Overview

overview

9

Static

static

3

ZaynPack.exe

windows10-2004-x64

9

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows10-2004-x64

3

ZaynPack.exe

windows10-2004-x64

9

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows10-2004-x64

1

resources/elevate.exe

windows10-2004-x64

3

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows10-2004-x64

1

$PLUGINSDI...7z.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ZaynPack.exe

  • Size

    76.7MB

  • Sample

    240909-yzrgvszcqd

  • MD5

    7d1d33a7705e794a2f1dfda7033c9d58

  • SHA1

    f4e414765c0fd3f9bd3c25268dee16eed8858bbe

  • SHA256

    74add2b3e90123ac89ca3b1ee41b80e888d00481177c294154f247489fb96cda

  • SHA512

    6c984585af09f9c29250b0f8fc3fbba1f042a97a7aac88c60ddab43b27dad3e5868ac48747fbaefb9cb1e8bbe1527913dbbd8874839c9cdc04d0ef6cd9d04a84

  • SSDEEP

    1572864:k4gPXMorgR2hY80GYgozGffu2MsNxG1i+ozKmC/0zHl1r07:k4AcGgR2u8op4GLcz6/0zHlW7

Score
9/10
collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      ZaynPack.exe

    • Size

      76.7MB

    • MD5

      7d1d33a7705e794a2f1dfda7033c9d58

    • SHA1

      f4e414765c0fd3f9bd3c25268dee16eed8858bbe

    • SHA256

      74add2b3e90123ac89ca3b1ee41b80e888d00481177c294154f247489fb96cda

    • SHA512

      6c984585af09f9c29250b0f8fc3fbba1f042a97a7aac88c60ddab43b27dad3e5868ac48747fbaefb9cb1e8bbe1527913dbbd8874839c9cdc04d0ef6cd9d04a84

    • SSDEEP

      1572864:k4gPXMorgR2hY80GYgozGffu2MsNxG1i+ozKmC/0zHl1r07:k4AcGgR2u8op4GLcz6/0zHlW7

    Score
    9/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    discovery
    behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    discovery
    behavioral3

    • Target

      LICENSES.chromium.html

    • Size

      8.8MB

    • MD5

      2675b30d524b6c79b6cee41af86fc619

    • SHA1

      407716c1bb83c211bcb51efbbcb6bf2ef1664e5b

    • SHA256

      6a717038f81271f62318212f00b1a2173b9cb0cc435f984710ac8355eb409081

    • SHA512

      3214341da8bf3347a6874535bb0ff8d059ee604e779491780f2b29172f9963e23acbe3c534d888f7a3b99274f46d0628962e1e72a5d3fc6f18ca2b62343df485

    • SSDEEP

      24576:cpD6826x5kSWSsRinoHnmfm646a6N6z68SH4SApTJ:cHSek

    Score
    3/10
    discovery
    behavioral4

    • Target

      ZaynPack.exe

    • Size

      164.7MB

    • MD5

      8fc499cf60dfe0f7d6fb100bd80b2466

    • SHA1

      58f03cb58391f4a8a2474965ae9f55169b25d066

    • SHA256

      cb6c76e599ea31283e82d91801975eecbd7e1bb040de97b417889bad20b940a9

    • SHA512

      81c34cdca88c7092ed5057b9e539f5f3ff4d29e63698d04c31d1a4db2ba6ff3cf151024186ef44dfb4a0e64438200629ac8575681c78eff9396076ea3677c727

    • SSDEEP

      1572864:03OB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQ9:MPvt1x2z5m7jN

    Score
    9/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral5

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      2191e768cc2e19009dad20dc999135a3

    • SHA1

      f49a46ba0e954e657aaed1c9019a53d194272b6a

    • SHA256

      7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    • SHA512

      5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

    • SSDEEP

      49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l

    Score
    1/10
    behavioral6

    • Target

      ffmpeg.dll

    • Size

      2.8MB

    • MD5

      a9ea2fab0940c6d0d04deb70e0f81b48

    • SHA1

      a992109beec766bf315da8035a6eaa5c3e4660d2

    • SHA256

      6b721af2850f8654d42585e363e1ffa2e92843b3b84bb2e0074cd954966300ff

    • SHA512

      014e3fafaa84f433c26d77e666ba94f0e364d7ae4268602742af9ab81169601a1e94d20a8a0a4328573b6f36052e2afe0745374c03c71b4d853c825df9372096

