Analysis

  • max time kernel: 94s
  • max time network: 140s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/11/2024, 14:00

General

  • Target: yx_dts.exe
  • Size: 889KB
  • MD5: 09ce8089df9c73890dd0569c053e10c5
  • SHA1: ca150d526dc7bf9161b8b9da4617ff461d5ae9d9
  • SHA256: d6ac9b5838aad1062ed759ee201e77e07314a0434a9236c6f8b54363e79c541b
  • SHA512: 414c80288666d609740956aec1f999d07412ee1998574da2374847a46137d828d4b42917c50ab167272313e802da03099bdb6d3518812fa307640c960cf8df6c
  • SSDEEP: 24576:4617vD7Kv8d4lXdcGs3KAh++8JS7+Jrmzo8t:4G7L+TY73l58JS7CKoy

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yx_dts.exe
    "C:\Users\Admin\AppData\Local\Temp\yx_dts.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
      "C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" SW_SHOWNORMAL
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1968
    • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
      "C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /autorun /setuprun
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4012
    • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
      "C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe" /setupsucc
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3360

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nslA105.tmp\FindProcDLL.dll
    Filesize: 3KB
    MD5: 8614c450637267afacad1645e23ba24a
    SHA1: e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
    SHA256: 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
    SHA512: af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

  • C:\Users\Admin\AppData\Local\Temp\nslA105.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Roaming\dts\mydts\Lander.ini
    Filesize: 414B
    MD5: 73c7eb1e201cadcdfc9263d8e3d982b5
    SHA1: c896dc8fbe566a5f37247c13d236ee4ad6872730
    SHA256: 632bd324dde38adff24c540f99a53d92c2c5ca3c021aff411d4230f70ea7afab
    SHA512: 5129838fd8c75bfaea668a8a6b433b6b6fd4ba166bed3b822cab2883b72f01cbe1c305435d444bea9c3c485b7e9e8d3779452eda17387cb78af48118ea6e85ee

  • C:\Users\Admin\AppData\Roaming\dts\mydts\Lander.ini
    Filesize: 446B
    MD5: 7b0ad132ee8a6e2eab029203b15b8d57
    SHA1: f06f6fea5f627c08d5aa45355459c906a6765e71
    SHA256: 9c2c35947f62bba1639afa80c683c6fb38800b91c7ddf2b7a28e6ae2b463c388
    SHA512: b2b09a1b755a79f894c12cc86c7155441bcc5085a4a9071ae450efdecda775b9b160fca977e4bd0e4bd223ac7364d3f6c183655cd41a6da4d50a56d3908c6bb2

  • C:\Users\Admin\AppData\Roaming\dts\mydts\dts.exe
    Filesize: 843KB
    MD5: d0e6bfcf97bc61745ba68118df26b971
    SHA1: cc3696f5722ee55acddadd8ca5495294d47ae455
    SHA256: 23b94fb2952b692f6e8e7dbd2bb4ae013cb4ad2c0b99066a2538d5c73b4a4216
    SHA512: 0c9106d4c9414e54c7c19d8a11b441fd1bfb013e02d5990c7acc5c5c3b73b1a3efd8effd5a98fa5c54033a80b33605f5324084ccb497130ffb366dd44ac80e09

  • C:\Users\Admin\AppData\Roaming\dts\mydts\lander.ini
    Filesize: 383B
    MD5: 48fd2ead551dbd2a88e7c8b1d5ecf506
    SHA1: 4844fae2d49135936a063b41087601dc22c54e9a
    SHA256: b9a7bb9b824a7903b508c3ea1f5128ab098fdaf849b3978549637bf60611073e
    SHA512: 25644b00513f3a234ce3386ddda7acae2b3a0cb6dbd51c8cbc811e929462553e336659c18684d1e3fcf8d3d0d001e897c15060f7eefc07859dff116b7a2a5681

  • memory/2152-15-0x0000000004861000-0x0000000004862000-memory.dmp
    Filesize: 4KB

  • memory/2152-14-0x0000000004860000-0x0000000004863000-memory.dmp
    Filesize: 12KB

  • memory/2152-66-0x0000000004861000-0x0000000004862000-memory.dmp
    Filesize: 4KB

  • memory/2152-73-0x0000000004860000-0x0000000004863000-memory.dmp
    Filesize: 12KB

  • memory/4012-65-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
    Filesize: 4KB

  • memory/4012-67-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
    Filesize: 4KB