bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0

Analysis

max time kernel
150s
max time network
185s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
Size

172KB
MD5

e2271fbc453b32701e301007420f837a
SHA1

89491dac9bbeb41bc8746b4cd898a72c475da4e8
SHA256

bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0
SHA512

3f21def3512ce3c1da5f7e03db81717cfc1a398ec95d195c07f01656456e3bdb629f45b0db0bc975e8cdf8d717e12255511f4f3f6b6aa03962c57bba46850750
SSDEEP

3072:MoNYnnW133uZ9nhx43Ccb1ij7Rfk1sEGga7zWTzHnXO+yK+:MoinqW9nhSScb1ij5REyWzXvyd

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/940-55-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/940-56-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\54.exe	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A7D3391-77A7-11ED-AE55-6A950B37D0A0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000da0842bc19cbe195dfc1b1cd6b790d73956194e6828db62dd9fc1812ed662071000000000e8000000002000020000000e6318b00bfe709bbcfb0ac501805be440f7038aa8f7d0d3364d13faaf9878d6790000000c7378917d568be06dab656d08fc6911386d07e8fcc6676a0ba3c85bc99ae951231baeadc4a18a22abeb1014387985ac9cd5f704e38cbb61d33068095c1fd0a8ef58cf884b258d8043ac73492e52b2cea031b7bb4cce82b8f9385521c2bbe6465d631fff4907fbf9bf311e0d1066661f07c4458740e60d839571beb30198db475ba5f271328e7d1e8a9838991e13bc6b24000000016715afeb912105580720bf81557e8cc12f904098409e7b34951e9e8776e3fab295b5886123d71887bd1c15a8a5a496f7c1966d47f0da3354c501819f735794e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377344489"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000b3ce565eb7c23f1ded96a91caeecd09a1aa8c501a88e8f19ae6941013032ab03000000000e8000000002000020000000dac6f46462a3607a34a5e3a6d025b81cc3248b267cea79dbdded653be3bd896d20000000ae7e8f0c67ae6a81c459549476d1cd3b014ae05d530684f24f6bf8049157f30e40000000a6c83de5d62b328e86023e357ffa8246efbb936819f7596041848c0ae47618c50f0e1baaaa5697db3ab3a0c24de47fc10d03bf16d0ea3b00a278dfca7f05419c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300ca808b40bd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
360	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
360	iexplore.exe
360	iexplore.exe
292	IEXPLORE.EXE
292	IEXPLORE.EXE
292	IEXPLORE.EXE
292	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 360	940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe	30
PID 940 wrote to memory of 360	940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe	30
PID 940 wrote to memory of 360	940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe	30
PID 940 wrote to memory of 360	940	bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe	30
PID 360 wrote to memory of 292	360	iexplore.exe	31
PID 360 wrote to memory of 292	360	iexplore.exe	31
PID 360 wrote to memory of 292	360	iexplore.exe	31
PID 360 wrote to memory of 292	360	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe
"C:\Users\Admin\AppData\Local\Temp\bf8453f1c847da3fd4385b18d1561233fef215e05a8519207e88e14ea0d977a0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.0750car.net.cn/cracksafe/tj/ctfmen.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NX2BK2KW.txt

Filesize
601B

MD5
7728df986560cf9f8f42498094521976

SHA1
66bfba5f909dbb04d2b2bb675166e07a1ba8283c

SHA256
ad059a11c3663057904b8159ac677c90dbf8a648f89a647bd0df6c8c2c9c82b0

SHA512
515a61cb5fc7e2e85584e35cd2d54f5b118b1c680aef877779bca3f97ef0a298f5e5f23ac70336a722e1bb0621561ab68ca2d10d792bc8fb904da51097e5556e

Download Submit
memory/940-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/940-55-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/940-56-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download