feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963

Analysis

max time kernel
84s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
Size

10.6MB
MD5

9ea06e2ba709b7aaf037b50fc7632dfb
SHA1

a2d6829a9f2b00971b3ef84cb99393145654359d
SHA256

feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963
SHA512

3884c487c03ae05413279126f88dabd2848c98a1167c31e47a3801c5ec71cd669a3699417ac810775700dcb9b8604a03573f52db164ab3346d970bd1fa4e34df
SSDEEP

196608:vHBJ/2/o87W4NfDpk0imvabSJ67aMeCCB/B/kMmfNv8JwY:ZL87hlfiCXJmHelvwvH

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3448	latic.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/368-3-0x0000000000400000-0x00000000017CF000-memory.dmp	vmprotect
behavioral2/memory/368-7-0x0000000000400000-0x00000000017CF000-memory.dmp	vmprotect
behavioral2/files/0x000800000002317f-14.dat	vmprotect
behavioral2/files/0x000800000002317f-15.dat	vmprotect
behavioral2/memory/3448-18-0x0000000000B80000-0x000000000140D000-memory.dmp	vmprotect
behavioral2/memory/3448-19-0x0000000000B80000-0x000000000140D000-memory.dmp	vmprotect
behavioral2/memory/368-21-0x0000000000400000-0x00000000017CF000-memory.dmp	vmprotect
behavioral2/memory/3448-22-0x0000000000B80000-0x000000000140D000-memory.dmp	vmprotect
behavioral2/memory/3448-201-0x0000000000B80000-0x000000000140D000-memory.dmp	vmprotect

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\Runn\Yloux.exe	latic.exe
File created	C:\windows\Runn\1.bin	latic.exe
File created	C:\windows\Runn\WindowsTask.exe	latic.exe
File created	C:\windows\Runn\DuiLib_u.dll	latic.exe
File created	C:\windows\Runn\sqlite3.dll	latic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4720	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
3448	latic.exe
3448	latic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3448	368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	91
PID 368 wrote to memory of 3448	368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	91
PID 368 wrote to memory of 3448	368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	91
PID 368 wrote to memory of 4364	368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	95
PID 368 wrote to memory of 4364	368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	95
PID 368 wrote to memory of 4364	368	feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe	95
PID 4364 wrote to memory of 4720	4364	cmd.exe	93
PID 4364 wrote to memory of 4720	4364	cmd.exe	93
PID 4364 wrote to memory of 4720	4364	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe
"C:\Users\Admin\AppData\Local\Temp\feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\listp\latic.exe
  C:\listp\latic.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3448
- - C:\windows\Runn\Yloux.exe
    "C:\windows\Runn\Yloux.exe"
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Local\Temp\feb930103257de5b8a469d39d3b3d5eb836e04395fefac1bcfbfe673e249d963.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
1⤵
- Runs ping.exe
PID:4720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\{32BB3256-83FA-4da7-A1FC-70B706FC89B7}.exe
"C:\Users\Admin\AppData\Local\Temp\{32BB3256-83FA-4da7-A1FC-70B706FC89B7}.exe" /s "C:\Users\Admin\AppData\Local\Temp\\{83F31CC2-5885-465a-81FC-44F1A69211BC}"
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
998B

MD5
0c1741e2bbde7991a9ed7c0c20104170

SHA1
72a7c6110c609a10cedd092faed7be46c85209d9

SHA256
40863b6672cf3e66a600b219fd3e7f1b184e0671a56e59ba8f094f159adde1bd

SHA512
2e9b3cf3a391e8c674fa446851962255ec68338ac831daf0116b3dbea0541daf82d6dc7ec576988abbfa773c6044e348b95fd42367aa353412de0698a979ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
174B

MD5
510533962b323de6b24331b38672aa57

SHA1
518fb8c2ee1a8dddca9dfe0fa3a0fcc481d197d1

SHA256
f7f573d4ef9ffa1f2b96201a1d92ff57ce344e536096aba17107d61f82e6834a

SHA512
251ee3c9d8303cd05c6008205d76c6272d102090dcae5865ab4568381db34446530fa4d50ec84aeae05030207940cf36656d9cae26620a8b79f9e618492e8be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
818B

MD5
77c2db7ab486f1fdd3da2244188bf338

SHA1
7dea1ff59195e6be17e34169e6ac8b324b7c191c

SHA256
f80cc9a43fbe0b01acc721ec638af09906289b3671a3e936778aad39d6cb8b3b

SHA512
0539a61c573caeecdda11683387ef68b159f00a83bbba5efd0e783625fdcc969e6efb2aae0be1b0d2b12f44c2ffb97d93c6b0cc2f79663d321d7939414908b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32BB3256-83FA-4da7-A1FC-70B706FC89B7}.exe

Filesize
64KB

MD5
320809a4bd3036ba2e333a04f6696c45

SHA1
b9fb0e084667102a51ed1dbf79b6e3f1e19051ca

SHA256
930b11955b564204f70bbec3cd54df42e70a6bb1a3419a78888525f8db82eadd

SHA512
c9a6e726539a084535d37a36d01ca0427f5cb1ebb02fc4bd398090e3ac612108b86af6dddc251dcc5848ad45cf10347fc822ec2f52282f57b29ec199f97cf2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\{32BB3256-83FA-4da7-A1FC-70B706FC89B7}.exe

Filesize
93KB

MD5
34797355873773c3af505ee7a3890880

SHA1
84bd23b2458c39ed1e8db23ed25d3237b57cc444

SHA256
f00b45c8679b24a0fea5c3540918ef55488582b532d42e386503bfb3e1f11657

SHA512
00ec0c1e7943ea56c2aa58e558dd78250423bbf3c5f2960a653463214718c38a34eaa450274fac47eb9043d7497b7f9e8b61079114ead5f8ef62e17f889e8417

Download Submit
C:\Users\Admin\AppData\Local\Temp\{83F31CC2-5885-465a-81FC-44F1A69211BC}

Filesize
215B

MD5
d0d599e04e8ac70a4506d930093a8b8b

SHA1
6a1dda26470cccb7dad297ab05784c92f7a4d745

SHA256
9214d015294574e655db36b2a6ba521e25d398333e3a5fb6ab346a9082129fd6

SHA512
8186ae0b585e496d2cfe83ac7b6346267e5856c08539eda65b4633fa0026eb552d72d64220047fad936b472270c5dd285614b44c96ee11b4b7c36a358b873840

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
90KB

MD5
b5c04258ce858aa7777de6a8ad17a9d7

SHA1
c2ad901266bd2882004ef45719ea64d9d5deb83b

SHA256
0cb32e5f425d35a6cccbd48ec70267bd789c0c22ba3d9abf753ed17c3ce26b6c

SHA512
9d94de378a52b306b78025c958f6b5a84a446989c656737cea34826f8a1520a269c3a378a8bf0abdccbade2145e7d9699eea3f447c0fb63c9cce0c6da5ed35cd

Download Submit
C:\Windows\Runn\Yloux.exe

Filesize
59KB

MD5
977a918bafadb5bae70eee0c8c320120

SHA1
eaba506ce370e51e5a09b24987942eccd167d970

SHA256
2f3e14d79e2deb9cdee253737a4cfa8b69594762a90f61ba8f27661066f6224c

SHA512
e5598fd1f47731e39faee184db02873a8851560fc2c008865640a6103462e2004e5de47c4a6b1e8372397b096e07db54e487bd44348deebf4783ff95790e7a3b

Download Submit
C:\listp\latic.exe

Filesize
840KB

MD5
7cf05de7742618637ae40fb490ec737c

SHA1
11975f7da7312f59216bcfd79bda99f1c2a36489

SHA256
654c9a52e062a5e3d1f18355683366794e5dfac096cbb6331bfce4d5fa19379e

SHA512
240419bdf7c9588e787baa157d0a37f090dda956c61ac94ec70422f55b3ed6d04dd486806c34666f1c8227cbe49eaf97878a7a6f63307e6dad6e4d5ff8fc2691

Download Submit
C:\listp\latic.exe

Filesize
1.5MB

MD5
fa5f8b93468716a54cb1aa777f081f3a

SHA1
27e57cf1d8a1f0fe416ffb30a020a7dcab31505c

SHA256
54e19231f4162f26eebf350a1f7953a560881454a94c9fa0f39260b24bf7938a

SHA512
958c95add616b67eeb395342917e3748c7828582b2842b3e45f777e6a4e1d59e864d15e797dc1f8af6605b42fd177907dd8dc0525f5f674b3a49bf0d35b32a9c

Download Submit
C:\windows\Runn\1.bin

Filesize
39KB

MD5
96d23d8b0ee9fb88c944108bc59ad3fe

SHA1
51085b37f7680577fc7065d973bc3f5ad1a50ce3

SHA256
6b9780c28bafbbd0b54b28ea1f7327d8ef1b94c571311ab986239a9fc9cdc1af

SHA512
778c04b574d2fe95d067036f517a59d27db61f70230caffaeea4fd32a70ac4dcd26c638fda6d23838c2871d3290de70d0224c219afb061340b25c8fcad82892b

Download Submit
C:\windows\Runn\Yloux.exe

Filesize
230KB

MD5
3803e316d27a3d475784c259b96c70f7

SHA1
6c8a5ab0922566e2d81abda85ea14a79412fb457

SHA256
bffafe05871b7a801266f008db4a42c90e92c8f4baf0afa2d1d91dbaea933b3d

SHA512
efd283b062ce50e6d1f493d58ae5161b9d27b2cc388aff646839cafedfa696f22a12adef187a6e0a78cf0eb5e0c210eca871fafe7f353dbedcfbb2c25e2b8168

Download Submit
memory/368-8-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/368-7-0x0000000000400000-0x00000000017CF000-memory.dmp

Filesize
19.8MB

Download
memory/368-21-0x0000000000400000-0x00000000017CF000-memory.dmp

Filesize
19.8MB

Download
memory/368-6-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/368-5-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/368-4-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/368-3-0x0000000000400000-0x00000000017CF000-memory.dmp

Filesize
19.8MB

Download
memory/368-2-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/368-1-0x0000000001A20000-0x0000000001A21000-memory.dmp

Filesize
4KB

Download
memory/368-0-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download
memory/1156-43-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-218-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-51-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-56-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1156-50-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-42-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1156-49-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-202-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-216-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/1156-214-0x00000000026E0000-0x0000000002724000-memory.dmp

Filesize
272KB

Download
memory/1156-209-0x00000000026E0000-0x0000000002724000-memory.dmp

Filesize
272KB

Download
memory/1156-208-0x00000000026E0000-0x0000000002724000-memory.dmp

Filesize
272KB

Download
memory/1156-205-0x00000000026E0000-0x0000000002724000-memory.dmp

Filesize
272KB

Download
memory/1156-207-0x00000000026E0000-0x0000000002724000-memory.dmp

Filesize
272KB

Download
memory/1156-204-0x0000000002680000-0x00000000026BE000-memory.dmp

Filesize
248KB

Download
memory/1156-203-0x0000000180000000-0x0000000180033000-memory.dmp

Filesize
204KB

Download
memory/3448-24-0x0000000010000000-0x0000000010607000-memory.dmp

Filesize
6.0MB

Download
memory/3448-201-0x0000000000B80000-0x000000000140D000-memory.dmp

Filesize
8.6MB

Download
memory/3448-18-0x0000000000B80000-0x000000000140D000-memory.dmp

Filesize
8.6MB

Download
memory/3448-16-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/3448-19-0x0000000000B80000-0x000000000140D000-memory.dmp

Filesize
8.6MB

Download
memory/3448-22-0x0000000000B80000-0x000000000140D000-memory.dmp

Filesize
8.6MB

Download
memory/3448-23-0x0000000003E10000-0x0000000004412000-memory.dmp

Filesize
6.0MB

Download