Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 11:37

General

  • Target

    YogaDNSSetup.exe

  • Size

    8.0MB

  • MD5

    a1780f92321a1857505752a53888cebb

  • SHA1

    77bb3b55f2704a50d9b8b3c67e5b2e57ad9824ed

  • SHA256

    483e99a23d9348f63deab43c8f0c09afb2af9ca313ce401e27b9e31aeba7eb63

  • SHA512

    b5b61b3be90d3952bbd4bf43bf383bab56c7de88afe4057990c8e1d238bece54781b9701b615c7a27d6bcc1ad6ebd537eb3a7be2c9a9df094c290c3d84bb4f15

  • SSDEEP

    196608:RbfgBIO7uGevAeadYrsrnql79gG8l/oEqns:Vw9headYozql7Glgps

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 15 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YogaDNSSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\YogaDNSSetup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Local\Temp\is-SP7TM.tmp\YogaDNSSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SP7TM.tmp\YogaDNSSetup.tmp" /SL5="$801E6,7486188,831488,C:\Users\Admin\AppData\Local\Temp\YogaDNSSetup.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Program Files (x86)\YogaDNS\YogaDNS.exe
        "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ForceExit
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3844
      • C:\Windows\SysWOW64\NET.EXE
        "NET.EXE" stop DnsFltEngineDrv
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop DnsFltEngineDrv
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1524
      • C:\Windows\system32\RUNDLL32.EXE
        "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf
        3⤵
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\system32\runonce.exe
          "C:\Windows\system32\runonce.exe" -r
          4⤵
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\System32\grpconv.exe
            "C:\Windows\System32\grpconv.exe" -o
            5⤵
              PID:3892
        • C:\Program Files (x86)\YogaDNS\YogaDNS.exe
          "C:\Program Files (x86)\YogaDNS\YogaDNS.exe" /ShowWnd
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3836
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{d75cdc82-b13e-3440-baa8-0fa7a36dedeb}\DnsFltEngineDrv.inf" "9" "48ceef827" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\YogaDNS\Driver"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:856
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\dnsfltenginedrv.inf_amd64_70fcb7f63230c89c\dnsfltenginedrv.inf" "0" "48ceef827" "0000000000000158" "WinSta0\Default"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
    • C:\Program Files (x86)\YogaDNS\YogaDNS.exe
      "C:\Program Files (x86)\YogaDNS\YogaDNS.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1108

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\PROGRA~2\YogaDNS\Driver\DnsFltEngineDrv.sys

        Filesize

        60KB

        MD5

        e280e289aed282e8b611e91732b0c620

        SHA1

        8edc5772328b744c51e67cc8bf797a914b0bcf12

        SHA256

        8a06b07e861304616ec3b8a49cdf82bb7f2817e4ba32eec6ce784023b0d86f9e

        SHA512

        1a953172bd8a939ac5d7268f76b039611feaa34d6620bc9f5f8d4ed4c49dd1b1abc39ad0d5db365a780f322b3784e2361f9a53063eb8d0eb751f9b0d694a28ef

      • C:\Program Files (x86)\YogaDNS\Driver\DnsFltEngineDrv.inf

        Filesize

        2KB

        MD5

        71f188b094aea862b928579ea3b5b8d3

        SHA1

        21d4b6912bcdc0afd74265b42745b5ed34b35000

        SHA256

        cb0e4c116e30890da4a9bc143826e65bf6c4f200237c8a0cbb12934c63a8954f

        SHA512

        aaead4947a3b8def2793cc85c5b8ef206df83d187009075b346fea48e5b82f9155c9b1b00effce6627dbe6cd7a55b3fa4ea8ec41c3825a9ade9022b3a9281af0

      • C:\Program Files (x86)\YogaDNS\YogaDNS.exe

        Filesize

        6.0MB

        MD5

        c0c0b96046f27f7b549c42cd6b48b2d8

        SHA1

        39bc3bbe61be2128e5f8d839dd08722b83fc45d9

        SHA256

        76409047ea4fc5785e9499ca5215e457de446e08474fdf7c81eb83d3af2b1afe

        SHA512

        b3aabfc3ef919850bca9043c251d73d51af8d1feaf47c87fed0e3bf45f61a4f1bc8558191877028b1418c2c7a994e35d65a555efd05e9952eb961bd3004f6d33

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

        Filesize

        717B

        MD5

        822467b728b7a66b081c91795373789a

        SHA1

        d8f2f02e1eef62485a9feffd59ce837511749865

        SHA256

        af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

        SHA512

        bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECC871EB3D0C768B5D5F174AD880C518

        Filesize

        345B

        MD5

        92d9a8cbccb22f1bbf85b87ee4546c56

        SHA1

        f058b25d06a5a273014e6e347347947caa15f06d

        SHA256

        4b82eda085f20c943a6133b04b66d46f184ce8e197baa9d6859afe59b6f3ac93

        SHA512

        74281e1eb92b8fb9b35fc58c4f3dca46828e797960e5aedf32b1b4eb991d38d4d303cefaf95a1a201e3d5635e5fd664783594ab25269db7004d280e7f54cd39b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

        Filesize

        192B

        MD5

        a4a8553372eb5462e4b8b5b88ef910cb

        SHA1

        1eddbaf43d53adea3a5a89b203b657b5f5bb2c79

        SHA256

        18ed1b4cc16c317f4b485aeb94c56e0276cbc97ee498522cb80ba213d3485f69

        SHA512

        b8c8017691a62d3e093c31b4cc8baf7cc50dee404ce35f35f24293a3c9a40ed7d19af707b3c9c1171a504115245df886e54091ae69b9071d40e7cf3f4fb702fa

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECC871EB3D0C768B5D5F174AD880C518

        Filesize

        540B

        MD5

        243139059b42af148bde13a2c3ec91e4

        SHA1

        9193b16f9f01f67e2abd447922c25bebcd083c6b

        SHA256

        a1706990c57175828ad2576f2077a6c7d33d1a0da340d3719c94ef1650efcd29

        SHA512

        a91086f62efd534243284b1152a4718cb3d928b1c8b20a5f154461ab56cd46fff6f4defd351d236d14c92065e8ac0716e0dec948381bdef56540e5dace358a67

      • C:\Users\Admin\AppData\Local\Temp\is-SP7TM.tmp\YogaDNSSetup.tmp

        Filesize

        3.1MB

        MD5

        9a918ea79f21edea6046bb11ec0f94b9

        SHA1

        63aa5d0d209e3a1a45cd933c3c712c640bd667f3

        SHA256

        78acc8f6748ed579e0cbe4de2ec748561363f49bb614587afddabdd4351fe843

        SHA512

        ada1b7a07e1500ecf61dc09760ac2cb2c000a9a3ff6af17cd2a0096ae01f340b21b4c823205af4bab373c9052cc9b4fafe575b12e77856b280597b5c7e3cc47a

      • C:\Users\Admin\AppData\Local\Temp\{d75cdc82-b13e-3440-baa8-0fa7a36dedeb}\DnsFltEngineDrv.cat

        Filesize

        11KB

        MD5

        b243199ab0c6836a0896037a45af42d3

        SHA1

        ed9957261161d52dae8eb200b1c6afd9a08eccda

        SHA256

        3ca2becf9d4177a539f5ea0913c882232c92e4caf193d2d0782e0bac7a421d00

        SHA512

        9860a56d79cc6dba7bc5b2d502f3ae69cc87d6908172d022ee39a2feb650cd144be4d3ee82364e65b8247f3bb6e0514f172d129ccfd983dc99f445c14ec242fa

      • C:\Users\Admin\AppData\Roaming\YogaDNS\Configuration.xml

        Filesize

        809B

        MD5

        ae1d26ab2dce3e14c041ed748377f5d1

        SHA1

        7eef6a18a5df6516be0e684ce66db1218c82b4bc

        SHA256

        bec2a3c3bc8e0e68c25d229636f58548f5e82806470b35711ccb4b09be099b06

        SHA512

        5ac57724e3b80f6aaff2f1c5c126bdadcef6a2932bac592ae5f596218b16673f6a7e9b635b0a5b986a9b4109e295585ad8eb387a9bc6c4d39a9abd1cd111ee32

      • memory/1280-9-0x0000000000400000-0x000000000071A000-memory.dmp

        Filesize

        3.1MB

      • memory/1280-121-0x0000000000400000-0x000000000071A000-memory.dmp

        Filesize

        3.1MB

      • memory/1280-10-0x0000000000400000-0x000000000071A000-memory.dmp

        Filesize

        3.1MB

      • memory/1280-6-0x0000000000400000-0x000000000071A000-memory.dmp

        Filesize

        3.1MB

      • memory/1848-123-0x0000000000400000-0x00000000004D8000-memory.dmp

        Filesize

        864KB

      • memory/1848-8-0x0000000000400000-0x00000000004D8000-memory.dmp

        Filesize

        864KB

      • memory/1848-0-0x0000000000400000-0x00000000004D8000-memory.dmp

        Filesize

        864KB

      • memory/1848-2-0x0000000000401000-0x00000000004B7000-memory.dmp

        Filesize

        728KB