a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7

Analysis

max time kernel
164s
max time network
168s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe
Size

3.8MB
MD5

df3ea840b2b8b221cdcb8363cbcf4e1a
SHA1

1359cd282e3ecb3abbbdbdee96c84094a07e0998
SHA256

a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7
SHA512

58e69dd0f3a01ae975aa6d416955eaa355b934cecc2b7aba267174a775912b6ff9bb1672d04998d1bb216c793e5e2dfaa562233590b28b7bdf3b9af2c63fc096
SSDEEP

98304:RAYmF2XsSJCpe02pJ2yeHqqw7cXFt9hD4T:2J5S2ebJpeKqwoda

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00140000000054ab-61.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-61.dat	upx
behavioral1/memory/1780-63-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe

Loads dropped DLL 1 IoCs

pid	Process
1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "143867"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144067"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "143945"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "164"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144017"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144095"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "144014"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85F81EE1-75BE-11ED-9F7B-6E705F4A26E5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144240"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144164"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144109"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144178"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "143917"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "144025"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "150"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "143959"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144175"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "144090"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "164"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "210"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "143903"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144164"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "144178"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\item.taobao.com\ = "150"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144017"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "144067"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "144028"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\item.taobao.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\login.taobao.com\ = "144183"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a43183cb09d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1356	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe
1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe
1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe
1356	iexplore.exe
1356	iexplore.exe
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE
608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1356	1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe	28
PID 1780 wrote to memory of 1356	1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe	28
PID 1780 wrote to memory of 1356	1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe	28
PID 1780 wrote to memory of 1356	1780	a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe	28
PID 1356 wrote to memory of 608	1356	iexplore.exe	30
PID 1356 wrote to memory of 608	1356	iexplore.exe	30
PID 1356 wrote to memory of 608	1356	iexplore.exe	30
PID 1356 wrote to memory of 608	1356	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe
"C:\Users\Admin\AppData\Local\Temp\a8cda3cb4ced4d330b773695ef4a93cae0f0bf2c1923a6fc1b551cdde52e29a7.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://item.taobao.com/auction/item_detail.htm?item_num_id=9121999995
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
706b88b1f72a39b79c4f4c98135863bb

SHA1
3f5a786f55401d738351e0c70bb0bdf4c7b22a8c

SHA256
662b700dd52d77dc03449a400ca7844782347e4b6d962daf0400b7b302181300

SHA512
913551755120f243e17574caefaf991e5413e57c83f367f24526b726b986b3ee99de2336d26df8d59174328993177b73330f19f2324552be05358ab1a03ceefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
8KB

MD5
8ccfdcabd259f38d5e677cf027836629

SHA1
17d76b6e50a6294f3545c27250e846ccd5d0bb5c

SHA256
5439b8fdd23900f3f7a1b5043183498a89ccc00c6263a609530169a68c4b4482

SHA512
04ec0d205fc5c3cd051cb9cba69055a00c4fdc40d1ae36dc750d1437856e0aeee37e84f77f45b9c4afe5b91dca713ff6dbdea0c9d6589fda37c16c80c887665e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CMNP6YV2.txt

Filesize
608B

MD5
26b751f6f4c0fcc16e3a71d45fd0500d

SHA1
7cea07c6d04e18c5978fbe90f4e84758aacb128a

SHA256
9571589cd09a36ad66cfdf7693b984c3ab8dadc412fb0041ad8dac88836a907a

SHA512
c9aff791d3a5fa390c39d2ef098fdf38f50209a9855d1121fa68ac75d88113f039fa85c1eb25dd8aa59cc4ae40d84529f966905f9456ef55906202b203e23b47

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/1780-58-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-60-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-57-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-62-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-63-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1780-64-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1780-56-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-55-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download
memory/1780-68-0x0000000000400000-0x0000000000961000-memory.dmp

Filesize
5.4MB

Download