71a0f2b24b485d71da41c037e0e996e8cf13209695c5bad6cf5b765761780239

Analysis

max time kernel
148s
max time network
159s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

桌面壁纸-高清.html
Size

265B
MD5

8add59acd6d7b416ef59d4c8dc7e1bcc
SHA1

056a6bea7f7b14bc962fa79ce167c2432828cc3c
SHA256

8cef4a991e9995720ecc8751da2be8618d108dbc667bcfaa67f0d7abb0c75930
SHA512

6865ea244a5cd90bafbe2f119b8c25e0cde50b07a7aef210b504fc05ecc334582362e1886a8981237aa365f237bfeead1feaa9cfef8e5e25f0bed5b89c2859af

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000001f5fd26f8ce2da9b2191a352511cd26eea9fdb09a18e0ab65484743636578df7000000000e80000000020000200000000396c1006c38cf0cd8001dac77f47f7b117cc60487c3119a205cd6a355c39a6d9000000065377152727722ba2b1e3ac24aa776ccaff3de910a692ae9b9c122b7ca97bfdcc25fc4edbb04cfc053382b4fa83191bf51b6e0e3607b9327ca76218963d6113c7686d9f3a2df3507949c6d5038a1f96d0fb652876eaa087389104f7fe9fdd681db1077119b3a6b4cfb385b7d1959d4117af7b0572bf42ec860740fe2e19be3690ea51b83c1bb04c055768d76ce90b0f0400000003d469dc018d911caaa320e0c83cec70250cbec2ed41b821bf1b1fa9f0a1b49a630d71c6110c1705fceb84cd95dc2aef2711543b677e50b58daf7444c0b988826	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.kutoo8.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\kutoo8.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\kutoo8.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\kutoo8.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.kutoo8.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\kutoo8.com\Total = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a100000000020000000000106600000001000020000000525cb63dd9e1fbf530ebde72af7e8c26813149ad191c9068963f2a111ccdddeb000000000e80000000020000200000008f6dcbc9db2b9e4d99831cd870d0182ee578829bbb9e6f87bebbb579b44d891a200000007ccddae80317c47becf8d0382b15c3dc35ea140e90be83584f5bfd0820ba0c9a40000000d27174ae82c8768830c30ab1378737a9f7a050100b72ae69b0f66d8301af3fa3d00f8183f1527c1b9956710eff3b3c046005477f89c6128275624f745c1bcd21	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.kutoo8.com\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006619"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2413FD81-6B7C-11ED-9956-4ADA2A0CA6C6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308af0fb88ffd801	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

472 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1428 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1428 iexplore.exe
1428 iexplore.exe
472 IEXPLORE.EXE
472 IEXPLORE.EXE
472 IEXPLORE.EXE
472 IEXPLORE.EXE

pid	process
472	IEXPLORE.EXE

pid	process
1428	iexplore.exe

pid	process
1428	iexplore.exe
1428	iexplore.exe
472	IEXPLORE.EXE
472	IEXPLORE.EXE
472	IEXPLORE.EXE
472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1428 wrote to memory of 472	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 472	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 472	1428	iexplore.exe	IEXPLORE.EXE
PID 1428 wrote to memory of 472	1428	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\桌面壁纸-高清.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b77cd1b9a687e97c1125038b96b23400

SHA1
441c76ab236b54ac30766f86db81feeac43546eb

SHA256
611df724e8ce6ab9e93eac56f0bb66d8ee531e8aa81ac4f7d713459f9166a09d

SHA512
1842d0ab758143cb907d967a1494115da33d2f4cd66218c09acd7dbc13f4ae29e77269698d34a17eeb40e6caef34792d70120a46087cf29345bf8356d1a8835a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fbac9f78c0f51247e579ac8a3a7d080e

SHA1
8c4aefc99df967ad8142986af77f2241c623fd3b

SHA256
4c5cc5fd7c549342d7e611d886d2c22069e95a155dd8025a06b160248fa704d1

SHA512
c797e40dd8113600fe1aec2ab9b11805d108ed85ea48b4c1a4c1dea8defae10e5876c16eb9d0d1ff81465d2fe9886fdcdb6adac0fe46b82327cb12c65ccb7db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fbac9f78c0f51247e579ac8a3a7d080e

SHA1
8c4aefc99df967ad8142986af77f2241c623fd3b

SHA256
4c5cc5fd7c549342d7e611d886d2c22069e95a155dd8025a06b160248fa704d1

SHA512
c797e40dd8113600fe1aec2ab9b11805d108ed85ea48b4c1a4c1dea8defae10e5876c16eb9d0d1ff81465d2fe9886fdcdb6adac0fe46b82327cb12c65ccb7db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fbac9f78c0f51247e579ac8a3a7d080e

SHA1
8c4aefc99df967ad8142986af77f2241c623fd3b

SHA256
4c5cc5fd7c549342d7e611d886d2c22069e95a155dd8025a06b160248fa704d1

SHA512
c797e40dd8113600fe1aec2ab9b11805d108ed85ea48b4c1a4c1dea8defae10e5876c16eb9d0d1ff81465d2fe9886fdcdb6adac0fe46b82327cb12c65ccb7db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1wzfztv\imagestore.dat
Filesize
1KB

MD5
21e95432b7d03afcb76bef6fdfd4aefc

SHA1
565ed6412f1deeee312192c6992edcca8b2dbed0

SHA256
b9a0f78e68a54ae2da4e4565a800d316f8126445152ce6aace4bd2ae5ad94f55

SHA512
3050ecc6118d35d6313cd59a4485836feaa41f08b1d862234d207769ecd00eff280d392fc963b6e13020efac0ed84004501c192bccbe7d0c39ebd0e237c51cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9ENLWXPK.txt
Filesize
601B

MD5
0e9f8c6ce9dbce857cce5f317e237afc

SHA1
8664e5055bedcfc223a73612b715b83504dbb629

SHA256
ca37a802748dd85ce84f143e8fa4166ca183be0ee80b330313e9ebf5d43bfb85

SHA512
f75a090163af21eba4c0d56e672fcbef402320935005c2d9b2d887f3fa30e681ce26d44514e67450ff47d178698fcbb534be8fb4f1a4fdf5077deaae65780fa6

Download Submit