Analysis
max time kernel: 147s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08/12/2023, 05:28
Behavioral task: behavioral1
Sample: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Resource: win10v2004-20231130-en
General
Target: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Size: 5.4MB
MD5: e16899ad557215c7af9942c93ad0b5c5
SHA1: 89939d6c77c59b13287a74fbc73092e1b66c15ab
SHA256: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301
SHA512: 4342b3a16d4803ee2e0300ef9484e5b11fc5f0c310da501c50d1eb2a5e19ff0ae0402306dc02828702432877f41fffdcd8df4c00a43224937bd839084adce0bb
SSDEEP: 98304:+wGRS5ao3FxD1jdn0qEUiSinZXI3/Gjb2nGcMqvmZVV3sdfhhT:+wFQE5ZnXgSint0YbRcKOdfPT
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid Process
3036 Yloux.exe

Loads dropped DLL 1 IoCs
pid Process
2360 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe

resource yara_rule
behavioral1/memory/2360-4-0x0000000000AE0000-0x000000000138A000-memory.dmp vmprotect
behavioral1/memory/2360-2-0x0000000000AE0000-0x000000000138A000-memory.dmp vmprotect
behavioral1/memory/2360-32-0x0000000000AE0000-0x000000000138A000-memory.dmp vmprotect
behavioral1/memory/2360-44-0x0000000000AE0000-0x000000000138A000-memory.dmp vmprotect
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\S: Yloux.exe
File opened (read-only) \??\U: Yloux.exe
File opened (read-only) \??\V: Yloux.exe
File opened (read-only) \??\X: Yloux.exe
File opened (read-only) \??\Y: Yloux.exe
File opened (read-only) \??\G: Yloux.exe
File opened (read-only) \??\I: Yloux.exe
File opened (read-only) \??\O: Yloux.exe
File opened (read-only) \??\H: Yloux.exe
File opened (read-only) \??\M: Yloux.exe
File opened (read-only) \??\Q: Yloux.exe
File opened (read-only) \??\R: Yloux.exe
File opened (read-only) \??\W: Yloux.exe
File opened (read-only) \??\B: Yloux.exe
File opened (read-only) \??\E: Yloux.exe
File opened (read-only) \??\J: Yloux.exe
File opened (read-only) \??\P: Yloux.exe
File opened (read-only) \??\T: Yloux.exe
File opened (read-only) \??\Z: Yloux.exe
File opened (read-only) \??\K: Yloux.exe
File opened (read-only) \??\L: Yloux.exe
File opened (read-only) \??\N: Yloux.exe

Drops file in Windows directory 5 IoCs
description ioc Process
File created C:\windows\Runn\1.bin b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
File created C:\windows\Runn\WindowsTask.exe b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
File created C:\windows\Runn\DuiLib_u.dll b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
File created C:\windows\Runn\sqlite3.dll b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
File created C:\windows\Runn\Yloux.exe b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process
2360 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
3036 Yloux.exe (37 identical entries)

Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
3036 Yloux.exe

Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2360 wrote to memory of 3036 2360 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe 29
PID 2360 wrote to memory of 3036 2360 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe 29
PID 2360 wrote to memory of 3036 2360 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe 29
PID 2360 wrote to memory of 3036 2360 b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe 29
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Users\Admin\AppData\Local\Temp\b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe"
   PID: 2360
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\windows\Runn\Yloux.exe (child of PID 2360)
   Command line: "C:\windows\Runn\Yloux.exe"
   PID: 3036
   - Executes dropped EXE
   - Enumerates connected drives
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.0MB
MD5: 8eb8324b0edbf91fdc49ec66e0248959
SHA1: 5c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256: c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA512: 5a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500

Filesize: 176KB
MD5: 7e9d02bca3ab745c84117057f48b1a97
SHA1: b17986a21b44749f042f4bf779c9b75ab7bce5bf
SHA256: a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
SHA512: edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae