hxxps://github[.]com/Tenclea/YANG/releases/download/v3[.]2[.]3/yang-windows[.]zip

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-es
resource tags

arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12/07/2023, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Tenclea/YANG/releases/download/v3.2.3/yang-windows.zip

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
224	yang-win.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 49a39a69e6add901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3345817798"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{421CE865-888A-482A-BEE2-5E99D3645378}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3345974009"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD6AC82A-20AF-11EE-AF63-7E3686A5116A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31044796"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31044796"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395321619"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2780	iexplore.exe
2780	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2780	iexplore.exe
2780	iexplore.exe
3136	IEXPLORE.EXE
3136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3136	2780	iexplore.exe	85
PID 2780 wrote to memory of 3136	2780	iexplore.exe	85
PID 2780 wrote to memory of 3136	2780	iexplore.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Tenclea/YANG/releases/download/v3.2.3/yang-windows.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1460

C:\Users\Admin\Downloads\yang-windows\yang-win.exe
"C:\Users\Admin\Downloads\yang-windows\yang-win.exe"
1⤵
- Loads dropped DLL
PID:224

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KACS5BDS\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KACS5BDS\yang-windows[1].zip

Filesize
18.4MB

MD5
703d731f8a4055fcaa9e812cd729b11b

SHA1
4e776010f1c65ce89981c6f7d19d25553179a514

SHA256
2cd37d107e57e420073dc4986b33ef7bb1cc9ef3824640354cec4de8ed8c2f30

SHA512
e49f54c0e23a0a5e4cbe6dfe516acc357a4791c0374627aced6072b7498fa3496c5398a2841b85c9b09c861f252cace7af31b17df17d69d5bc97ffc49c28f746

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\6950474f61b82b5059ac0b72e865a66e8737318acee1af1ea9afaa9f10f82fde\node-dpapi-master\build\Release\node-dpapi.node

Filesize
141KB

MD5
6087fe08498ca09cbf63a337735820eb

SHA1
41c2d398f5de6bae241c988da13a630a989d4345

SHA256
6950474f61b82b5059ac0b72e865a66e8737318acee1af1ea9afaa9f10f82fde

SHA512
d2daf385634ef6ddb97f40b919f700b3b4154716e86eb61bcf7fb94da6436c2f08286e2021ef4cb68b92f7b93f4b0e83b67b334c427128624b595c2216507ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\6950474f61b82b5059ac0b72e865a66e8737318acee1af1ea9afaa9f10f82fde\node-dpapi-master\build\Release\node-dpapi.node

Filesize
141KB

MD5
6087fe08498ca09cbf63a337735820eb

SHA1
41c2d398f5de6bae241c988da13a630a989d4345

SHA256
6950474f61b82b5059ac0b72e865a66e8737318acee1af1ea9afaa9f10f82fde

SHA512
d2daf385634ef6ddb97f40b919f700b3b4154716e86eb61bcf7fb94da6436c2f08286e2021ef4cb68b92f7b93f4b0e83b67b334c427128624b595c2216507ec0

Download Submit
C:\Users\Admin\Downloads\yang-windows.zip.s2h4cix.partial

Filesize
18.4MB

MD5
703d731f8a4055fcaa9e812cd729b11b

SHA1
4e776010f1c65ce89981c6f7d19d25553179a514

SHA256
2cd37d107e57e420073dc4986b33ef7bb1cc9ef3824640354cec4de8ed8c2f30

SHA512
e49f54c0e23a0a5e4cbe6dfe516acc357a4791c0374627aced6072b7498fa3496c5398a2841b85c9b09c861f252cace7af31b17df17d69d5bc97ffc49c28f746

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads