6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe
Size

3.4MB
MD5

7d8201b754a9db95b3b121f6c8213f89
SHA1

b769ad3c21614caf61e86e212b8291c543b6567f
SHA256

6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00
SHA512

ee2d2f80da5028d698aaa65698af7299205b26568b8bb5d7cd8f650d78824bfb4e3125bfe1b5bbf1179336f110100b72df71bc5f8f3595ab67a7f1064d7cb70c
SSDEEP

98304:OGaWU2FG98z3DbVEke/B02O601yJk3T4Ous/:ORWU2FG+Bte5pOry04OX/

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

Youbak_MSN_PARTNER2038.exeha65.exepplive.exeYoubak_MSN_PARTNER2038.tmpHaoZipLoader.exeHaoZipUpdate.exe

pid process

3016 Youbak_MSN_PARTNER2038.exe
3012 ha65.exe
2900 pplive.exe
2724 Youbak_MSN_PARTNER2038.tmp
2912 HaoZipLoader.exe
1984 HaoZipUpdate.exe

pid	process
3016	Youbak_MSN_PARTNER2038.exe
3012	ha65.exe
2900	pplive.exe
2724	Youbak_MSN_PARTNER2038.tmp
2912	HaoZipLoader.exe
1984	HaoZipUpdate.exe

Loads dropped DLL 43 IoCs

Processes:

6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exeYoubak_MSN_PARTNER2038.exeYoubak_MSN_PARTNER2038.tmppplive.exeha65.exeHaoZipLoader.exeHaoZipUpdate.exe

pid	process
2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe
3016	Youbak_MSN_PARTNER2038.exe
2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe
3016	Youbak_MSN_PARTNER2038.exe
2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe
2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe
3016	Youbak_MSN_PARTNER2038.exe
2724	Youbak_MSN_PARTNER2038.tmp
2724	Youbak_MSN_PARTNER2038.tmp
2900	pplive.exe
2900	pplive.exe
2900	pplive.exe
3012	ha65.exe
3012	ha65.exe
3012	ha65.exe
3012	ha65.exe
3012	ha65.exe
3012	ha65.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
3012	ha65.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

HaoZipUpdate.exe

description ioc process

File opened for modification \??\PhysicalDrive0 HaoZipUpdate.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	HaoZipUpdate.exe

Drops file in Program Files directory 31 IoCs

Processes:

ha65.exeHaoZipUpdate.exeHaoZipLoader.exe

description	ioc	process
File created	C:\Program Files (x86)\HaoZip\HaoZip.exe	ha65.exe
File created	C:\Program Files (x86)\HaoZip\config\HaoZip.hzs	HaoZipUpdate.exe
File created	C:\Program Files (x86)\HaoZip\config\temp\pending.hzt	HaoZipUpdate.exe
File created	C:\Program Files (x86)\HaoZip\sfx\HaoZip7zSetup.sfx	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipExt.dll	ha65.exe
File created	C:\Program Files (x86)\HaoZip\Uninstall.exe	ha65.exe
File opened for modification	C:\Program Files (x86)\HaoZip\config\HZ~691F.tmp	HaoZipUpdate.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe	ha65.exe
File opened for modification	C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini	ha65.exe
File created	C:\Program Files (x86)\HaoZip\UNACEV2.DLL	ha65.exe
File created	C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll	ha65.exe
File created	C:\Program Files (x86)\HaoZip\Benchmark.data	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipShell.dll	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZip.chm	ha65.exe
File created	C:\Program Files (x86)\HaoZip\RarNew.data	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipImage.dll	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipVersion.dll	ha65.exe
File created	C:\Program Files (x86)\HaoZip\Rar.exe	ha65.exe
File created	C:\Program Files (x86)\HaoZip\ZipNew.data	ha65.exe
File created	C:\Program Files (x86)\HaoZip\TarNew.data	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipCompress.dll	ha65.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipFormats.dll	ha65.exe
File opened for modification	C:\Program Files (x86)\HaoZip\config\HZ~4F88.tmp	HaoZipLoader.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipC.exe	ha65.exe
File created	C:\Program Files (x86)\HaoZip\Microsoft.VC80.CRT.manifest	ha65.exe
File created	C:\Program Files (x86)\HaoZip\msvcr80.dll	ha65.exe
File opened for modification	C:\Program Files (x86)\HaoZip\config\HZ~4F1A.tmp	HaoZipLoader.exe
File opened for modification	C:\Program Files (x86)\HaoZip\config\temp\pending.hzt	HaoZipUpdate.exe
File created	C:\Program Files (x86)\HaoZip\HaoZipLoader.exe	ha65.exe
File created	C:\Program Files (x86)\HaoZip\好压免责声明.txt	ha65.exe
File created	C:\Program Files (x86)\HaoZip\7zNew.data	ha65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Youbak_MSN_PARTNER2038.exeYoubak_MSN_PARTNER2038.tmppplive.exeha65.exeHaoZipLoader.exeHaoZipUpdate.exe6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Youbak_MSN_PARTNER2038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Youbak_MSN_PARTNER2038.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pplive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ha65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HaoZipLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HaoZipUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe

Modifies registry class 64 IoCs

Processes:

HaoZipLoader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.rpm	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tbz2\shell\open	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r76	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.zip.split	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hfs\ = "HaoZip.hfs"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shell\open	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.rar.split\shellex	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r45	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.arj\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,0"	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r51\ = "HaoZip.rar.split"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z92	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tpz\ = "HaoZip.tpz"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.tbz\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.xar\shell\open	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bzip2\HaoZipBackup = "7-Zip\\.bzip2"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.gz\shell\open\command	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.rar\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,25"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.rar\shellex\ContextMenuHandlers	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.taz\DefaultIcon	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z12	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "HaoZip.z"	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.taz\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\""	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.7z\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,23"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.hfs	HaoZipLoader.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\HaoZip	HaoZipLoader.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\HaoZip	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shellex\DropHandler	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z33	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z66	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.arj\shellex\ContextMenuHandlers	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzma86\ = "HaoZip.lzma86"	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r42\ = "HaoZip.rar.split"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z45	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.taz\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,0"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.7z\shellex\DropHandler\ = "{5FED836A-C96C-4d88-A91E-F63F07726585}"	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z88\ = "HaoZip.zip.split"	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r57\ = "HaoZip.rar.split"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r72	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzh\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.rpm\DefaultIcon\ = "C:\\Program Files (x86)\\HaoZip\\HaoZip.exe,0"	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z43\ = "HaoZip.zip.split"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.xpi\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r38\ = "HaoZip.rar.split"	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.gz\shellex\PropertySheetHandlers	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lha\shellex\ContextMenuHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shell\open\command\ = "\"C:\\Program Files (x86)\\HaoZip\\HaoZip.exe\" \"%1\""	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r74	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.xar\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.7z\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.001\shellex\ContextMenuHandlers	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r78	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r85	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.bzip2\DefaultIcon	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lzma\shellex\PropertySheetHandlers\{5FED836A-C96C-4d88-A91E-F63F07726585}	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.lha\DefaultIcon	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.cpio\shellex\PropertySheetHandlers	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.jar\shellex	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r43	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z72	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.bz2\shell\open\command	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.wim	HaoZipLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HaoZip.arj\DefaultIcon	HaoZipLoader.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

HaoZipLoader.exeHaoZipUpdate.exe

pid	process
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
2912	HaoZipLoader.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

HaoZipUpdate.exe

pid	process
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

HaoZipUpdate.exe

pid	process
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe
1984	HaoZipUpdate.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exeYoubak_MSN_PARTNER2038.exeha65.exe

description	pid	process	target process
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3016	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	Youbak_MSN_PARTNER2038.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 3012	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	ha65.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 2760 wrote to memory of 2900	2760	6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe	pplive.exe
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3016 wrote to memory of 2724	3016	Youbak_MSN_PARTNER2038.exe	Youbak_MSN_PARTNER2038.tmp
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 2912	3012	ha65.exe	HaoZipLoader.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe
PID 3012 wrote to memory of 1984	3012	ha65.exe	HaoZipUpdate.exe

C:\Users\Admin\AppData\Local\Temp\6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe
"C:\Users\Admin\AppData\Local\Temp\6d166eff89a3d5daeba90881fef9976b09e154a15cef922515be2813c57e4e00.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\Youbak_MSN_PARTNER2038.exe
"C:\Users\Admin\AppData\Local\Temp\Youbak_MSN_PARTNER2038.exe" /VERYSILENT /SP- /NORESTART
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\is-83936.tmp\Youbak_MSN_PARTNER2038.tmp
"C:\Users\Admin\AppData\Local\Temp\is-83936.tmp\Youbak_MSN_PARTNER2038.tmp" /SL5="$B0122,737659,54272,C:\Users\Admin\AppData\Local\Temp\Youbak_MSN_PARTNER2038.exe" /VERYSILENT /SP- /NORESTART
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2724

C:\Users\Admin\AppData\Local\Temp\ha65.exe
"C:\Users\Admin\AppData\Local\Temp\ha65.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012

C:\Program Files (x86)\HaoZip\HaoZipLoader.exe
"C:\Program Files (x86)\HaoZip\HaoZipLoader.exe" -install01
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe
"C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe" -install
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1984

C:\Users\Admin\AppData\Local\Temp\pplive.exe
"C:\Users\Admin\AppData\Local\Temp\pplive.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HaoZip\HaoZip.chm

Filesize
169KB

MD5
c111d2770455449f129128b88f2f5206

SHA1
8b51f7261ef355270b4a6e76eeb616af1e0447ea

SHA256
a283661a8652195db9c371579189c9359092e900b925393d265a4f5b232e118c

SHA512
e6acd7df4646d4e44d7bae560493b4132272907b6b12600807dfb8f1defc37ab9a177b7887f29d580eee841850987e8f681f24714f91b82ac6851531828e688c

Download Submit
C:\Program Files (x86)\HaoZip\HaoZip.exe

Filesize
1.8MB

MD5
97efade40e113454d7f51634e67a4c24

SHA1
b26372620aafea7208d462a2afe52f6ed1b5c55a

SHA256
c33464aa06906ad2f17f97f39b30d27552a62d1b93b7a84eef6b4d2d23bc8669

SHA512
6c15bf5d634183cc5fafa7e80ab3d3ab69b87be9c0ccc0dd40b1367695478264c5f57eacd8aaf87cdca88d204c7cce8a4546febdfcd27c264b581af9b82b98a7

Download Submit
C:\Program Files (x86)\HaoZip\HaoZipExt.dll

Filesize
172KB

MD5
52f02e82c21a85e7476ee6db6d76d786

SHA1
e7fbdbec5e735cfcbaa89e98d7bcab6ce73b0b0c

SHA256
8dcd8cba677436bd0dc3d44e8ba6ae7b75b15d602881d596b17690f7c4c0e2b6

SHA512
4d1c7d95610f21f36b9ffb1db3004f5e0fef48e89f3b22e50283da85510343d54e7efdfce8f218555d28efc429a734b0f064ac17d5b8c73d4734e1ca6ba42f70

Download Submit
C:\Program Files (x86)\HaoZip\HaoZipLoader.exe

Filesize
48KB

MD5
a43c95953e8ae0cc14cdce57dfb0096b

SHA1
d721d9f34aefbcdf6e8cc59889d5ccc8e1997d0e

SHA256
9aceeeef173e48bdf2167756227e41b71a9dc04c7276105b36fd3607d32f342c

SHA512
87bd9181503fcdaef5191f3836f00b8f103d3280e81594cfaa224dc2824c54ec79241adf4750e6f8fbab0ff5c5048ac2cea6da6e3da6a6e2b68ab71e2f511658

Download Submit
C:\Program Files (x86)\HaoZip\HaoZipShell.dll

Filesize
115KB

MD5
e58565d563b57d23cabf53ab07dd1a48

SHA1
47875e0b3399eb6bbac4d6d8d7ee7dd449aa0b09

SHA256
ac0b28a399cec5081349cb1ab36b76cb7e0705a51ed14e4029b63ce7e63181b0

SHA512
69aa599a6e9830a2264abb34566181789eb6b3980f938c58d94f3da460765c854ce5e4c99b49aa4a2fa372e6360154839a391a9adc5ac31635315e16c4131c22

Download Submit
C:\Program Files (x86)\HaoZip\HaoZipUpdate.exe

Filesize
219KB

MD5
fc274b9bbccb119040b4c98d06dd2f94

SHA1
38ada3cdece1a3aa33167b51c4e5383fd34bc513

SHA256
dc37c5698510265763c654a89d06c0e37d0a603054a9d7a0281b3c819acd1d77

SHA512
20d455cf419ec5e89d9a51e20a65c28c19bc3641f821c76ab6a1e4a494195b24f462014852906a11f4719f4c64f0de717a1198ecc4c26ae740d243e56580114d

Download Submit
C:\Program Files (x86)\HaoZip\HaoZipVersion.dll

Filesize
8KB

MD5
d2fa876bdc048d986c6568c84a685f25

SHA1
cf04df82ac26d87b65b420c6b33e8e56c312d791

SHA256
68cf8ab20ea5ffe0f550c0b9dd3630ee450287c528345b213f25a2a1174deb97

SHA512
eac6e35218def092248cb7b2f3b1308e16497d66a20f0e158abc0ba45c01b882a100fc09ac629777bb7a2500a76c83a2e4eaa79a9c163c586a50913bee00a8f7

Download Submit
C:\Program Files (x86)\HaoZip\Uninstall.exe

Filesize
80KB

MD5
1baa91ee2d5ffbc0cd490413eabc2f11

SHA1
4f78183dd73428c805a82975c63072d29ba1f62e

SHA256
0c5ef5708d08d889e3fed130522c7476373357d627400fdb7082a4f16275abd8

SHA512
84eed54ce82aaa879b2a86b5a7c5648dfe834377c19017ba6b34829aa284641634af625a3bf75eaec41f7942136776ec1ddf55961e16920531339c53120b29ad

Download Submit
C:\Program Files (x86)\HaoZip\config\HaoZipLang.ini

Filesize
37B

MD5
0e5d62bbebb35ca5bcac5a8563a799b2

SHA1
271ccec941e18321739d1794578586a149e6ccd2

SHA256
deac5c066a7d8d7a8af6c05dee5217e44fcbe34f6fafd9ea30390af5d6bb1537

SHA512
e1d4e982f6b8b2d0c089b58b2f25d644582bfd58b66892421f095db87884b9efedce7f5dfcfd9825e832f57228a6fc3d8e9dd797ae4414c3daf43dcdf97bfcf9

Download Submit
C:\Program Files (x86)\HaoZip\lang\HaoZipLang_chs.dll

Filesize
334KB

MD5
04919aa4ecfa8aacbf1d6383ee4d92f0

SHA1
1b3e08b6dbd72bb11afe6475b0a9caa5b173f218

SHA256
6a8af8509fa93a42d5fe3eeb871f916e20f28f96a3c2aabcf9d8938366edf94d

SHA512
268a01f622f5105878da331fa93f64f1f43e7e1b099d49f10b7d631bf6d56f28c8d05e960b2551fb09f4f2a7edfc0ca5fa3facc2b432c863e72b5067d601cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ha65.exe

Filesize
2.3MB

MD5
616285502f035c80681455288c513731

SHA1
4fd937ff5add37e10254c11a8f0809d6b7f23521

SHA256
49631d72bdd2902f98b080e4326b82380be234e1d01a8291dcc7431764e90281

SHA512
6d46800f925917af4d510604e544b9491c83a23ce98fb4a1d2bc6d2deefb7d7d052b75b1dd57cb232d4f4a036b013fdfe53d280926342053831b26fc549c34bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-83936.tmp\Youbak_MSN_PARTNER2038.tmp

Filesize
694KB

MD5
29bb632f057f068130e8a7877781a05d

SHA1
10060581eb95e61d6ac8176f692a2ae251149b32

SHA256
13065ec81bfdf70d1074f8fb90f6eaecae531b76e71ba1542f3cefc41a9e29c1

SHA512
0b66548ea8690d755566054f42a3886ac983f8402afd8ff27923f092a71c8404e16add8393d314ea056698f51ab0f3260c882c1447b35f73b1830458e70fd405

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4D48.tmp\FileInfo.dll

Filesize
46KB

MD5
25aa25fcec2065cdf81f77d2153a63a7

SHA1
e09b96d596323201ce5586daa16c9b8ecfaa7654

SHA256
ba62fc93cdd027de00af9cbaf31bf102d47fe9f1d74493ebf6faa2f2c9982435

SHA512
5de8b9ca1b38fba4f63756066d10a0312acafe9c051645fd192e500d1cff23a21845cec2d1fb1002ddf7002f9f6ae3962fd6087f3ab793d9630c33e35d6aba64

Download Submit
\Users\Admin\AppData\Local\Temp\Youbak_MSN_PARTNER2038.exe

Filesize
989KB

MD5
d88681c275fd71f42ccaee06e5901fc9

SHA1
3f051192a4ea9722d139cea2e7d7aef860880253

SHA256
980e63c8f1c312d3dda44b1fc79cc937357a36c585fcda7c51a433e36f1600a5

SHA512
f096de74e29554d8960803f272d5c8cd37304d5fcc55d54287d0bd24901c6bf6cf9ca0b33f4d3ee96cdce5fab50248abe9332e5eb47066eb32ee5102737d2d86

Download Submit
\Users\Admin\AppData\Local\Temp\is-6BH2P.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nso4D48.tmp\System.dll

Filesize
11KB

MD5
a82b0479708b96c7bf4dd6b798aedee0

SHA1
7e47b402848a86bdddd5f0de8bb4620471caaab0

SHA256
72410442a894b8316da6ad469f03997ec17c0b0d117745bb6ac5cac3232c7d20

SHA512
02e07def3897d87d546c0cf1492191591be587f64ae5c165b9a91fb977585c65a860135eb8c102b67dede913ea935459ce70c4ca973b292122c8d097ab130d58

Download Submit
\Users\Admin\AppData\Local\Temp\pplive.exe

Filesize
57KB

MD5
165e72b2ee569a12eef6dbcd10ecd1f8

SHA1
408bd64834589daaad399d1ef6a067581554b1bf

SHA256
fd9483ae6e6dcf90242c0d0f371a9d0f4e6a0b10374ececa27effb85ba01acd0

SHA512
2ca9a45ee351873f6f8f915f7cb8ee7ffd9119913c68cefc5dc0a4f75e3a8d409f15f3ba38982a920bfc8ec15de77da298909e18d6e416cee86676a1870d716e

Download Submit
memory/2724-51-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2760-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2912-107-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/2912-111-0x0000000000A90000-0x0000000000ABF000-memory.dmp

Filesize
188KB

Download
memory/3012-92-0x00000000009E0000-0x00000000009F1000-memory.dmp

Filesize
68KB

Download
memory/3016-52-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3016-31-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3016-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download