483e99a23d9348f63deab43c8f0c09afb2af9ca313ce401e27b9e31aeba7eb63

Analysis

max time kernel
135s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YogaDNSSetup.exe
Size

8.0MB
MD5

a1780f92321a1857505752a53888cebb
SHA1

77bb3b55f2704a50d9b8b3c67e5b2e57ad9824ed
SHA256

483e99a23d9348f63deab43c8f0c09afb2af9ca313ce401e27b9e31aeba7eb63
SHA512

b5b61b3be90d3952bbd4bf43bf383bab56c7de88afe4057990c8e1d238bece54781b9701b615c7a27d6bcc1ad6ebd537eb3a7be2c9a9df094c290c3d84bb4f15
SSDEEP

196608:RbfgBIO7uGevAeadYrsrnql79gG8l/oEqns:Vw9headYozql7Glgps

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETEA6E.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SETEA6E.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\DnsFltEngineDrv.sys	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YogaDNS = "\"C:\\Program Files (x86)\\YogaDNS\\YogaDNS.exe\" /AutoRun"	YogaDNSSetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\YogaDNS\dnscrypt.dll	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\Driver\is-FAAR1.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\Driver\is-PHO4P.tmp	YogaDNSSetup.tmp
File opened for modification	C:\Program Files (x86)\YogaDNS\ServiceManager.exe	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-MN2OD.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-N2OUR.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-GIDG6.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-N7AGD.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-KSAIE.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\unins000.msg	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-T4UKT.tmp	YogaDNSSetup.tmp
File opened for modification	C:\Program Files (x86)\YogaDNS\unins000.dat	YogaDNSSetup.tmp
File opened for modification	C:\Program Files (x86)\YogaDNS\YogaDNS.exe	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\unins000.dat	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\is-HHGH1.tmp	YogaDNSSetup.tmp
File created	C:\Program Files (x86)\YogaDNS\Driver\is-C8R74.tmp	YogaDNSSetup.tmp

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	RUNDLL32.EXE

Executes dropped EXE 3 IoCs

pid	Process
3020	YogaDNSSetup.tmp
2452	YogaDNS.exe
2464	YogaDNS.exe

Loads dropped DLL 6 IoCs

pid	Process
2404	YogaDNSSetup.exe
3020	YogaDNSSetup.tmp
3020	YogaDNSSetup.tmp
3020	YogaDNSSetup.tmp
3020	YogaDNSSetup.tmp
3020	YogaDNSSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YogaDNS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YogaDNSSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YogaDNSSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YogaDNS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000eaaf6df89ad229c771a1c5c0781658f4ee3a267aef31069fb4e15eb625ccc6e9000000000e8000000002000020000000fee0b09ec950c85e5db459b6be48cd7e99694b1de585ee3de33a32f38bf9d51890000000f7ab4521de52f47f2087362eb389657c6211d50940ceaa01a02fbdfef33ee964d0c3208737425408b375e83d649283b91b7a3d7a73c632f2b7356a0550b43adc77a228e32ce9486aff1950455af4e2e97831504c46a8b146fa8705a1700a1938012eda53312a22bfc40775e984557cf111c86d9de0e1deb2d5ae312f3dc196513969c2544ca5a794a48cf1b53e7907224000000041e7022b309e215d12e6dbe1e966c46d16750ae31a9f8ac6e2dc6336e23804f4a54231be97dc279d1f78ebccc87cf8fefd0e32e9a8a0d0868e1c501d59509cee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\MigrationModeData = "2106930162"	YogaDNS.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60288b619b1cdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AB7B901-888E-11EF-9109-7694D31B45CA} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000485adee7125a36e8f531036781cac05f0a536df96a2704f68fcca1f8b63f15c4000000000e8000000002000020000000e6dce5c37d9878a8cbca9215c1d54d6890d950c1dec747e42af5e341123383e520000000156630034dc25259c6f3c5c5f01344892f32580246073208fd64d938ee944647400000005cd21c005346091dec20b2b1031f1a078e1f663620f6b0060de50249587d7d730068f996e85d17464f65d19d5be55a08a334385ab29262edb6bc6c3e0808edf8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	YogaDNS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	YogaDNS.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3020	YogaDNSSetup.tmp
3020	YogaDNSSetup.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	492	RUNDLL32.EXE
Token: SeRestorePrivilege	492	RUNDLL32.EXE
Token: SeRestorePrivilege	492	RUNDLL32.EXE
Token: SeRestorePrivilege	492	RUNDLL32.EXE
Token: SeRestorePrivilege	492	RUNDLL32.EXE
Token: SeRestorePrivilege	492	RUNDLL32.EXE
Token: SeRestorePrivilege	492	RUNDLL32.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3020	YogaDNSSetup.tmp
2464	YogaDNS.exe
2464	YogaDNS.exe
2464	YogaDNS.exe
2116	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2464	YogaDNS.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2452	YogaDNS.exe
2464	YogaDNS.exe
2464	YogaDNS.exe
2116	iexplore.exe
2116	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
888	IEXPLORE.EXE
888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 2404 wrote to memory of 3020	2404	YogaDNSSetup.exe	30
PID 3020 wrote to memory of 2452	3020	YogaDNSSetup.tmp	33
PID 3020 wrote to memory of 2452	3020	YogaDNSSetup.tmp	33
PID 3020 wrote to memory of 2452	3020	YogaDNSSetup.tmp	33
PID 3020 wrote to memory of 2452	3020	YogaDNSSetup.tmp	33
PID 3020 wrote to memory of 2800	3020	YogaDNSSetup.tmp	34
PID 3020 wrote to memory of 2800	3020	YogaDNSSetup.tmp	34
PID 3020 wrote to memory of 2800	3020	YogaDNSSetup.tmp	34
PID 3020 wrote to memory of 2800	3020	YogaDNSSetup.tmp	34
PID 2800 wrote to memory of 1432	2800	NET.EXE	36
PID 2800 wrote to memory of 1432	2800	NET.EXE	36
PID 2800 wrote to memory of 1432	2800	NET.EXE	36
PID 2800 wrote to memory of 1432	2800	NET.EXE	36
PID 3020 wrote to memory of 492	3020	YogaDNSSetup.tmp	37
PID 3020 wrote to memory of 492	3020	YogaDNSSetup.tmp	37
PID 3020 wrote to memory of 492	3020	YogaDNSSetup.tmp	37
PID 3020 wrote to memory of 492	3020	YogaDNSSetup.tmp	37
PID 492 wrote to memory of 1972	492	RUNDLL32.EXE	38
PID 492 wrote to memory of 1972	492	RUNDLL32.EXE	38
PID 492 wrote to memory of 1972	492	RUNDLL32.EXE	38
PID 1972 wrote to memory of 1400	1972	runonce.exe	39
PID 1972 wrote to memory of 1400	1972	runonce.exe	39
PID 1972 wrote to memory of 1400	1972	runonce.exe	39
PID 3020 wrote to memory of 2464	3020	YogaDNSSetup.tmp	40
PID 3020 wrote to memory of 2464	3020	YogaDNSSetup.tmp	40
PID 3020 wrote to memory of 2464	3020	YogaDNSSetup.tmp	40
PID 3020 wrote to memory of 2464	3020	YogaDNSSetup.tmp	40
PID 2464 wrote to memory of 2116	2464	YogaDNS.exe	42
PID 2464 wrote to memory of 2116	2464	YogaDNS.exe	42
PID 2464 wrote to memory of 2116	2464	YogaDNS.exe	42
PID 2464 wrote to memory of 2116	2464	YogaDNS.exe	42
PID 2116 wrote to memory of 888	2116	iexplore.exe	43
PID 2116 wrote to memory of 888	2116	iexplore.exe	43
PID 2116 wrote to memory of 888	2116	iexplore.exe	43
PID 2116 wrote to memory of 888	2116	iexplore.exe	43

