ee78b456493f7a9d94d628cf8f8a165ad555721b03f078b76673c24816aca622

Analysis

max time kernel
134s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/01/2023, 21:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XD_Set-Up.exe
Size

2.7MB
MD5

8aca9c821937fc16b0d30ed9cfa231e3
SHA1

4c2ed084b9a34077dde546ddefe5fdd6f8a62f12
SHA256

ee78b456493f7a9d94d628cf8f8a165ad555721b03f078b76673c24816aca622
SHA512

0a1986fb110f8eaccd1c976f025c4c2a95c92da5aedc933e13c5038f4e49a0f5b7e9de727834933b6b2846f10528a7cb212f97377cc03b6da9edef799eb55a18
SSDEEP

49152:5GTEMisXVCgvAZ6X/b5Bvd11LkrgCuygbwEF2m8A0:5GIMis04Agz5/L8jkO

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/840-55-0x0000000001000000-0x00000000018E8000-memory.dmp	upx
behavioral1/memory/840-60-0x0000000001000000-0x00000000018E8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	XD_Set-Up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	XD_Set-Up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XD_Set-Up.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XD_Set-Up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XD_Set-Up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	XD_Set-Up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XD_Set-Up.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9190C21-8ED8-11ED-9B91-62E10F117DDC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	XD_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	XD_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379894673"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ef8292e522d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000cfacdfb97cf42118ca998599124a3fc7a35aca11c46fe8db7e2eca355d333152000000000e80000000020000200000007f1d6c944aceb0d07376fb12341149881c2231f7ea63359236d4a26992e96afe900000009d72ebc5143c4bd991061f6cc27173c879b1f191c3c322780dbde281f64732aaac08d1283982d283fb1c6c2c79d900e94cba725da87b9ff2057579e56eabf38acae8c0a9952ae5e5f2b1712668baa40523052554d0e1ce6333e9a54fd8b60bbbef4ef76cbd191c00b60fa37ed6fb8f9210922ad5363f491c45ef8b3a274b3f1e0184aedf4e34d2817cbcd21a42a000544000000008e5fe91125aa19b1f9494e4386ed5fb3a41eb2fc02c09ae4bc40b27e5f8e0520e179f36fea1568b9152a61c5fbf2b0e599898de4919d8b358f22e5c452b23e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	XD_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\XD_Set-Up.exe = "11001"	XD_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000000f70abf83f6041e4c5570aa21f9d5e0bda4d3f118c5e579ae69259e389bda810000000000e800000000200002000000092c2085244ad699475bfa5cc468f02a5ffa549e3cab005b2d74abcb954c1654a20000000e3d5454e7539b67f52d4f7a14a9b93ef81859b780de6ecb5c09ecf03a5b84f154000000038b3ec7663abc9d8434c4461793c5652d86f0cfbff409c35e9cf13180243705ed406772908cc991d11b1e012b6d77ffad3245253b621b108399a8e629038343e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	XD_Set-Up.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	XD_Set-Up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	XD_Set-Up.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
840	XD_Set-Up.exe
840	XD_Set-Up.exe
840	XD_Set-Up.exe
840	XD_Set-Up.exe
840	XD_Set-Up.exe
840	XD_Set-Up.exe
840	XD_Set-Up.exe
840	XD_Set-Up.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	840	XD_Set-Up.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1580	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
840	XD_Set-Up.exe
840	XD_Set-Up.exe
1580	iexplore.exe
1580	iexplore.exe
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1580	840	XD_Set-Up.exe	30
PID 840 wrote to memory of 1580	840	XD_Set-Up.exe	30
PID 840 wrote to memory of 1580	840	XD_Set-Up.exe	30
PID 840 wrote to memory of 1580	840	XD_Set-Up.exe	30
PID 1580 wrote to memory of 1656	1580	iexplore.exe	31
PID 1580 wrote to memory of 1656	1580	iexplore.exe	31
PID 1580 wrote to memory of 1656	1580	iexplore.exe	31
PID 1580 wrote to memory of 1656	1580	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\XD_Set-Up.exe
"C:\Users\Admin\AppData\Local\Temp\XD_Set-Up.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.adobe.com/go/download_SPRK_en_US?mv=product&mv2=accc
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
832400f22ed44b13a5329abfd13652c5

SHA1
87fcf9643bd4cda31975c5ff0891bef4c032995a

SHA256
20dbe93e556bfdd6ed6750d23c54ba62de794e649280b59e019c02544035d9c8

SHA512
f49c289b16e39922f5a526c2bf62afef6fdf03c3b20269c3d6df0882f59dae8cb9245215de011c5f0499ee4cf298aa4a0de4b4a3e8bd3b66ae20016b1e15c027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d0d31aba92200096b71ae50220cb4b2

SHA1
54dff98a68ea136f84e5ed0b07aaa45dcc319406

SHA256
8bed56cad023627cb7bc0f48046b2f16ad90039a8fef382be4e212e785ee36af

SHA512
d04b98fca391f1dcb4d4a79020fe83886da2574590d597ee4c16f21619899df9eec6d52df4204a36c6576bac31d2b689a9dc6ea5f0acd263f4cf9713d35d014f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
a58f6ac86a34d9d56ba328729600fb5f

SHA1
b9b1b0aba99c8acaed35944f411d80b30bb5d2a5

SHA256
c17e7e0a2f19b9ae7a3e0e5e2d13b94542452e0c2e59702aa6618bf9a9b2d530

SHA512
e044f7fff10c40b392849e428674182b058a4a1b6e522b697352613a1c52c076e7ec0883246c9ca2e628d7a567d92a943255b0e8e96c9dd88607152f8f698b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FDI4C76F.txt

Filesize
608B

MD5
fffb9924052e3a2cb45f4c444e724e41

SHA1
6d1cdab50defce047ba244d1e6fe30ed343c5bf8

SHA256
bac566e2912bf8fae11ca0b445d426f688c74f2d1ba5f8b612053955d2e1a57f

SHA512
8795f185b612745f1bda8c0ee0a807a2c888b7de476d8144873276f04c684248116661a69571bfe97a5e3b19cfd4175886c07be23c9ba55637c5f9d978f420d6

Download Submit
memory/840-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/840-55-0x0000000001000000-0x00000000018E8000-memory.dmp

Filesize
8.9MB

Download
memory/840-56-0x0000000074CF1000-0x0000000074CF3000-memory.dmp

Filesize
8KB

Download
memory/840-60-0x0000000001000000-0x00000000018E8000-memory.dmp

Filesize
8.9MB

Download