Analysis
-
max time kernel
303s -
max time network
383s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-08-2021 14:49
Static task
static1
URLScan task
urlscan1
Sample
http://ntv-play.com/video/04169823/tls/console-play.exe
Behavioral task
behavioral1
Sample
http://ntv-play.com/video/04169823/tls/console-play.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
http://ntv-play.com/video/04169823/tls/console-play.exe
-
Sample
210824-aq597d398e
Score
1/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3553404132" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30906615" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3563404268" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3553404132" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d5d2d4f798d701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "336630350" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF0CB034-04EA-11EC-A11C-7280A1B46CD1} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000034773a8ab77c504caf8c2399da1a34c700000000020000000000106600000001000020000000e3f2e0459741e99e3213f7ef7278ed5a86836d6811629de266a35a5264aca5ab000000000e80000000020000200000004deda11537bce7179b7d5f5bc76e5f86914dc70c1cb5dc92eea5aabb79ec7e5920000000cba996b7d1cef9cf543856ed0c1371e9ae7661658c7a4f392190d049d34610bd40000000d58db59fe0fdb67a4e24a11a8ea2e0ae2c554bed363bdbb35bf8a571fde7c88dec498adb005d4d3b4c87866dd68a1c784c65d4f207d394aee090e4d2c681ae3e iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "336581764" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "336598358" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30906615" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30906615" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30bcded4f798d701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000034773a8ab77c504caf8c2399da1a34c700000000020000000000106600000001000020000000260b9d1afe1c40d33b135db231b0349b293e7bfcf892ebdcc77181f5125d711f000000000e80000000020000200000004f953974fe6765bed02cededc47656cba213071d4b5c857862e67de66d0ef50f200000005bac39d5365b794e238aedcb0ff88f9fd0bf0ee153023e2c71ae22f81034127740000000cf44ae90069b717460a82e353b22e950aeb1d5f554664f65d8c38e131657fa88c59bec6d63f4da3105286c0e49b0fba1c95436d04c5fc1b832c3a3a34741c665 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3904 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3904 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3904 iexplore.exe 3904 iexplore.exe 1288 IEXPLORE.EXE 1288 IEXPLORE.EXE 1288 IEXPLORE.EXE 1288 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3904 wrote to memory of 1288 3904 iexplore.exe 73 PID 3904 wrote to memory of 1288 3904 iexplore.exe 73 PID 3904 wrote to memory of 1288 3904 iexplore.exe 73
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://ntv-play.com/video/04169823/tls/console-play.exe1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3904 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1288
-