    • SSDEEP

      49152:kF5qb84KtStWEK/Ju2lf3tAtiLHQVTf6yfcrhCHDXLl8+0LKSQISCu:kFvSkJXv+tiLAD0+DIS5

    Score
    1/10
    behavioral7

    • Target

      libEGL.dll

    • Size

      477KB

    • MD5

      f1c6c87ee66112b3c7cce3ad1cab59c8

    • SHA1

      cce4f00e654c10ea5408897296a269be79a21a2e

    • SHA256

      5318dc1ede886a1d33c7243f68847e6c29436f3f7d1891a6803c70aaea3a278d

    • SHA512

      ddec01354988ce401a1fbdf06c57b25acfcfd8dfbcd58337f029f579e9f6c7cdc98aeee9001073de88db192d4b7ac6bda4b3bcccf2aa5d8f136aef580c95bcc6

    • SSDEEP

      6144:48hd1BSjuMmof2SEXVVfgV8hxN7h2NvIEOg51f0FticyQ:48DXSjZmof2SEsmN12NvIE7f0FticyQ

    Score
    1/10
    behavioral8

    • Target

      libGLESv2.dll

    • Size

      7.3MB

    • MD5

      d5993dd046fc7331aa3da6a6a68f634f

    • SHA1

      f7a8fa4add31e581d7af8f1e832168e29c7c759a

    • SHA256

      158cc009ec9b331b6b279818743e451c3ee706b8faac52e85ffedeff4643ffab

    • SHA512

      e37bcfb2919ae649ab9be9f15150f5cc221d07913a4d6872060d722fbada266620868de2179ffefd04d119f08909a6635561078b0a24b59e60478e42770f162d

    • SSDEEP

      98304:FwY1sQqaLe2Egto8U4r5Pp6TlITQZ3uW888888888tb8dKi:mNaSgtvroZu

    Score
    1/10
    behavioral9

    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    3/10
    discovery
    behavioral10

    • Target

      vk_swiftshader.dll

    • Size

      4.9MB

    • MD5

      0e653627e1754dfb69680077af7bc0e1

    • SHA1

      45a46f604d5da8920c2485e4931feb4f84ae294c

    • SHA256

      b279cb96e6e853624079b87f6f5d9321c8662aeb06631bb9261db5a73496a55c

    • SHA512

      0c71bdfde59a47c435c98311714a9417a5be5356fb8845cd8b755357eed6bf4d70124c495303d2f2a4e8d0a964af2c4579b8d6715f6ee4915aaf47163ec20b28

    • SSDEEP

      49152:G6h3a0f1ABi1jP9LoS8lne0Zv8EgHI7JXYN3bgFNmEgMYmz2qA0Mr7wsVUsNCOzh:nh3aMXoSHfPwksHldLiuNr

    Score
    1/10
    behavioral11

    • Target

      vulkan-1.dll

    • Size

      931KB

    • MD5

      66f1223b63719717e59ce7059f2cfba8

    • SHA1

      80cfccccac4d55d0b1916ac2fe744c61e6baae0e

    • SHA256

      96d48cbc783aa0aa283398f3bfdc3d997ad328265f1af2cfd781ba89829601b4

    • SHA512

      9a3e08ea3c91f67ca16a9ac17f6257a6035873e34ab341d8103c3da0b3a659f5d95f3522f87065bde5c4be2373dabc229b1bd8a194574753c85b1d8a9d6ac114

    • SSDEEP

      24576:yYWOq/4Kt/Ku8n387ecbFb6Z5WoDYsHY6g3P0zAk7sz:yY65/M387R56Z5WoDYsHY6g3P0zAk7s

    Score
    1/10
    behavioral12

    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10
    discovery
    behavioral13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks