ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1

General

Target

ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
Size

446KB
MD5

0d47d733753cbcc7117f987d860d0232
SHA1

72c7a1c30d33a32a849b43030f82e2743d1b0d76
SHA256

ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1
SHA512

324c67156bdf3d1d1892075552b7a5c6519f3c714d4bc41f18c72b47b69ca4b17a74580005f772e9bc3c380ec1f3228e2150b6772eab16eb62c0cc41be9295e0
SSDEEP

12288:sQ3wmKKS7E/iWaYBD5SwWZCLc39cHX3VLcR:sewho6WaYBekaaHBk

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	yx_zusen.exe

Executes dropped EXE 5 IoCs

pid	Process
1888	yx_zusen.exe
4812	yz_pane.exe
4460	yz_pane.exe
3704	yz_pane.exe
1048	yz_pane.exe

Loads dropped DLL 3 IoCs

pid	Process
1888	yx_zusen.exe
1888	yx_zusen.exe
1888	yx_zusen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	yz_pane.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yx_zusen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz_pane.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a00000002337b-7.dat	nsis_installer_1
behavioral2/files/0x000a00000002337b-7.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
1888	yx_zusen.exe
1888	yx_zusen.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe
1048	yz_pane.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4460	yz_pane.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4812	yz_pane.exe
4812	yz_pane.exe
3704	yz_pane.exe
3704	yz_pane.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 1888	4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	94
PID 4824 wrote to memory of 1888	4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	94
PID 4824 wrote to memory of 1888	4824	ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe	94
PID 1888 wrote to memory of 4812	1888	yx_zusen.exe	95
PID 1888 wrote to memory of 4812	1888	yx_zusen.exe	95
PID 1888 wrote to memory of 4812	1888	yx_zusen.exe	95
PID 1888 wrote to memory of 4460	1888	yx_zusen.exe	96
PID 1888 wrote to memory of 4460	1888	yx_zusen.exe	96
PID 1888 wrote to memory of 4460	1888	yx_zusen.exe	96
PID 1888 wrote to memory of 3704	1888	yx_zusen.exe	97
PID 1888 wrote to memory of 3704	1888	yx_zusen.exe	97
PID 1888 wrote to memory of 3704	1888	yx_zusen.exe	97
PID 1888 wrote to memory of 1048	1888	yx_zusen.exe	98
PID 1888 wrote to memory of 1048	1888	yx_zusen.exe	98
PID 1888 wrote to memory of 1048	1888	yx_zusen.exe	98

C:\Users\Admin\AppData\Local\Temp\ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe
"C:\Users\Admin\AppData\Local\Temp\ca60890177f092087f37050cdce91a3ef1f932651bd200f76625c8a13ba2ebf1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe
  "C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" SW_SHOWNORMAL
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4812
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /ShowDeskTop
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:4460
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /autorun /setuprun
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3704
- - C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe
    "C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe" /setupsucc
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshB279.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB279.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yx_zusen.exe

Filesize
848KB

MD5
f5fce043a266908ebf0503a96604dea6

SHA1
9d548adbe2b4e8f5d2c2e061acb176cb5a8d40f2

SHA256
1bd93454d32e64b6fbe7d90bce055c8ca968c31de0bca47b6a30992b8ed5a6f0

SHA512
b59b4aca200bfd3219ba99617560f18a132a4653c8cae47f6f672fdc629efe66e404e2b3b2e0be7cc642cef658d20021255d0f77121a67c9d919b37e6548e3b6

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\Lander.ini

Filesize
425B

MD5
f8e135d1dc38b247b845ae2b4d880f84

SHA1
d2b790aac4bb70206016386159b3fb9ff37f0fca

SHA256
2b9f453c6b4fb41b98729881a1a9a3188b7401e85f454d4f9eb3ca456359bc3d

SHA512
0aaff2d16dc4f75d03934d4fb9d05e85eb6bc02a09067b86607a1fa5f14748ce638dec04ceb01a2d2c541892f5eb9797674a28f121e9de3d4fac7e11c8bb21c1

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\Lander.ini

Filesize
457B

MD5
4a418b10b247f21f2f382ec92d547894

SHA1
6868a748c7a5c4ab34e5944ef6ac6b4f1cb8f61b

SHA256
7ce9abd5e2a49a2fb0725da50ce3575707c1fe870ec80d5175dcd0b62803ab1e

SHA512
2e8c9ce52d637c74197f8041c26a83e1d80ae228bfeff3e117f8152ecd15880445f144e44d890ddffe4a3c70f5965d064c1428869ba19a853f3f1bc2d7347814

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\lander.ini

Filesize
394B

MD5
99b9b9a6474ed3612feec822be2fcc15

SHA1
c50194edb2c24ee53f6ed64fd9e52abe3f5cbdbb

SHA256
228e12d5bbeead171ecfc58adb09143555c108a2ee5470d57c26d2e0b06fd73f

SHA512
aef16ec0631176e8fe8dc6707effc2046f3432ee33e1451ba706fb6830d85211207de054a589fdf491ce3ea5e397891594234cd35fb23d32c861f6701db9aab3

Download Submit
C:\Users\Admin\AppData\Roaming\yz_pane\yz_pane.exe

Filesize
893KB

MD5
fa5a0cc225ac34d5e0f5cbbaac6bd4cc

SHA1
ce88a67a1c17325c7e82ec4815e023e9472662b0

SHA256
b37e364e03ecfc2fb5160431a575cb2f9d150da520ea1c917c2afc4b85548a61

SHA512
afad524600bf6f4c0c2dd64c38f01e7b72c94ae4a5fe93c6a8b6f02477542797fb5f82b3c03db5f56e0d1d9ff9adea48aeacf5935954a7242a5246107f5ad61b

Download Submit
memory/1888-32-0x0000000004810000-0x0000000004813000-memory.dmp

Filesize
12KB

Download
memory/1888-28-0x0000000004810000-0x0000000004813000-memory.dmp

Filesize
12KB

Download
memory/1888-33-0x0000000004811000-0x0000000004812000-memory.dmp

Filesize
4KB

Download
memory/4824-0-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4824-1-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/4824-2-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4824-78-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads