Analysis
max time kernel: 141s
max time network: 133s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 06:50
Behavioral task: behavioral1
Sample: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
Resource: win10v2004-20231215-en
General
Target: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
Size: 10.7MB
MD5: 2c7c5e63ff00125ed6251a83197198a0
SHA1: 2d56215171527a416738fafad50507d19c272d12
SHA256: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1
SHA512: 26923b90f0b1cc288f18d1328766e841353803e5424c540203014eee246d435ec8ce7617c30ed240d0bd3ad4c21f1bc48e880d44286f4b411ddf3e68fed4de24
SSDEEP: 196608:CgmQehFTgEXFs9TunQN9SlhoEsww034t1m9vn9Jmr5BNEgddGVFZzNHIgLe9vyQ:CgmdLTnFsk+EHsTh+GrFEeAVFlPe9aQ
Malware Config
Signatures
Downloads MZ/PE file
Deletes itself (1 IoC)
  pid   Process
  2412  cmd.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  2688  latic.exe
  2928  Yloux.exe
  2096  {AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe
Loads dropped DLL (3 IoCs)
  pid   Process
  368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
  2688  latic.exe
  2688  latic.exe
Packer detections (yara)
  resource                                                                    yara_rule
  behavioral1/memory/368-5-0x0000000000400000-0x00000000017E8000-memory.dmp    vmprotect
  behavioral1/files/0x000e0000000126a2-41.dat                                 vmprotect
  behavioral1/files/0x000e0000000126a2-44.dat                                 vmprotect
  behavioral1/files/0x000e0000000126a2-45.dat                                 vmprotect
  behavioral1/memory/2688-48-0x0000000000E30000-0x00000000016BF000-memory.dmp  vmprotect
  behavioral1/memory/2688-51-0x0000000000E30000-0x00000000016BF000-memory.dmp  vmprotect
  behavioral1/memory/368-57-0x0000000000400000-0x00000000017E8000-memory.dmp   vmprotect
  behavioral1/memory/2688-58-0x0000000000E30000-0x00000000016BF000-memory.dmp  vmprotect
  behavioral1/memory/2688-247-0x0000000000E30000-0x00000000016BF000-memory.dmp vmprotect
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: Yloux.exe
  ioc (22 drive roots, in the order reported): \??\O:, \??\R:, \??\T:, \??\X:, \??\Y:, \??\J:, \??\K:, \??\M:, \??\W:, \??\G:, \??\N:, \??\S:, \??\I:, \??\Q:, \??\L:, \??\P:, \??\U:, \??\V:, \??\Z:, \??\B:, \??\E:, \??\H:
Drops file in Windows directory (5 IoCs)
  description   ioc                               Process
  File created  C:\windows\Runn\sqlite3.dll       latic.exe
  File created  C:\windows\Runn\Yloux.exe         latic.exe
  File created  C:\windows\Runn\1.bin             latic.exe
  File created  C:\windows\Runn\WindowsTask.exe   latic.exe
  File created  C:\windows\Runn\DuiLib_u.dll      latic.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
  description      ioc                                                                            Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1703227921"      {AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  2604  PING.EXE
Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid   Process
  368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
  368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
  2688  latic.exe
  2928  Yloux.exe  (this row is repeated for the remaining 37 IoCs)
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
  368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
  2928  Yloux.exe
Suspicious use of WriteProcessMemory (19 IoCs; identical rows collapsed, count shown at the end of each row)
  description                        pid   Process                                                                  procid_target  count
  PID 368 wrote to memory of 2688    368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe    28             7
  PID 368 wrote to memory of 2412    368   5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe    29             4
  PID 2412 wrote to memory of 2604   2412  cmd.exe                                                                  31             4
  PID 2688 wrote to memory of 2928   2688  latic.exe                                                                32             4
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"
  PID: 368
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\listp\latic.exe
    command line: C:\listp\latic.exe
    PID: 2688
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\windows\Runn\Yloux.exe
      command line: "C:\windows\Runn\Yloux.exe"
      PID: 2928
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"
    PID: 2412
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1 -n 5
      PID: 2604
      - Runs ping.exe

C:\Users\Admin\AppData\Local\Temp\{AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\{AFD5ED06-B722-4d34-A979-7A8757C80E34}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{6526ACB4-C485-456a-8003-2A0C1848A355}"
  PID: 2096
  - Executes dropped EXE
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads