Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/12/2023, 09:48
Behavioral task behavioral1
- Sample: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
- Resource: win10v2004-20231215-en
General
- Target: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
- Size: 5.3MB
- MD5: 22724dac24a468e53cfe5dad6c8248b0
- SHA1: 99981aff0b1775449e8807bb1651258c5643ac7c
- SHA256: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6
- SHA512: 9d23b6e694423b15e55f621b60a5783c2633e32b0386bec1576e9762475720ef589fa9f9532c94af7f7c7e9e79618fb30d0b86b16bc62a6a81580336758a246d
- SSDEEP: 98304:NU6htI5apaQZzEkRERspC/AbA4jaZiRRt0pTLWmrCrBqm:NiSVEt4bA4j2It0110g
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation (process: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe)
- Executes dropped EXE (2 IoCs)
  PID 632: Yloux.exe
  PID 216: {60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe
- yara_rule vmprotect matched in the following resources:
  behavioral2/memory/3600-1-0x0000000000580000-0x0000000000DEE000-memory.dmp
  behavioral2/memory/3600-3-0x0000000000580000-0x0000000000DEE000-memory.dmp
  behavioral2/memory/3600-30-0x0000000000580000-0x0000000000DEE000-memory.dmp
  behavioral2/memory/3600-184-0x0000000000580000-0x0000000000DEE000-memory.dmp
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Yloux.exe: \??\M:, \??\Q:, \??\Z:, \??\E:, \??\I:, \??\H:, \??\L:, \??\P:, \??\T:, \??\U:, \??\W:, \??\B:, \??\G:, \??\S:, \??\V:, \??\X:, \??\K:, \??\N:, \??\R:, \??\Y:, \??\J:, \??\O:
- Drops file in Windows directory (5 IoCs)
  File created by 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe: C:\windows\Runn\WindowsTask.exe, C:\windows\Runn\DuiLib_u.dll, C:\windows\Runn\sqlite3.dll, C:\windows\Runn\Yloux.exe, C:\windows\Runn\1.bin
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings (process: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1703238513" (process: {60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3600: 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe (2 entries)
  PID 632: Yloux.exe (remaining 62 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 632: Yloux.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  PID 3600 wrote to memory of 632 (pid 3600, process 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe, procid_target 96)
  PID 3600 wrote to memory of 632 (pid 3600, process 1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe, procid_target 96)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a43b929c62d20c34c0cf85d624864dfce246ea5ba37a2cf9e35872f11fa6da6.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3600
  - (child) C:\windows\Runn\Yloux.exe
    Command line: "C:\windows\Runn\Yloux.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 632
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4316
- C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\{60EB6711-E5CB-4b38-890A-68FAE6C8A362}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{A21E22C3-E1AD-4808-BFB9-A80BA3620690}"
  - Executes dropped EXE
  - Modifies registry class
  PID: 216
Network
MITRE ATT&CK Enterprise v15
Downloads