C:\Users\Admin\AppData\Local\Temp\YogaDNSSetup.exe
"C:\Users\Admin\AppData\Local\Temp\YogaDNSSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\is-RQDDE.tmp\YogaDNSSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RQDDE.tmp\YogaDNSSetup.tmp" /SL5="$400E0,7486188,831488,C:\Users\Admin\AppData\Local\Temp\YogaDNSSetup.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files (x86)\YogaDNS\YogaDNS.exe
    "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ForceExit
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2452
- - C:\Windows\SysWOW64\NET.EXE
    "NET.EXE" stop DnsFltEngineDrv
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DnsFltEngineDrv
      4⤵
      System Location Discovery: System Language Discovery
      PID:1432
- - C:\Windows\system32\RUNDLL32.EXE
    "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        
        PID:1400
- - C:\Program Files (x86)\YogaDNS\YogaDNS.exe
    "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ShowWnd
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.yogadns.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\YogaDNS\Driver\DnsFltEngineDrv.sys

Filesize
60KB

MD5
e280e289aed282e8b611e91732b0c620

SHA1
8edc5772328b744c51e67cc8bf797a914b0bcf12

SHA256
8a06b07e861304616ec3b8a49cdf82bb7f2817e4ba32eec6ce784023b0d86f9e

SHA512
1a953172bd8a939ac5d7268f76b039611feaa34d6620bc9f5f8d4ed4c49dd1b1abc39ad0d5db365a780f322b3784e2361f9a53063eb8d0eb751f9b0d694a28ef

Download Submit
C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf

Filesize
2KB

MD5
71f188b094aea862b928579ea3b5b8d3

SHA1
21d4b6912bcdc0afd74265b42745b5ed34b35000

SHA256
cb0e4c116e30890da4a9bc143826e65bf6c4f200237c8a0cbb12934c63a8954f

SHA512
aaead4947a3b8def2793cc85c5b8ef206df83d187009075b346fea48e5b82f9155c9b1b00effce6627dbe6cd7a55b3fa4ea8ec41c3825a9ade9022b3a9281af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECC871EB3D0C768B5D5F174AD880C518

Filesize
345B

MD5
92d9a8cbccb22f1bbf85b87ee4546c56

SHA1
f058b25d06a5a273014e6e347347947caa15f06d

SHA256
4b82eda085f20c943a6133b04b66d46f184ce8e197baa9d6859afe59b6f3ac93

SHA512
74281e1eb92b8fb9b35fc58c4f3dca46828e797960e5aedf32b1b4eb991d38d4d303cefaf95a1a201e3d5635e5fd664783594ab25269db7004d280e7f54cd39b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
0845af6fd130523063e839fe89e95003

SHA1
af681321495db67df898e342f7ca0d8d7d090078

SHA256
b131ea8f65d2bd45997d97bdbcf0a56717877f62c0d7731b6f2b2baa254040a7

SHA512
d97264f96f3defb77b964a6496a9fe8ad3f9152068892d97be22f20b8ec67056f8d74da4df3e397050af2791cab999bb1e1d7c38cf59674fe69f1a5c5085307c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64e8fb08eef1eae9368d1d25f88f5768

SHA1
50c965fae39356b8ebd012eebc5000b0cdde5a87

SHA256
2cf0434f67ecbdf127e3f15f0f4c021efb63e156a0ee83b3db499c8f51c8fa5b

SHA512
62114128d1f830b485c37731dae8fea6a4126cd31ce5aa5ca40b930c6e804a42193d2a3ceb0df2fdabceed0e94cfb418fea551a1c44f9b86495e5cce3cd850c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
952fcc5ec04cc137d20b190aa51ac389

SHA1
28e12d5124d075d97a65a14d14d07e765540ab1b

SHA256
6208d082132ce995faab9ffcec982eefe1469cd559d54feebdd9392c4b78862b

SHA512
1af4b9e747c4ded0fb5fc61678e1c887d450b5892ed237de94a9b84a859ef91961e229623b935f5cbc1f20f787015025384aee618fcdf79065238b296b3994bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f4d758c15520696838f80ca801994c

SHA1
0eb0e2317223522ac260719c2b36246338580d0e

SHA256
18134377157aa979977b649c5344f27e39cc3b7a914d8ffc5f8f40c9b8bbfe2b

SHA512
fc233a42e7448cfcb67063da79946dc395f059b95771d6cf6ea7ed6f62f42a582e4b66535825498b1969d49982a331c2439d08fa9b00034dd2143b2088e0d3ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
509a8c5360d5724361287f578ca2f972

SHA1
d10b6c4bda02e1207a5caa5783e755d1a3af4871

SHA256
e0d166b59dbfbe6effc00920484cb511477ab1de9d1f8c1b65bc75a8829612be

SHA512
4e1b6929b32f612075ec565a484214b653381145fa3902690a48bb7f3ad8ae286c45f96f890a944a22cca2ee78928e81c4065524754df7544e7ae4fd18ac0fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f986b15f3320194851526891a3ad30c2

SHA1
12b5c103c2f605bc469a3e26327cf9b344bb021f

SHA256
31ac0adeb7007abb9ca7e101ae1590b9b82bb05cfb24614bcaa38bf8a4824b50

SHA512
a4c48c3db35bb2014a79222c0960335b371f23c78d55496da0c2cd5dd7e413c8a0b31f70fd54e10650a798562143c4ce6525290ac58aac0b678a8d1e72bf09de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55b7afa3e817b684c7543dc14f78fdfc

SHA1
673c4a2c69ef886827b38635c89f7978f3c668e5

SHA256
19baeb8fee48a049fee11d56af2eecde831e4d13b8070b7debd16365ed85f96c

SHA512
638fcd8c9ca498901eb251df36eee2dd3780317cdfe9d778d55db7d9ec9c52e81fca258f592671fefda51d3ed326c1c3aa63e315f112a3ce93c801752bfa9aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1452752421cf48421a96c97fae02a6f

SHA1
f1d8c21a341671fb7c57d99d02aa94b1479e26e0

SHA256
d256ba10156784e8c3a927b74d9223d391fecc408abe46f25be345b6974224ed

SHA512
19b6d1e9f069b9b279a40689fc981d498e47d74882408274052d245a68c59934aaf08ff3f8f6b2ecc8a62b80352684de2fa01f39d08eaf33b824a46eba1dc834

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d1ef6ada9b8909ec2e31eda9f3d052d

SHA1
121b8a08424a059d5ef2a89ddeae66dff23f8aff

SHA256
c9f559bf68957b9565a222fcc2f88cd7cb3af47ef290fb9cff9d0379bff88211

SHA512
42bb7dfe53528759c0ef97c2cbd4fb8b42a3975b9be23a3c7f15c91373317e7397d7b3a9c459ef87bd04ac23cd507cbb0617756063c4a9a9fe177446c1ebec70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ae9b32b0e09ee142e9cc6dad491b8a7

SHA1
072fa30662e836edfd4dcde3d2d0522fe4886139

SHA256
9d8c59fdf7b69df2a0aa7639aa88b38dffaa6c5c922d184e64ef5ddb4c1526cd

SHA512
7c3d9fa9ad834378df9df521ff28f34dc9a39b818169b5f02cf5b75afcce4be71401658e1501976bb6949b33641caeb639f4dc5eaa0af01dc15d6194cd674b97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8ca3e779826c7ba87af7ca2e6a72ecc

SHA1
d66eeda643cf192ca8e4d764a007da1de72e0180

SHA256
756da3afe78f324dce1602fb0decfef4dd2500c7095aa315b6b55cc05d23eb42

SHA512
404eeb504b6c00eb6503fbed877af39aaa0dd000e82474ca09c348c8aad7660b6308f1f296a4a12c5e2ee6f2d9c168a9ede17005aff5ff0aaf2cb6782cf3c6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECC871EB3D0C768B5D5F174AD880C518

Filesize
540B

MD5
043b0e79c276eb78a1ee81a5fbd185c1

SHA1
bbcf08d16cfadc72dc97822a2575346a0afd6e09

SHA256
504be98fa1fd2e14a54a14fd3362ceba996c4dd5347301637c79b6a6d7b57954

SHA512
f77f3d07533a7b5c57fc81a3f3c640df24bed1af67f6721721fe3c3af3fd14a40dd456cb496f053a6d5d5b62b28558fb0e98740f3f746a38f33eb3189db6c2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
6KB

MD5
b7787710441abffc67cf182938a8bea8

SHA1
306bb519c6014934d122811ef81e9af647c74bb9

SHA256
f008fce0c626f76ddd4f151a4ec81432da9532e7342a0a73eba678afb2387ecf

SHA512
beb50aa959be2461e3c3cb11cfccc1421b92c3778a9e21de0cfa1a9577f2baee133973e53ba1f041363f184475fd94be2c682162c6cf6382165ff795ae9f8baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\favicon[1].png

Filesize
6KB

MD5
11a1da8cbf3341190bce1eacce9f7720

SHA1
5a07f8639a27e17798457a2b2a11732ce683808d

SHA256
1ac9de48aab2e9d92c66ebce7cd9c5f45457172c356f5a232608cfef6e0fb933

SHA512
d3c72f4170e5c7e05a96acfe7af6b36e36e16a084d9bdc11d00d99418d6bd2cad9e0ef7bea454e57f55232e57b74f8a76ee33b9edb175d04158993c1797a777e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\app[1].js

Filesize
118KB

MD5
1b667ff04121825f5164cae2fdd14942

SHA1
060cd75bad01483d48b49b064f35ac7172078006

SHA256
75b2158f405583651b09090b560b750a5ffd37bcb4d30d255c9aea8981161f21

SHA512
97cc1ffa56550d71a78561239df40df436403af59a16c12ae2a83e6b12cac68ee9036986c04c3507155a66b32c07723406566adb491793cdbec645e673437dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18DE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3017.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\YogaDNS\ServiceManager.exe

Filesize
726KB

MD5
e2d209e03b611e54639678a1c72f210e

SHA1
cbb8924fa05b015dc212fee3fd6861217131806a

SHA256
768ed606dedcf8911bab477fc823c47b38cf28c128ed8e374c679ec1e0e38799

SHA512
7505292b7b490df3c7284b8a61c6c440ae3814685650bec7a78f6303f333baac17121f104f44c0bbfcc51cbf060b9b3cf5a874f08fd430e162a7af2a9b1e19b0

Download Submit
\Program Files (x86)\YogaDNS\YogaDNS.exe

Filesize
6.0MB

MD5
c0c0b96046f27f7b549c42cd6b48b2d8

SHA1
39bc3bbe61be2128e5f8d839dd08722b83fc45d9

SHA256
76409047ea4fc5785e9499ca5215e457de446e08474fdf7c81eb83d3af2b1afe

SHA512
b3aabfc3ef919850bca9043c251d73d51af8d1feaf47c87fed0e3bf45f61a4f1bc8558191877028b1418c2c7a994e35d65a555efd05e9952eb961bd3004f6d33

Download Submit
\Users\Admin\AppData\Local\Temp\is-RQDDE.tmp\YogaDNSSetup.tmp

Filesize
3.1MB

MD5
9a918ea79f21edea6046bb11ec0f94b9

SHA1
63aa5d0d209e3a1a45cd933c3c712c640bd667f3

SHA256
78acc8f6748ed579e0cbe4de2ec748561363f49bb614587afddabdd4351fe843

SHA512
ada1b7a07e1500ecf61dc09760ac2cb2c000a9a3ff6af17cd2a0096ae01f340b21b4c823205af4bab373c9052cc9b4fafe575b12e77856b280597b5c7e3cc47a

Download Submit
memory/2404-81-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2404-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2404-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2404-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3020-18-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-22-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-20-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-24-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-16-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-14-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-12-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-75-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-9-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3020-80-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download