Analysis
max time kernel: 43s
max time network: 44s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2023 17:01

Static task: static1

Behavioral task: behavioral1
Sample: EDD_CA_Form _02701220.html
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: EDD_CA_Form _02701220.html
Resource: win10v2004-20230220-en
General
Target: EDD_CA_Form _02701220.html
Size: 43KB
MD5: 4313657954a8ea67e7623ee326f4c380
SHA1: e64b29dcce144168037a5dc110d3ecc4f24d7273
SHA256: ae73d68868298a76d8d12339a2befe7d071e4c9d46269172e12a0f54fc4f11c6
SHA512: fc1235a9f3d15d44f9c50295921f84c6c816235ddf5d4da74441f03055c174d22c731876e13b9429f7df57eb4d27889298eed85faeadf5450288f8c895c771be
SSDEEP: 768:UVfBXqLio/9omkwkSJ6q1J6s7xfpUalrjBr:UVfRq7/9omkwkSJ6q1J6s7xfpUalrjBr
Malware Config
Signatures

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 103: api.ipify.org
- flow 104: api.ipify.org
- flow 105: api.ipify.org
Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e006da044e66d901 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28C0E1F1-D241-11ED-A03C-C29C0423A1DF} = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000a596b70de8bc704766a3a2d43583191f774c27e58eeec1bf58fdca8979a4f4f5000000000e80000000020000200000004956c9ed483f2c089ab9a28f65cf8f8f167daa4b3475dd5cc6c501ea527883e1200000008c44818a48f1c2a13b593b5120ce6e06d3fe7e59b48d45b4ec5a91d8980bbb4d40000000b06c17ee52ecc311820123891a2ef293fc58b9b4a6777f2cdd36bdd97d6ba7c731c809837685efef00805700c978343ab84f70f01ba30d02184de09a14998303 (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 1072: iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
- PID 1072: iexplore.exe
- PID 1072: iexplore.exe
- PID 564: IEXPLORE.EXE
- PID 564: IEXPLORE.EXE
- PID 564: IEXPLORE.EXE
- PID 564: IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs
- PID 1072 wrote to memory of 564: pid 1072, process iexplore.exe, procid_target 28
- PID 1072 wrote to memory of 564: pid 1072, process iexplore.exe, procid_target 28
- PID 1072 wrote to memory of 564: pid 1072, process iexplore.exe, procid_target 28
- PID 1072 wrote to memory of 564: pid 1072, process iexplore.exe, procid_target 28
Processes

C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\EDD_CA_Form _02701220.html"
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1072

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 1072)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 564
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 61KB
MD5: e71c8443ae0bc2e282c73faead0a6dd3
SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Filesize: 61KB
MD5: e71c8443ae0bc2e282c73faead0a6dd3
SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 742ad51fe45e95a227f40b34db98eda8
SHA1: 878b72c2565225ae4709488272fea2c829a65dfb
SHA256: 6bafb4deec3c0de40c8684e32c29d602746f7db8c8fa049e30f014d81a2cc640
SHA512: 083c2c8c7ad39a4f03f1e8019354d51d8bc4a17122caddf379118148ba6068c89731605733422398b23f1f006684852e9c5e4791060dc0eb7e20f1fcc5bca279

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1764e63dec1b21d0731b7294fee42fa0
SHA1: 8fbd70d0edc53fd4d130ea867c43806b1e270992
SHA256: 3272d47bf1da107643d3f6508ff7f6a0666385f648a8c56e4a108c81ae87150b
SHA512: 43fc9adac933633a3489d0ca3e1216fad526c17082688a869f4ab16f33edf050c5827a64bafb56e3c579d531892063555a1bc60d5aa80210e6a6b5077a86d72e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7c24ebe767c3eaa1653c262dd0cd1469
SHA1: 6bb7679fc534250812db04429cae20425ede9843
SHA256: ffbe35a0bef3a351a41e1edde5c16dfbe2db1f068b1df9945441791f421e855d
SHA512: 61f60de248c103339368642358e83e6bc0689628cffe7986faf4b6424b4dc62cd135f47e8ff8de5893b0a0336450fabb41a68419057b822325b971e3f9f57674

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c98ccae108f319169025e6d8563592fe
SHA1: 6c160264d02a275d4ba6ccc755afe2f29694c547
SHA256: 526472b3c5a753e05caac2a7b259edda5f61b3c38a95eceba5685eaf13955ceb
SHA512: 0ab95b2f2b38fbe4701b365690781da8ffc1ec5aa9990c01f1b6b967c27dcc131913112feb5cc0d85dd2c15f791a36b9d0d6993e2c2e0b3ac58b77c3fadd121a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1e288805ed5b33920d3dfba11d9cadc0
SHA1: b823ebf2a3bdd07955a754ee3fc1433da1ad83d6
SHA256: 2efdf5e57d51acfc76d46a999eeda82fb821ad9e366454b6ef08cdd3029e20fa
SHA512: ab777dbb9730f29a44c509b9a4210c75a3c305c176341c8c79068409f1b78228c6c8ba4d6ef5e993d49f1593c5df64577ca45e851fb105bf615808f03b265f47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d9060cf38a4dac53512b928c7080aa45
SHA1: 635b724ccdfdeceb5d9144230728239250a6621e
SHA256: d97c288452e56f49c5155b84d8c522ca3a4561412de835bd796bc3cfbd4578d0
SHA512: e5bf75ab8740e12b1cadfe2b76b39005249e0ea09af9eb8a4685becd9843f1db0d1e0901e88b4031ce56f5c756fd1e54a57e4934b9b9d959b1d321bd7b0c64a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8647da905625bb54f08d1479b6f0d489
SHA1: 36951ff3f5ebf51d8a341dd9ffaca03c255c850b
SHA256: 2eebe24f4a0c7e01b8614b9708bcdea853f5910c7ce9437c5c28b29aa2f152db
SHA512: 90fccaad8f3a14c81b0063ce4b8f36c67bc66c2ad263b5fd36f3e967c04b16cb05be568e5eb176c215c45e0b0b35c9f1728888c9b8de7350b8c35056ca4492dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 51762bedfb2f597926f761797702ca13
SHA1: 160e7b6f1999969a2c620fde3faf5df229baceb4
SHA256: 8a73db92cef3835358bfeb97e1872539ab7dc5a8a94da2b132ead4c4d1c0cd09
SHA512: 9953f4cc1e64ac7c437e039f6ca8897d03a6c8bfb990b77a812b2dc093854e1e2e598a3511390ea290db74920a47638abf1280d2e8864a26689171801041384e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 093a548e7a507f9b9e209d86c48d0c94
SHA1: 7ae655ccac432b8a49c6119a57ea3a6a5e3af570
SHA256: 4890cbf930e3cfea54d52340d1595f4487be364f47e6afd576d7d469da088246
SHA512: b6a6b51ae6168e3838f58cea7da02ed9527c4ac7eb28688e72086f9cdd9b0b8805b5296e63594a825ee124d4e9577041b31388bf018f29add1b92b84487b5df2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: dc0c29d30e1e3a918007845149aa4fbf
SHA1: 47563c2a40403f0c8fcd3ba2db2a7d5a87c17bd3
SHA256: fdab36e7434022eda05747bc434e07344c1f0e4604458ce31cb80fda66bb0344
SHA512: 949a1597b832bd2fccc23b2e7b491e3b66850eb32ebd1f5fb291dec8890bb5cd7245b376ad57dbced5f09758b4780eb1e6ea6a1352da485835666609ee4a5253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9d9d1bca109d6af000cd6f0f30863e7d
SHA1: b1ac17c33c4a9d125eb0abfd039b6bee41fe8cdb
SHA256: 6b51a4f1f0b03fd32a66b82c80ba68ef33689613dc6bc7f5e3662477573778b0
SHA512: 62dde7d54ce654c09615f14a283ad29a86285d02cbf5d53a2e44c8628a6f6114e862cb8bec0c60ca00e5313c92cb508eec050999d403e1d3a6ef45520f67f53f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9568b161fb925a3f0af080474d45b61a
SHA1: b9830681e96955f12e892007b91f1ce81f7d2970
SHA256: 0534da725df9e5279f5d2d9d4bd9438a301d38b9c31a58a9a9f6eb0d5055df70
SHA512: a40e28cffcd6c2c4cc24ee898ff04b9ce03ad678d21e7d5216774ab013a435c1150cb0fa9e07f5dbe14839cbc2ac33a1e24d1e26e5004580b31b8f19bdcc945e

Filesize: 61KB
MD5: fc4666cbca561e864e7fdf883a9e6661
SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Filesize: 161KB
MD5: 73b4b714b42fc9a6aaefd0ae59adb009
SHA1: efdaffd5b0ad21913d22001d91bf6c19ecb4ac41
SHA256: c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd
SHA512: 73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Filesize: 161KB
MD5: be2bec6e8c5653136d3e72fe53c98aa3
SHA1: a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256: 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512: 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff