Analysis
max time kernel: 160s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 06:50
Behavioral task: behavioral1
Sample: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
Resource: win10v2004-20231215-en
General
Target: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
Size: 10.7MB
MD5: 2c7c5e63ff00125ed6251a83197198a0
SHA1: 2d56215171527a416738fafad50507d19c272d12
SHA256: 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1
SHA512: 26923b90f0b1cc288f18d1328766e841353803e5424c540203014eee246d435ec8ce7617c30ed240d0bd3ad4c21f1bc48e880d44286f4b411ddf3e68fed4de24
SSDEEP: 196608:CgmQehFTgEXFs9TunQN9SlhoEsww034t1m9vn9Jmr5BNEgddGVFZzNHIgLe9vyQ:CgmdLTnFsk+EHsTh+GrFEeAVFlPe9aQ
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | latic.exe
Executes dropped EXE (3 IoCs)
pid | Process
3172 | latic.exe
1000 | Yloux.exe
2684 | {54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe
resource | yara_rule
behavioral2/memory/2580-0-0x0000000000400000-0x00000000017E8000-memory.dmp | vmprotect
behavioral2/memory/2580-8-0x0000000000400000-0x00000000017E8000-memory.dmp | vmprotect
behavioral2/files/0x000600000002322d-13.dat | vmprotect
behavioral2/files/0x000600000002322d-14.dat | vmprotect
behavioral2/memory/3172-16-0x00000000002C0000-0x0000000000B4F000-memory.dmp | vmprotect
behavioral2/memory/3172-17-0x00000000002C0000-0x0000000000B4F000-memory.dmp | vmprotect
behavioral2/memory/2580-19-0x0000000000400000-0x00000000017E8000-memory.dmp | vmprotect
behavioral2/memory/3172-40-0x00000000002C0000-0x0000000000B4F000-memory.dmp | vmprotect
behavioral2/memory/3172-207-0x00000000002C0000-0x0000000000B4F000-memory.dmp | vmprotect
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Yloux.exe
File opened (read-only) | \??\Z: | Yloux.exe
File opened (read-only) | \??\E: | Yloux.exe
File opened (read-only) | \??\L: | Yloux.exe
File opened (read-only) | \??\P: | Yloux.exe
File opened (read-only) | \??\R: | Yloux.exe
File opened (read-only) | \??\W: | Yloux.exe
File opened (read-only) | \??\X: | Yloux.exe
File opened (read-only) | \??\Y: | Yloux.exe
File opened (read-only) | \??\G: | Yloux.exe
File opened (read-only) | \??\K: | Yloux.exe
File opened (read-only) | \??\J: | Yloux.exe
File opened (read-only) | \??\S: | Yloux.exe
File opened (read-only) | \??\T: | Yloux.exe
File opened (read-only) | \??\U: | Yloux.exe
File opened (read-only) | \??\V: | Yloux.exe
File opened (read-only) | \??\H: | Yloux.exe
File opened (read-only) | \??\I: | Yloux.exe
File opened (read-only) | \??\O: | Yloux.exe
File opened (read-only) | \??\Q: | Yloux.exe
File opened (read-only) | \??\B: | Yloux.exe
File opened (read-only) | \??\M: | Yloux.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\windows\Runn\WindowsTask.exe | latic.exe
File created | C:\windows\Runn\DuiLib_u.dll | latic.exe
File created | C:\windows\Runn\sqlite3.dll | latic.exe
File created | C:\windows\Runn\Yloux.exe | latic.exe
File created | C:\windows\Runn\1.bin | latic.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | latic.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1703227932" | {54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe
Runs ping.exe (1 TTP, 1 IoC)
pid | Process
2308 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 4
3172 | latic.exe | 2
1000 | Yloux.exe | 58
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
1000 | Yloux.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2580 wrote to memory of 3172 | 2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 91
PID 2580 wrote to memory of 3172 | 2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 91
PID 2580 wrote to memory of 3172 | 2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 91
PID 2580 wrote to memory of 4652 | 2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 93
PID 2580 wrote to memory of 4652 | 2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 93
PID 2580 wrote to memory of 4652 | 2580 | 5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe | 93
PID 4652 wrote to memory of 2308 | 4652 | cmd.exe | 94
PID 4652 wrote to memory of 2308 | 4652 | cmd.exe | 94
PID 4652 wrote to memory of 2308 | 4652 | cmd.exe | 94
PID 3172 wrote to memory of 1000 | 3172 | latic.exe | 98
PID 3172 wrote to memory of 1000 | 3172 | latic.exe | 98
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"
    PID: 2580
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 2] C:\listp\latic.exe
        Command line: C:\listp\latic.exe
        PID: 3172
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\windows\Runn\Yloux.exe
            Command line: "C:\windows\Runn\Yloux.exe"
            PID: 1000
            - Executes dropped EXE
            - Enumerates connected drives
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\5ddf469107cc200a7a635bcafecb7cfbb27d3d8e355ee40cf102a425fd2ef0c1.exe"
        PID: 4652
        - Suspicious use of WriteProcessMemory
        [depth 3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 5
            PID: 2308
            - Runs ping.exe
[depth 1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 3144
[depth 1] C:\Users\Admin\AppData\Local\Temp\{54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\{54BB98AB-51B5-4e3e-A1BC-7B112C698417}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{712767FD-0811-4a38-8ED4-71F2E1D8C9ED}"
    PID: 2684
    - Executes dropped EXE
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads