39e11c660ab5c85f9d7a277af1bdcb56e51710f7eaf71aed64eea167266bb764

Resubmissions

08-05-2023 13:17

230508-qjgzgsce9x 10

08-05-2023 13:13

230508-qgbdxsce8z 10

Analysis

max time kernel
34s
max time network
38s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

How_to_back_files.html
Size

4KB
MD5

0f9fca06847beeb3002ba6c5ef581b85
SHA1

f48f51ce214c3c9163338cbe602ad20ec94692c2
SHA256

f3f829da4ed0a712f900b44758c28fc2da0fbf086c4c30de7d5d6400b72c97e1
SHA512

215edd5bebca6539e7446455fc6eab03d14599dc346011f4ab3f24d16db611c4161c1074cbad8a18b778081739d76d1154558a5f35d13d7562e6da177846ac7d
SSDEEP

96:8y+cAl5azrn+DtZogW4mSrooF4kcZEiKFe8LuRj+:8OAl0zaDjvFrhKKYQ5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000e4149d16059a74a6212fcc5da704a654d77908499933edd4bbe578351c5752a2000000000e80000000020000200000003c8275109bbc82134cd0ffa587a6f9e001a8f84279d19dacb8ce1ffa4c8d7a142000000060254bf97f69a93592a839c6e09c99fc1d447b3e15f110bcaf52ae48897c2cdf400000006cb755c9583fcbc9a09010916431d90cc9578fd149295f248a2d67c67bcd8830993b51db6eafbcd61cfa389287fbdbaef766040e61e5328b0b3958a1e742a85c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02a1f01af81d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c000000000200000000001066000000010000200000001cc212a48a4b41fe307f9934b30a04157c6f582e0da5d00e8afdd7d06e4e4103000000000e800000000200002000000011d5b7c6765669cb2028e711f036890b5282cc1555780dc50a2b02e01e7cff979000000034204fd949053e2b5364450e48e0d78469dd81cbffc89792e81160c803bff061b48b019059dd071acc98e4cff9c451469c24d4730940e60ed5e9f18e57e9a321d9a79ac89f4f741367ca28dd954f60d6d3e424ce60d2cb4624a00f0c2d5e386b5b5cd3136d3d461c9c6ee3f1ce4c167e00cb8c77f73a58e82ae54f44af3b53dccc3dfd066f00512b89318a50f40b4cbb40000000e5ee04d4eea170122582ee43e57579de7ce25b761ecbcd6fd33da492b0564ca74230307b1cc341dd2f8ce48f72b96498ca8c87d6b701f27cca02cd0560d9a048	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A3DA001-EDA2-11ED-B07A-DE010D53120A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2012 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2012 iexplore.exe
2012 iexplore.exe
876 IEXPLORE.EXE
876 IEXPLORE.EXE
876 IEXPLORE.EXE
876 IEXPLORE.EXE
876 IEXPLORE.EXE
876 IEXPLORE.EXE
2012 iexplore.exe

pid	process
2012	iexplore.exe

pid	process
2012	iexplore.exe
2012	iexplore.exe
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
876	IEXPLORE.EXE
2012	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2012 wrote to memory of 876	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 876	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 876	2012	iexplore.exe	IEXPLORE.EXE
PID 2012 wrote to memory of 876	2012	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\How_to_back_files.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ee01f7eae6bf4aed7e2feb9ecbd7e0e

SHA1
40e042180f98f5a0bbb5c9af4e998d4a724041de

SHA256
273ed025620c35cea7c40c53a7d88937185540a312d8ff71f543d7ad46d65e96

SHA512
54ebfad1e59ad2b6ab24ecd9fb724245bead3d14dec1779d4d9b23c882ad3682772bb2f40f4bbf0ad1f25e01a7cfc533fa624676c1e50667a178e8a7b07af128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b02a3f3efa2dce298bab76f890e6293

SHA1
2bf6627ab240b947a3aa89d352c4acc5761464ab

SHA256
62c9d84dafb6047ba401a51b3b1c37650e61e3a1e9baf1ee72b01ba76dfc9929

SHA512
77e71077762831f7ba233df683840e34fa72742b8d4b882ed95512c38e5cd3f9613746ef54a3eb3766a8acbbea7bf2621b1393639de0fb3e3cf4188dec2270d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b02a3f3efa2dce298bab76f890e6293

SHA1
2bf6627ab240b947a3aa89d352c4acc5761464ab

SHA256
62c9d84dafb6047ba401a51b3b1c37650e61e3a1e9baf1ee72b01ba76dfc9929

SHA512
77e71077762831f7ba233df683840e34fa72742b8d4b882ed95512c38e5cd3f9613746ef54a3eb3766a8acbbea7bf2621b1393639de0fb3e3cf4188dec2270d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
412380edd2688936d7b417204818e09d

SHA1
a8154a362f218fac5fc3a49c0e652b7b7c41ce06

SHA256
6babc8ef72b50296347632adaccf1f62b8adc0e73611dfff92f2cc7ac3539da4

SHA512
368a630c91cb2f878a16c35f97bdcb1596160b446919f0dd673f8abe7765146fbb975d21da1e40d6261cd0cdeb6aacd8ed531f56cb205f7a42d831425876d60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13cbe18c323f13ff9e257b060c06913c

SHA1
963701ff8e4278aae52f0e350684572a8e87e786

SHA256
a901520532daab01f897b571d608ad584b056e0604392db97dcd5e1216216486

SHA512
6e65581eff1326429ff6f2bacb736fac528ed656f9177bd045bbde104b05a7598f7bfb7451c2dc671725429347bdebfb73b122776709c0c97f1490005fe98bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5885ff682503b66467e0a2f8f2326082

SHA1
de204eab8aab207954ec7e4af0a1841ca2b67df1

SHA256
47073117217ee62487fda3125700a04775f83ff510fd411a6002f6e1fc69e468

SHA512
ae05d20b0a49ed7d76c44ab6da298adccfdda154625a1cd03f71d01111ed09ca94bc89193ab7f154184e58f6da5bce4cd7aca7db8d492d8bca17f8c0c1ca5a3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e5083598c4a9bd8a7faf2412ca13aca

SHA1
7dca5ed2b99f5cce36ab6744471331980d3b832f

SHA256
89c04c8eb984c1d760861584ae89fb9ad95728838639f3a008a1c4795fbf87b1

SHA512
351c88c0cb0f31b0532ef7c04d8be0890297f163d8584f488fcf85489ccbbb818e6f80dc10d4ebf20f0e27905220713fb456336199383dcc54f03da1cceba568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05fc293a116c3694dc101601e960f077

SHA1
eb02eef3966a2e20e0c3b41dafb2caac0ea155fe

SHA256
91dea15f9940a68d1d1d9e985ba351734e0c114f792a3b90666401d7f2648a14

SHA512
5f2bd2101273783876ec4723685489ed6db1421124aceeb7708bc88f7dc7541f1526750b2137ecc0293b5fd4ada6a061b0d6f37d7d44660b51e7d87d872f1dc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a5690061ac758d26f9c935c908ed5e0

SHA1
670b81725e9ace1887bc197dd0324162995280dc

SHA256
efdf6423a3ef383c20043c5baec4e8da1d5684dce249e19316ad0f674b8f572b

SHA512
55f8aaed0b63dc87298fac8c3a1f184d87593ebf18fd59627f946667075b2beeb3ba40913c79b096f798796b1f0d2dce79ceff0536503ac17e2a0baa677848d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9BB6.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9CD9.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit