ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e

Analysis

max time kernel
110s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
Size

2.0MB
MD5

5f4bd3f3b5efadef56a9151432d8a96a
SHA1

222a29c28f6167de49717fd514ed3083492535f6
SHA256

ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e
SHA512

befee533883003077a8a93773af4a3f8e570f59803c73098e8fb5c14da466bde819b97446fbcc633c1187e29820f84df35eb62d19352cfa161d708eeeca2da7b
SSDEEP

49152:zMNMD8ERuhf/WLMJxhd4jV7kFe+NYLgCuOd+9p:QNbBf/pcj+BNYVu9

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/560-61-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-63-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-65-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-69-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-67-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-73-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-75-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-79-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-83-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-85-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-89-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-91-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-93-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-97-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-99-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-103-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-101-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-95-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-87-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-81-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-77-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-71-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-105-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/560-107-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375570091"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000055e082b70a895c4682388db9a49c7e060000000002000000000010660000000100002000000063f8bb197816dd36c1cceb69e2d4332e093ae18774fee8e5e31080920b291584000000000e80000000020000200000000712d4ffe75ad75b868a8d5d5615553c41c7b187045661e0f6e64f467f3761732000000074f9d6caea221b84d46e883a6d4ea33d0c77cc5c72b0d46699c9cd9d2925c30340000000ca1d28e265dfd4df1606742a8856143eaadadd983d73cc72a0a189efe539141004e81460d8b8a214788db4072186439f054151b8837fe3511372eef6205e3cbd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000055e082b70a895c4682388db9a49c7e06000000000200000000001066000000010000200000000c11b1b07da74bbbdcb50ac114203be9ff512a15fa88131607e758e5ac128c60000000000e8000000002000020000000964302769e06cc0385e094fbd114ae04965e2a069551cbcb7be18c5a14b38cc190000000837b1ba13ed23b7c96ba7ed8e654f22bc78cfc4cbf6249c6d29bd5e5d060ea0d4597bcea814186674a41928e92613b81fa8860977772092991d028ee105d089a636e18711af9f86b50401115d9108d0d29ae72f9278b84afcca7fd95bf1703bbbba25361d902ac2b0f07b2187e3e29cba3ccef004a67a239e254d75c71f9ef31546c8154d066cc805206d8781f60092540000000979d6f71d6a4384092176815a4432339fd2e10e421afed7a046294d855cacb1517b76c33a8f3c9678bf6604a88c3ede2f39e2ed22adf4e160057b9333a1ba617	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F40A7621-6CFF-11ED-8413-C22E595EE768} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07192d50c01d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2345.com/?k16275695"	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1540	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
1540	iexplore.exe
1540	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1540	560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe	30
PID 560 wrote to memory of 1540	560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe	30
PID 560 wrote to memory of 1540	560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe	30
PID 560 wrote to memory of 1540	560	ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe	30
PID 1540 wrote to memory of 1608	1540	iexplore.exe	31
PID 1540 wrote to memory of 1608	1540	iexplore.exe	31
PID 1540 wrote to memory of 1608	1540	iexplore.exe	31
PID 1540 wrote to memory of 1608	1540	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ef80c202ecf26d09cc4e258678de8eea46aaba90517d1a4be5dfab243f8ecb6e.exe"
1⤵
- Checks BIOS information in registry
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.yaofz.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
a4e21ab0b35a35e2d453a8da61354056

SHA1
0ff1f4f05f88cded677d33b116d26a536d165887

SHA256
17e634450f94911a18f583fe5988103ea06c78cc8a5145ba3ff96b4f3cbe3a5b

SHA512
ff8e4711154d3dcce728a3f279fcb4168660591ef45294459428a7b998e19e5adf537e9f24af918dd96ac6c21823847103fdbda5390757a3184e541a7453ff0a

Download Submit
memory/560-85-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-63-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-57-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-58-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-89-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-61-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-91-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-65-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-93-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-67-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-73-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-75-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-79-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-83-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/560-60-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-56-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-69-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-97-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-99-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-103-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-101-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-95-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-87-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-81-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-77-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-71-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-104-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-105-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-106-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-107-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/560-108-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download
memory/560-55-0x0000000000400000-0x00000000006A7000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads