2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095

Analysis

max time kernel
160s
max time network
191s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe
Size

1.6MB
MD5

0dd5a3cd034826ea4f2d5edc88aa64d0
SHA1

3c0110904761b0adedc352057e6665d5e497f6a0
SHA256

2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095
SHA512

af585d8ff64a78ba068cd7947d610d4d888a1eedfc4166b405251523b03104fe4852901e9c806cab24a4330c147e4b511a9f0ef7b523c11cb6c980e5c89332f3
SSDEEP

24576:5t1RN4Y0wxQaYNwKN3DE3bQy/IkbH0vC3YkimBujmlbCnmXj:5D0wwwy4fMvC3jimMqlJ

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1724-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xuehua8.com\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xuehua8.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9079c6fc1100d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\xuehua8.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F72F7181-6C04-11ED-91E9-EEBA1A0FFCD1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000a7c7f4304546ef96b6784cf1ea5f548651d607bbabf254f4836798c676cc9145000000000e80000000020000200000009bd4fd60ced463e315293fa866c1c51223e2660f26a3e019e5ad10b52b602303200000008ec8aa9273d394f5e6a22fe1b0f5c3dab9125556a9fa091fb0af11bec6c2c9b240000000278b15214a02d9a4628c523bc57f944dce27d26ee12439ab6accc0f9a76115cab4a15cc1728533aee3190231d243df9c51143065782292f319f5808077060058	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000007c92aa45b441a931ba9c6264c8c6a77f7873b336fe0a5d7c17561a973390e1f4000000000e8000000002000020000000076fb56399bff921705f5a0574b57df1e5cb1049ae70d4eac31304d00d5df066900000008c87e73cf8bb429aacdc017bf5356701493dab31255a50a2103cc17a4f7ee721427f6ea31947d4e8a255b6a56c0545cb34763f7ad50c6b75ef843533fa5fe3661c1ced25acce58d34a8eb738a9d10d15de96693199c2e804049bf3be025ccc676b118ae43c3119b30f54f8210a54849ddfd0c328de807a01b30bdda35a71de6a74fc93f21ab91193886c239cc37794de40000000ffdf4f89ae753ee565b6dff808c935d719aeb8f3c36cc696c0d7114e69ceee0ef0fa74303f489ef51b39395a17d60c6e8679e55665821f86c932201f851d2d12	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\xuehua8.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376065397"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\xuehua8.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1444	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe
1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe
1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe
1444	iexplore.exe
1444	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1444	1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe	31
PID 1724 wrote to memory of 1444	1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe	31
PID 1724 wrote to memory of 1444	1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe	31
PID 1724 wrote to memory of 1444	1724	2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe	31
PID 1444 wrote to memory of 1092	1444	iexplore.exe	32
PID 1444 wrote to memory of 1092	1444	iexplore.exe	32
PID 1444 wrote to memory of 1092	1444	iexplore.exe	32
PID 1444 wrote to memory of 1092	1444	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe
"C:\Users\Admin\AppData\Local\Temp\2d721ef97b30ba28fc335d48c5b32f47009a09cb441d68df3be34fd8f40dc095.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xuehua8.com/zan/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eef71ba71dc7fd29293ca9085658096c

SHA1
132040a77a14a135eb42b449fb6a9668de25076a

SHA256
c646177918f76d2304b741220a13ec17b7323366bcf41a4bcb14b9cfe959a7e4

SHA512
e57ea83747141aedc5947eb6dc49d1f2050d13a79026fde3d400b4e627183c6ee9431d7435ee8ef4e63d5815853c49f5166b389cd1627dd44fdaa75b0bcdf024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
1KB

MD5
29218e9ef974c9370942a2718e96780f

SHA1
a26fb6f1f20d03c73697bdd32062319e8746f67b

SHA256
d6ee1034908bd6440c3a89e560949f3b14b79c22d9c500aa5001562b7c8b5283

SHA512
8e3d227fd972284894427a952bdb30167611a663214a738c298d8678ddf52156eb38af5d08767125789b6b96723717fc5cefdce4dcfe0772c207257d941a6812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NDDNGBWG.txt

Filesize
601B

MD5
f29be4cbe6877467865d83c96ad5b395

SHA1
f88eb34ee241b0c38e49c5b6d7a273eb9a8874b5

SHA256
4da0e29d0fd71a0c208535b6614fb177932073a4f6149adf8bf776038accbb88

SHA512
a48fdcaf031b4359eaafbd2a74e8c5f6d4540a329e70dad8c51c85ffdf8f6d4ad5655723dee560395a026b4deac1bb9c9f6e984a25d3e9cda1619e2a37187b07

Download Submit
memory/1724-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1724-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1724-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download