ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
Size

446KB
MD5

0d47d733753cbcc7117f987d860d0232
SHA1

72c7a1c30d33a32a849b43030f82e2743d1b0d76
SHA256

ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1
SHA512

324c67156bdf3d1d1892075552b7a5c6519f3c714d4bc41f18c72b47b69ca4b17a74580005f772e9bc3c380ec1f3228e2150b6772eab16eb62c0cc41be9295e0
SSDEEP

12288:sQ3wmKKS7E/iWaYBD5SwWZCLc39cHX3VLcR:sewho6WaYBekaaHBk

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2796	yx_zusen.exe
1528	yz_pane.exe
1984	yz_pane.exe
1776	yz_pane.exe

Loads dropped DLL 9 IoCs

pid	Process
2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
2796	yx_zusen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	yz_pane.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yx_zusen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000016591-7.dat	nsis_installer_1
behavioral1/files/0x0009000000016591-7.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	yz_pane.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
2796	yx_zusen.exe
2796	yx_zusen.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe
1984	yz_pane.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1528	yz_pane.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	yz_pane.exe
1776	yz_pane.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2512 wrote to memory of 2796	2512	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	32
PID 2796 wrote to memory of 1528	2796	yx_zusen.exe	34
PID 2796 wrote to memory of 1528	2796	yx_zusen.exe	34
PID 2796 wrote to memory of 1528	2796	yx_zusen.exe	34
PID 2796 wrote to memory of 1528	2796	yx_zusen.exe	34
PID 2796 wrote to memory of 1776	2796	yx_zusen.exe	35
PID 2796 wrote to memory of 1776	2796	yx_zusen.exe	35
PID 2796 wrote to memory of 1776	2796	yx_zusen.exe	35
PID 2796 wrote to memory of 1776	2796	yx_zusen.exe	35
PID 2796 wrote to memory of 1984	2796	yx_zusen.exe	36
PID 2796 wrote to memory of 1984	2796	yx_zusen.exe	36
PID 2796 wrote to memory of 1984	2796	yx_zusen.exe	36
PID 2796 wrote to memory of 1984	2796	yx_zusen.exe	36

C:\Users\Admin\AppData\Local\Temp\ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
"C:\Users\Admin\AppData\Local\Temp\ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe
  "C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /ShowDeskTop
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1528
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /autorun /setuprun
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1776
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /setupsucc
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe

Filesize
848KB

MD5
f5fce043a266908ebf0503a96604dea6

SHA1
9d548adbe2b4e8f5d2c2e061acb176cb5a8d40f2

SHA256
1bd93454d32e64b6fbe7d90bce055c8ca968c31de0bca47b6a30992b8ed5a6f0

SHA512
b59b4aca200bfd3219ba99617560f18a132a4653c8cae47f6f672fdc629efe66e404e2b3b2e0be7cc642cef658d20021255d0f77121a67c9d919b37e6548e3b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\»¯ÉñÎÞµÐ.lnk

Filesize
864B

MD5
aaba6bc7239f0e36d25d60e8d5b6470b

SHA1
b7e4eafe54e84829050890894a8eb48462c92241

SHA256
88e0ad0aed3b3f1a85d0c10047a61424b4720400db132259dd2c7d727c896186

SHA512
c392d3f004e7cdee3e5f305d52e52fb1e6da312d7f64725be452e5b503ad700455a6d6d5a9fb035282bd6398c2d785c5632a5ac95ad5a3e0239ad1ddd3848822

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\Lander.ini

Filesize
413B

MD5
adce9104fbd32e0d42d2aad5ec769f70

SHA1
cb273e5cf0e394636772aef9724dce85c3701d0e

SHA256
9036512b2c85bf25907548da5a8176809757284da8016025a86a522d1bad729c

SHA512
437118308a907c6a3979b7fd87e60d8924a7760cdff74505da2e9ac46f0583d8e467c627d572270fb837cbb6aa14c13c6f5636e095393b66821728fd23f015d5

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\Lander.ini

Filesize
457B

MD5
b4678159c66c0c535bfd2354aac7a9fe

SHA1
40e359d86ac647523009e47ec0aea83f15bac35d

SHA256
506cca890c0928b4d3c1814fd71c6913c63566a9efde1a101101b0c350148276

SHA512
bf703078d30e78f643dd8f3ff1c19c9f9bdb105583d9afc3e65ed05b3ed634ce86516255f3b5e34c320f37d38f45968a69a3d49a995c83284bdbb90cac4eb485

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\Lander.ini

Filesize
652B

MD5
716cda23043b3e99110fcb5cfed7f0da

SHA1
c581cb80ea1b494c2ac8b68eacafee22588607cc

SHA256
4904398924352da8c917dc0fbe3bb63a5040a0dd7fb45721a6f0f55c753c2842

SHA512
ce3b5d0833cdbf5c6763cfd784582e890d9d9229900abcbf181b0f0576aaffaf3063e3d61a0eaf768ba81af2f29f2f3666514b371f98726583d4cf3b3925f090

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\lander.ini

Filesize
394B

MD5
99b9b9a6474ed3612feec822be2fcc15

SHA1
c50194edb2c24ee53f6ed64fd9e52abe3f5cbdbb

SHA256
228e12d5bbeead171ecfc58adb09143555c108a2ee5470d57c26d2e0b06fd73f

SHA512
aef16ec0631176e8fe8dc6707effc2046f3432ee33e1451ba706fb6830d85211207de054a589fdf491ce3ea5e397891594234cd35fb23d32c861f6701db9aab3

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\lander.ini

Filesize
413B

MD5
7c61dbf31b865fd7fec942c550d3334a

SHA1
7ce75f5d61c2461950465247d73236aad148d7cb

SHA256
3ee29651f5d688d9b76f8f647a440811c3b9386c3d1a9433851b3fb0e76bdb23

SHA512
3cf9d30df3bd07d502741720fa46e0ab857f710cf316e0e8acb3704cf1317fe8680fb90eccd2c66d7f4e1255cd4340e14308cdbdb16b78f5af5eeffb891a5218

Download Submit
\Users\Admin\AppData\Local\Temp\nst6A7.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6A7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe

Filesize
893KB

MD5
fa5a0cc225ac34d5e0f5cbbaac6bd4cc

SHA1
ce88a67a1c17325c7e82ec4815e023e9472662b0

SHA256
b37e364e03ecfc2fb5160431a575cb2f9d150da520ea1c917c2afc4b85548a61

SHA512
afad524600bf6f4c0c2dd64c38f01e7b72c94ae4a5fe93c6a8b6f02477542797fb5f82b3c03db5f56e0d1d9ff9adea48aeacf5935954a7242a5246107f5ad61b

Download Submit
memory/2512-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2512-1-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2512-91-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2512-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2796-25-0x00000000006F0000-0x00000000006F3000-memory.dmp

Filesize
12KB

Download
memory/2796-26-0x00000000006F1000-0x00000000006F2000-memory.dmp

Filesize
4KB

Download
memory/2796-92-0x00000000006F1000-0x00000000006F2000-memory.dmp

Filesize
4KB

Download
memory/2796-101-0x00000000006F0000-0x00000000006F3000-memory.dmp

Filesize
12KB

Download