6ef94526277cbd63b6f7d51fe802750efe323dea5bfcf743766d946c282e03fd

Analysis

max time kernel
93s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PaiPai/PaiPai.exe
Size

1.6MB
MD5

34672bfad67a4ee5fcd8f6812fbf10ec
SHA1

95af609433e9da2f02cd9a5cfda168811d35d93a
SHA256

fd16419c2625b7f4983acad53ae11c73d4a7d204c9f9867f10973e72cf0d8609
SHA512

3df15be81f846b00de6c3dde2b533b0a3ac40981515e583d0fd51fbdbe103addd3fcfe03d9ed79c099b387a962b471194f2236dfebe4cfe486c13d1a38a90085
SSDEEP

24576:QahSQ2mX/GG5dDHm8DUpxCkSyTfo6slgs8s6slg4sRsnw+DWbDPa+DWrrDPiI3sG:Qcpq8mCkSsIBjerHEe/Ruke7Ucn

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PaiPai.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaiPai.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	PaiPai.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	PaiPai.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync	PaiPai.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	PaiPai.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe
424	PaiPai.exe

C:\Users\Admin\AppData\Local\Temp\PaiPai\PaiPai.exe
"C:\Users\Admin\AppData\Local\Temp\PaiPai\PaiPai.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PaiPai\Config.ini

Filesize
640B

MD5
0b964a229262c4a1d22204a8f1ffb2e7

SHA1
9f54f081e9f48778557028769272ef8b94ea0ebb

SHA256
e2c6f2565ed824b6781f78bfed692875b897a684d197418a986a2c41e4143506

SHA512
3327705e5b0b0753eda900accf3a7771e89c39887674d2095dab2e9e090f707823642c78694a0ead98cfe80cee06f69ff7d336f112b5ee34ffe8b4f1dd9dace6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaiPai\Config.ini

Filesize
854B

MD5
4db7490a554111cf49b456182b414294

SHA1
123ac21b8621e647bd8f900cd65008801f5244a9

SHA256
d89dfc727a00c4db6441b6f863cfdde79ae62cc17d60afea0cee9ee3c6a6304e

SHA512
bebb66135e985f2a090806d6a0dcacac0c16edde1b08ef4bd4eaf46fbc358bc0642fdd6c478add0c59e6afd555c8544435849d6dc1d39b38772fee49633821f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaiPai\Config.ini

Filesize
450B

MD5
0f8cba40cc0591cf5c2029a317699a3b

SHA1
fc928f2b46d93cc278e34ba15d6687d1eaad3d25

SHA256
560be65bac8b41694c8fcf1761e490cb63cd7c543e1076f9cbd2108ececcdbdf

SHA512
f1126c5115eb283bfb4959ace5f51867ec77977783bfcdd7e88dc5f8bd9f1ecc6dccf794639042a48e5f40746364d5230344dff0debb06d8cd7b4b2635be0250

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads