Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 05:28
Behavioral task: behavioral1
Sample: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Resource: win10v2004-20231130-en
General
Target: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Size: 5.4MB
MD5: e16899ad557215c7af9942c93ad0b5c5
SHA1: 89939d6c77c59b13287a74fbc73092e1b66c15ab
SHA256: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301
SHA512: 4342b3a16d4803ee2e0300ef9484e5b11fc5f0c310da501c50d1eb2a5e19ff0ae0402306dc02828702432877f41fffdcd8df4c00a43224937bd839084adce0bb
SSDEEP: 98304:+wGRS5ao3FxD1jdn0qEUiSinZXI3/Gjb2nGcMqvmZVV3sdfhhT:+wFQE5ZnXgSint0YbRcKOdfPT
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation
  Process: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
Executes dropped EXE (2 IoCs)
  pid 1636  Process Yloux.exe
  pid 3436  Process {9795253A-303E-4ec4-9B60-246DAE73BD21}.exe

resource / yara_rule
  behavioral2/memory/3100-1-0x0000000000320000-0x0000000000BCA000-memory.dmp    vmprotect
  behavioral2/memory/3100-2-0x0000000000320000-0x0000000000BCA000-memory.dmp    vmprotect
  behavioral2/memory/3100-27-0x0000000000320000-0x0000000000BCA000-memory.dmp   vmprotect
  behavioral2/memory/3100-195-0x0000000000320000-0x0000000000BCA000-memory.dmp  vmprotect
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: Yloux.exe
  ioc: \??\W: \??\Y: \??\Z: \??\L: \??\O: \??\P: \??\U: \??\E: \??\M: \??\R: \??\K: \??\N: \??\Q: \??\S: \??\B: \??\H: \??\I: \??\V: \??\X: \??\G: \??\J: \??\T:
Drops file in Windows directory (5 IoCs)
All five by Process b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe:
  File created C:\windows\Runn\Yloux.exe
  File created C:\windows\Runn\1.bin
  File created C:\windows\Runn\WindowsTask.exe
  File created C:\windows\Runn\DuiLib_u.dll
  File created C:\windows\Runn\sqlite3.dll
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings  (Process: b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1702013366"  (Process: {9795253A-303E-4ec4-9B60-246DAE73BD21}.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3100  Process b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe  (2 entries)
  pid 1636  Process Yloux.exe  (the remaining 62 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 1636  Process Yloux.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3100 wrote to memory of 1636  Process b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe  procid_target 103
  PID 3100 wrote to memory of 1636  Process b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe  procid_target 103
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8e048347ec8cfc70d59e457515382765641da64a712fa294abc1bbdc46c6301.exe"
  PID: 3100
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\windows\Runn\Yloux.exe  (child of PID 3100)
    Command line: "C:\windows\Runn\Yloux.exe"
    PID: 1636
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4332

C:\Users\Admin\AppData\Local\Temp\{9795253A-303E-4ec4-9B60-246DAE73BD21}.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\{9795253A-303E-4ec4-9B60-246DAE73BD21}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{CAE38D6D-36AA-48b1-90D1-7779CF86E0AC}"
  PID: 3436
  - Executes dropped EXE
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: ff0c7c2667dff4f3ed588f40d047c642
SHA1: 1162c83bd0bb0d81b7ab7f616cb012b790aa4adf
SHA256: 02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7
SHA512: 539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3
Filesize: 693B
MD5: 41f841c114fa609e493b72df33f264d8
SHA1: 8f947abc685c672ca3984105fb911d2fbe740eb8
SHA256: 3dbaa9f9074ea4afec71f3163dbfdea338fd896b520320a7df4ffc8fef9b2e74
SHA512: a698b96007aca2a10dfebb3fe803a19de8c5c209c0f0d3ecf4bdab2c3779aba8618e86a749e66eb041ac1cba849a5057ccfe6893ee047a36fb6dc17700a94364
Filesize: 984B
MD5: ff034a2af1193f9e88306620d350964b
SHA1: 2c4eb05e76e9db2fc578b4340ced57d046014ee2
SHA256: fae268e15176cf4fbedd2dce08141a77b4d632aa0e9460de2bb43f2e43c0af41
SHA512: 7e74f55943d296ed281f3e87cb11b3ae7f4f79eef740620bc1aaf0e4fca07c5a0f568c3bd3875e01cf7584be8ab939f8ad5d0af5eaab2fb89f79d2aa2a3e2237
Filesize: 1.0MB
MD5: 217dc98e219a340cb09915244c992a52
SHA1: a04f101ca7180955d62e4a1aaeccdcca489209da
SHA256: 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512: dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85
Filesize: 1.0MB
MD5: 217dc98e219a340cb09915244c992a52
SHA1: a04f101ca7180955d62e4a1aaeccdcca489209da
SHA256: 27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c
SHA512: dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85
Filesize: 215B
MD5: 0918726b593f16371921a5c62e33fdc5
SHA1: 2b4fe90a8f9d765e03abc10439a5d49e456465a1
SHA256: 6c4f12a00baff8293519e8fc2a275e1d277eee911f1776bafb292015b39b3de0
SHA512: 055dfb53bf986855946fd2e0be4fe708ff1f1fcfec172f967d7f006e89dac2b6631e57f40edee29bdd179075465edc6eeab75b3201f60a164a1651c71a05314d
Filesize: 3.0MB
MD5: 8eb8324b0edbf91fdc49ec66e0248959
SHA1: 5c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256: c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA512: 5a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500
Filesize: 3.0MB
MD5: 8eb8324b0edbf91fdc49ec66e0248959
SHA1: 5c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256: c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA512: 5a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500
Filesize: 176KB
MD5: 7e9d02bca3ab745c84117057f48b1a97
SHA1: b17986a21b44749f042f4bf779c9b75ab7bce5bf
SHA256: a3cd7777c4344f0c80140d2cdfce1b993a8653707de8a68490bfcc6fbfc63c1f
SHA512: edfb1cff6736f4ebf5675c9d54039e036201715b89fe2233e790a7cb1796b10fb7c1016f305f13742427baae627c1f7bd32b43c0c8d9d7d7fda4440a4b9fefae
Filesize: 3.0MB
MD5: 8eb8324b0edbf91fdc49ec66e0248959
SHA1: 5c98914ce7b5c564db4456320b89428f8b6d83aa
SHA256: c6f62df5dcfc64177de6cf2ee5a95b0cbf404ce262b60cbe3c8e260108a4c29a
SHA512: 5a4991ef70fcd902a03c1af8d9e43ee72ecdb035625d29c596a0d0cf34f38504e2a567d3547f4b0e4f75b14d617854fe1dcd85a76d1452bb284b9d95912d1500