc950fcf3b3d73274e80d9629219cc5
SHA256 a45b9f74ce51ae6ec25bfd54b3040189b9cacdc4e409124b19af72a2f907cdf0
SHA512 eb0684222fec793fcc0cde83d1305ae004727efe2250e2da28831aac3ba864046db57f379e7c5e0b091e9f1fa498a27b9c6cfdb997be08cc9c7c77e9e3d5e8da

C:\Users\Admin\AppData\Local\Temp\{7E50617B-757A-42be-AA94-91134F838E38}

MD5 e78a1a4d49e12684f2949526d702c8a9
SHA1 ff4c9689de3aab0e7310d65fd04ee44f46d95eef
SHA256 9dd90412eb36796a129c0aa8cae56bfff620fb87b8bd58c125c4b66df791b991
SHA512 6ea6db842d7d44f214d9d60a4ce20d4fdf7a1a077eb62e3c3bab6352c4b6fdc78800515144fd21681e74af7c2b75526ee09b7dbd5220ed2b01ef4cb80b406e56

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 c37d8dea8d5c813436c64fc725513beb
SHA1 b787c483d14e926d3613b48dc542672b4da291d4
SHA256 397650f1fe561aef72471635362e9b2f7f6f07d3d0afcf5c212b5de4db80eef3
SHA512 7ae2f36328b0b67b24ec11974dff25f5bddfaea8ad87386221c7570308743707bfe832e4a22d94e0fdf530195bc005442b9af45e3d39ca9f1d01f93d867f85c5

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 ff0c7c2667dff4f3ed588f40d047c642
SHA1 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA256 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5 00c45a8db96e2cab7e871a14638e99b3
SHA1 258098918cf67af628d4a1dbfd1babe74a042986
SHA256 d422a20ef2069c430036d8a1406133dadc93925cebe25cf4a0bcba61f9e12962
SHA512 e49ed4171b231827ef87dc3405a8948ef764dbbd5fea85444fe23d473114bf26a8a803c84a6bf1ac8b452af4744da38ceaac952a565404573d7046dc1028ddd0

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 04:23

Reported

2023-12-08 04:26

Platform

win7-20231201-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\onliawaz.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\R: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\X: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\E: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\M: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Q: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\U: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Z: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\B: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\H: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\K: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\O: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\S: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\T: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\Y: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\G: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\I: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\J: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\L: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\N: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\V: C:\windows\Runn\Yloux.exe N/A
File opened (read-only) \??\W: C:\windows\Runn\Yloux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\Runn\DuiLib_u.dll C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\sqlite3.dll C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\Yloux.exe C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\1.bin C:\ProgramData\onliawaz.exe N/A
File created C:\windows\Runn\WindowsTask.exe C:\ProgramData\onliawaz.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe N/A
N/A N/A C:\ProgramData\onliawaz.exe N/A
N/A N/A C:\windows\Runn\Yloux.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe C:\ProgramData\onliawaz.exe
PID 2332 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2780 wrote to memory of 2632 N/A C:\ProgramData\onliawaz.exe C:\windows\Runn\Yloux.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe

"C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"

C:\ProgramData\onliawaz.exe

C:\ProgramData\onliawaz.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\cce3cf3b425a4783b2632cdeca7b172dd5ddf7577e9c6be82e92b81f3d31a619.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\windows\Runn\Yloux.exe

"C:\windows\Runn\Yloux.exe"

Network

Country Destination Domain Proto
US 38.54.25.23:80 tcp
US 38.60.204.65:53261 38.60.204.65 tcp
HK 45.112.205.101:15746 tcp
N/A 192.168.1.2:6341 udp

Files

C:\ProgramData\onliawaz.exe

MD5 e16899ad557215c7af9942c93ad0b5c5
SHA1 89939d6c77c59b13287a74fbc73092e1b66c15ab
SHA256 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301
SHA512 4342b3a16d4803ee2e0300ef9484e5b11fc5f0c310da501c50d1eb2a5e19ff0ae0402306dc02828702432877f41fffdcd8df4c00a43224937bd839084adce0bb

C:\Windows\Runn\Yloux.exe

MD5 8eb8324b0edbf91fdc49ec66e0248959
SHA1 5c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256 c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA512 5a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500

C:\windows\Runn\1.bin

MD5 7e9d02bca3ab745c84117057f48b1a97
SHA1 b17986a21b44749f042f4bf779c9b75ab7bce5bf
SHA256 a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
SHA512 edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae