055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5

Analysis

max time kernel
145s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-02-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
Size

923KB
MD5

e8e109e6f7a18a8371f8ea8fd5fe0cde
SHA1

b8771032493620e514dcc62718c017de4336d520
SHA256

055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5
SHA512

c3239ffbb3f54438571a159d03a9af98462b8d0fa9be4f6d99ef44757ec9020ef3c8f9909ae05b54d488be8d6bb776eb39faf884c20a9d5edaeadaf6a117dfb2
SSDEEP

12288:DsPVP6fhLJc97sDFCpWxhLclKM2LTyTZnyeSi4YAQ7XLUmhklfQ0uV+IW/Zndp4+:DcSfh1cm8JKM2LuTHSizAAXYcklp1re

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.upan.cc	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F169721-A998-11ED-9332-6A94EDCEDC7A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\upan.cc	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382835757"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\upan.cc\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000846d544e2564e348bd35e5f719051120000000000200000000001066000000010000200000001ef6d72a351e97fd6929d962d327039af4867c4e9c4c0c97d1d7d849f0003130000000000e80000000020000200000005737b67f32e14557b16da6c88ca90c5c900578dc47f68d567ad20153dd76462790000000732de26632802ba37b4b53aad6f0f44d6c5471cb066db76a230f22042234f1429f2667e717231bc9e3aa8d034fdc7f8b8157beaa0b6cad56a68a31f3750debd44ccf2745500d59bb2d01e99f40f8bfaf88c04956129b6a11c69ee4cc90e8c303e67fa62a8afc64fa57b84bb5cf88b92c76a3c1847576fadd9aea4a2838eee5a92e47f378a29f4e30b3cc520697eec5c4400000005308ad1256f774ef5283a6e87854b149ce65897d9495f8c3ea48e4a0eef5350809a92bc20cc7038109708dac73e46619927903379b83bbed674d4ffccf38844d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\upan.cc\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.upan.cc\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000846d544e2564e348bd35e5f71905112000000000020000000000106600000001000020000000b31b2188843dc62030e3f0405d00b7ccc5909ddd8230873b92ad8496566f084b000000000e80000000020000200000000985555e27f453499516b207f7ad63c8c17bc3e771924211e9a692242f8f68c22000000056b65d53ac33395a23f574c4eaa624c97bd48cad7a35ddbfc0bc65636b98eebc4000000026a3125a899cb58e0717a512c6ae36e6845dbdd9d90a579455e9ba852fec3d65627d1625c524c6d02404bd1d57f9e2f65c93cb4bfd39e21f89bb4e1bbf3bbe0b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01b8966a53dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exeiexplore.exe

pid	process
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
1788	iexplore.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe

pid	process
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exeiexplore.exeIEXPLORE.EXE

pid	process
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
1788	iexplore.exe
1788	iexplore.exe
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exeiexplore.exe

description	pid	process	target process
PID 856 wrote to memory of 1788	856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe	iexplore.exe
PID 856 wrote to memory of 1788	856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe	iexplore.exe
PID 856 wrote to memory of 1788	856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe	iexplore.exe
PID 856 wrote to memory of 1788	856	055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe	iexplore.exe
PID 1788 wrote to memory of 744	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 744	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 744	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 744	1788	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe
"C:\Users\Admin\AppData\Local\Temp\055ffa07bacfe6bcbfdc55c9088a9bebe640e00effba2ef452cf4c9c1c55b9b5.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.upan.cc/tools/test/ChipEasy_EN.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\45253D621EA9F2E0253B4AF8D44565CD_E1C900220CC72433790F0B31F26E4F2D
Filesize
1KB

MD5
04942b404da9c789a6ea5f8cde4c69fd

SHA1
8c5e822f6e5805f7820f475f0ad74a533b986177

SHA256
cf2b07268bc889568a714b37367733ec618f1b988ae4eb482e860fec433f6f74

SHA512
ec9406099d97caff9c269d49ac46df1a90dbb1f34997496f70bc7ff4d11cf11d7681ca005f7e2d813d6d007e0b1bd9d693db1bdceac6557e89f23b350e06ff63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001
Filesize
1KB

MD5
7e4568ea9c53a5b9634e01ae47a01528

SHA1
f3f0821d3c91f72a8f489a5f0dad2a1324cec78d

SHA256
315cf2c84ecc8b87bc72e391d1b12fe2a95330a58acf8acf6c286cb00796a45a

SHA512
354e65fea55cee3485102fbc7d6efe909ced8b7dea2bd9822f0df839b1f32f78facc8cafd81ac779027b7ff9d349e805222b0b87ea877da877ddf6cbf610dfdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\45253D621EA9F2E0253B4AF8D44565CD_E1C900220CC72433790F0B31F26E4F2D
Filesize
516B

MD5
5e1fc8720c345810aa736b694a0815b2

SHA1
7f9ba63184a095ff30d626549765f57e18b66e85

SHA256
e2645564923487d8c627db0e7378c386917b86874989d51e392166c26c8e32c4

SHA512
c868571b995ac62fa07c45a8e8cf7c502c3b739daf8f453d039c95ab5b619bdb0bbe7c19f101bbee234f521d33cadb0993b14e5ff0dc3da5bcc8d717ee21e2f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
052b9a18f8c273cd882533749988cfa9

SHA1
c9bc1377cf325c064efae12f73d88e55b838b189

SHA256
7cdb1ca178714764d8659e75ea9805e3511e0d4b757c3e205b4d877e33360558

SHA512
e6d7e9efaa2b3f3e829950778ede6c4934377924b2e4980e4e4213510bb632fe6d5220c7846f287869fc031347d0f40fbbb01917f5c8640ddd037e4cc16ba861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001
Filesize
492B

MD5
80a08e151b8a0fb77d6cb81a5a832ec6

SHA1
7baedd3a7e2759a204b73cd82f8631935be39e80

SHA256
f7f173cca1ae59f6a1e8c3a70486e9f6a18d94364965e1999e7b126fc2f1b800

SHA512
cb3e847fbb2bc2a9356c1a5b3c19424eab12e28615e1503ba958ec35e32b599b8202082890a42f65e214aa4df9696b4e5aa43298d8f1d28c4d66b6ee4aad71ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
c68165add9312b4f4a312dd09d10d795

SHA1
27ec9e1c38c61e475816d6a3bbb9c8ca443d2b1c

SHA256
7863e949e7ae5cb72da2f26f691355d39753a5667b727c2fdedacaddbd847436

SHA512
9680ea77ba21fbf3a0ed94706573c96d150e9c83ed8727ebf2092d5440d6772625185a3de03f94702ecb1539460767e6618138b08d6534c4b7f1a290ece20562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
Filesize
8KB

MD5
d0bcfd37ddf352789871bf4a54f5cb85

SHA1
571c3cc329b1b8c76882027760e13fc68a15decd

SHA256
6d21325e79746fc0b8a5f119d371f1d66117dd9c4242c5f7e67b34a577204716

SHA512
e8d83fc0ee7a30c6a9e20903e24be2ebf1503ead66feba306ffe65e016f394ca27c9323d0f8ba88108d647fdcaf8952f7a6c1d1ba88f5c1883fdf1cb3b0c027e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4L8STY83.txt
Filesize
602B

MD5
1fc0f34401d5ec311982311607c8d1d7

SHA1
51a3660b98b120be8fdecae9c860f7cddc2a62da

SHA256
f8aa156d424aab196fbc717bd4903a8cda04b28aafc22c7a5aa1cd309202dab9

SHA512
3159ca7e3e89f1722f851610387d16167f880a9e9cd1f24dbd20980503f623d0af29a0be72c3ddd3d1459998ec9b0756657f6575856a4344683c1d3bd76b2561

Download Submit
memory/856-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/856-59-0x0000000000970000-0x0000000000C53000-memory.dmp

Filesize
2.9MB

Download
memory/856-58-0x0000000000970000-0x0000000000C53000-memory.dmp

Filesize
2.9MB

Download
memory/856-56-0x0000000000970000-0x0000000000C53000-memory.dmp

Filesize
2.9MB

Download
memory/856-57-0x0000000000970000-0x0000000000C53000-memory.dmp

Filesize
2.9MB

Download
memory/856-55-0x0000000000970000-0x0000000000C53000-memory.dmp

Filesize
2.9MB

Download