Analysis

max time kernel
139s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
22/12/2023, 09:48
Behavioral task
behavioral1
Sample
1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
Resource
win10v2004-20231215-en
General

Target
1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
Size
5.3MB
MD5
22724dac24a468e53cfe5dad6c8248b0
SHA1
99981aff0b1775449e8807bb1651258c5643ac7c
SHA256
1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6
SHA512
9d23b6e694423b15e55f621b60a5783c2633e32b0386bec1576e9762475720ef589fa9f9532c94af7f7c7e9e79618fb30d0b86b16bc62a6a81580336758a246d
SSDEEP
98304:NU6htI5apaQZzEkRERspC/AbA4jaZiRRt0pTLWmrCrBqm:NiSVEt4bA4j2It0110g
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 2744  Process Yloux.exe

Loads dropped DLL (1 IoC)
pid 2960  Process 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe

Memory resource / yara_rule matches
behavioral1/memory/2960-2-0x0000000000F60000-0x00000000017CE000-memory.dmp   vmprotect
behavioral1/memory/2960-5-0x0000000000F60000-0x00000000017CE000-memory.dmp   vmprotect
behavioral1/memory/2960-34-0x0000000000F60000-0x00000000017CE000-memory.dmp  vmprotect
behavioral1/memory/2960-46-0x0000000000F60000-0x00000000017CE000-memory.dmp  vmprotect

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)  Process: Yloux.exe
ioc (in order observed): \??\H:, \??\L:, \??\R:, \??\U:, \??\V:, \??\W:, \??\B:, \??\K:, \??\Q:, \??\S:, \??\T:, \??\I:, \??\M:, \??\N:, \??\O:, \??\X:, \??\Z:, \??\E:, \??\G:, \??\J:, \??\P:, \??\Y:

Drops file in Windows directory (5 IoCs)
description: File created  Process: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
ioc:
C:\windows\Runn\sqlite3.dll
C:\windows\Runn\Yloux.exe
C:\windows\Runn\1.bin
C:\windows\Runn\WindowsTask.exe
C:\windows\Runn\DuiLib_u.dll
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (38 IoCs)
pid 2960  Process 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe  (1 entry)
pid 2744  Process Yloux.exe  (37 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid 2744  Process Yloux.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2960 wrote to memory of 2744  pid 2960  Process 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe  procid_target 28  (4 identical entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe"
  PID: 2960
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\windows\Runn\Yloux.exe  (child of PID 2960)
    command line: "C:\windows\Runn\Yloux.exe"
    PID: 2744
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
176KB
MD5
2d3418c6602a6a952f665509558c4a5c
SHA1
2f701f0f121f13abecfc10311c5db1a63c227f72
SHA256
9f3d4d68da154c13657816aa787e6766fc28c8820da748aa4398daf7bc435e43
SHA512
d0b24e3c81a9bb08b45560d3a8389c2212059c525c617b66ef5bbe8a920851509de3d5982ecabdb432315d9b231f259efdaffc6d0fd7cea27c9d38a4c8dc7232

Filesize
328KB
MD5
0429f275b221c39db1980a9c0c138d88
SHA1
4b5a96f2f5127462b59fa5c8aa3285898284fd79
SHA256
15037c378cf027a87cc278e0390b01a35657f8412a0d1571db2d423a605af884
SHA512
d8f0d1139464a8c799b9fb662250d4cbf711b2c6611b24520943e9d877ab6379a5c3716e95c5e76d6a5593756dbb64eaca8ea1c668f5ec43f3e521c7fd16fcce