f289b4cf6ce9e3be9df1136a91c06a5eadcf2fdd7a5fb440330c1e3657b39780

Resubmissions

27-09-2023 04:24

230927-e1rdpsff41 10

27-09-2023 02:17

230927-cq4vyage88 10

Analysis

max time kernel
136s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
submitted
27-09-2023 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad.html

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0FEC8F51-5CDC-11EE-A96A-6AEC76ABF58F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000b314bb750021bcad7edffb76133e0c35e91a525344baacbbf82cdcf0ba7302bc000000000e8000000002000020000000803cedaab02023a5376fca1e8f11a0673009db6279e582ee975e0fcb133116bb200000009ab6ba6fa96c70296ac03d07b21fce04b3acb0021a23182752e007cd3b86ed5d40000000649411b5a5fbf943b26a1b6e5b596f06411b7b49e8c00ce6ab11e1265ae23450a320bdbcecf062016719b9ea927eb29c8385b9115144c15eb4ac65bc286ec5f3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401942941"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40dcd5e4e8f0d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000085a488279584e10bcbc7221853e478405e83f4c3fffd14118a9c52d1b193face000000000e800000000200002000000022769be9d7de49c6d1a636af418ee99ad192fe6b5b95f908b732c3597df9f378900000006c6cae38fd4510d2ad655b3afb47d2561182c087625c4c5f18455d267e129e02d9603ca7feac6e460a9a41f9d80ae249abbbce158a05a75f9805911b685e31afa321d915756c784af468aa1ac7163dd9ae7191ebc557ec7d8d481a85ebf20517c29ca0cb67b7f569520bb3f35fcb9eb80f120041792f55f51f8216306d1c4cde1694d4884c171c1d391e557f3b77bb37400000004a3c5175f1e506578b90c4bddd29eb4735ea5e0b5375d6ef96270921d6ea1cce826fcd5ace6d96bc68eb36e3ce92887657e0e53bd2616d07a5c06651312dcfce	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2692 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2692 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2692 iexplore.exe
2692 iexplore.exe
2716 IEXPLORE.EXE
2716 IEXPLORE.EXE
2716 IEXPLORE.EXE
2716 IEXPLORE.EXE

pid	process
2692	iexplore.exe

pid	process
2692	iexplore.exe

pid	process
2692	iexplore.exe
2692	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2692 wrote to memory of 2716	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 2716	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 2716	2692	iexplore.exe	IEXPLORE.EXE
PID 2692 wrote to memory of 2716	2692	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ad.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83b5c5b4049b9c0d632f4c8efd3e47fe

SHA1
eff6fd8e3fba19ad8cc4d9bb39b40725bcda678c

SHA256
357e3a7b3cdc6dcc36a07d97a055cbf9bd082693ede1ad3cce175612b797c3e1

SHA512
cee464fa9fa9f71c94d60387508d1b9812145abab7afe194d19492d312b42ae526370c43fd1747734de8df9e315360a1f59478eac245961e5edc00dd20f70968

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2128f83d796cfcfd8c2cf003aadf49e6

SHA1
dab2f99e7854d0f324ec6f55ca7a7ac9b4e6382c

SHA256
518d078c63f472014fc96c1414bec629b3557b9ce8e65b7323cb5f37b423c068

SHA512
ab4eec8d0d7c6bf63362a298d834f645d5efe43335bc5adbc817ac6b7794ce969e8cd43515983f1502f94d487798fc5a682c0770cb401a3a663466a96d53e7fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a0bbe447261cb8f5a7da4af1fda12c6

SHA1
dfc38f87dde66b1ee10706aba8e94d7ae92383a3

SHA256
df40b1f58c2d616736369b98cd62d782beafa948367b62c193cac3476d47c5ae

SHA512
7226787a3d3a416758fc14ffebb444cd637f26f46154b8e24f3e06509a72854512e0005434a87d7242c21d5e34625ec04f0ae2121f0623aa44148935b6a7131d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a28423316c2e8adfe7bbe87677d4a00b

SHA1
295e556c1692c328a70b4e8073d8c653b94be353

SHA256
0a97ae496d5b92fcdf5bf9196557b29011d53f50e040419cf33e84c9128ae0ba

SHA512
6fdb1e6a41306665dc53295d038ac35dcceb15b34ac6591e04ac806a74826642ee61766ceda5d217120c66ed78260dc93d2f3b3f339545fe07527d31ccb42a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cccdbae1200d37abc05def057c31d054

SHA1
83fde21ea93b849d368a65c54d21a8baa4f09425

SHA256
848672fd4af19258a7edfa274d923fc9cfcb1fcf9cb1321456b4e93cb491c4f3

SHA512
e1d3312fa2339c17ff1124117a56409aaeeccfe8b6efdf0034acb82197315ec2fdceada1b3e3bb8c0d8a515f39387dc9eee180549e95f9a45c6a3b9e5c964fdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d900f43785c316c04c398b9c9611f24

SHA1
cf2468ed2f98b084eb24f1c483421fa3686d9cf9

SHA256
b76b6f33bb158b694f0a885839aa7a5f16f88425bb7e57a11888c2f6ee988ea3

SHA512
6be6be33253bcf38fd63603d57dc3a08f70391fb0ef8f4a18b1e007ca1aaad4d573995a593833bcb414b671120661c83f8365da3acf35ffd9b63b8e671eced48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ae4a2599fd985c8b7573c9b94e6e295

SHA1
c37e2293db0dcdf4beed14427f1e10bfee862ed7

SHA256
38b65e0efa27ad14f00f61b4c4884fe63f74571bcea83d65bfdd702cc1f9ec04

SHA512
00cc6a95e0ca6bdeb72e921177bf5125c2723dde3f713a453b55b8afc3a1dd7fdc116b291a6e5b8d60b89d48babc67f8dca74db79ab393aff514f2cfa522aa61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6044d30eec249c39c2853dfa9d248295

SHA1
9b30d8043ff76f24913814d980945db38df84cf0

SHA256
f430e57ab8c754d7a798298d44ffbeb715ede105123d70b7531d9c1b17377e4d

SHA512
fd450cfa78742411d0b25fb1d5a5a1fd320131ac6d3e809f5be81ab4bfcb40751f1aa2cc09ed2b6aa6e933e339d1e4bfaf191ae02ddfd43a46439a314aeb0ee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7f0ef7ee24a8e7795643342a9f4e8a7

SHA1
a6c10c2f26a340c3135c4a03df4bd2b1e9ae072d

SHA256
55f59d5cadef99fcb8c40e5b5f5ec7d446463018f29c245ec7700bcde04fa1a3

SHA512
740b10d9f794229448f0c0970bfc3fdba0c02c76f188d7763f1e7b1909c1fda959994938ff6553b97e5e3ff8fea9bb7b31bf4335a9d7c1964ac1146d5be7cede

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31fccfc7121c9bc48f6a64ee64940a73

SHA1
b65bb793d03f322c1bbc0802f8b53dc45726d1e0

SHA256
da0861b27f776fae5a41c3fd329a5831a911a2768db1323e94677c081a4af993

SHA512
d9b40dbb7ed37daad9bda2f999c813b0a2cf605427f359371d58459d12595c2ac95535d9219bea39d7ba6138424cff81d81c73fb37bad8276f7b79e5646b3a0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9cd8118686fe144c92e87dea3d1807a

SHA1
2fc7dba5fefe7186a93198499a057f88cecc3e1e

SHA256
ce512a0a9c83522baedd955fc518fd408f582bc2e2844a50481e1789aab853d9

SHA512
88549b3b8f0b8607a68a83bf81e233f506cfc29733abb93b944372800e567f91815d413363ae4c914f54401987cff34cc28a2f54f7bf6a6fe250def13b2597ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd12da46672f5e133242695adebf3aa6

SHA1
098106aaa77144583d7c9ce91debf3f37045a79e

SHA256
22e797c6796e94e754fcd41f97f49a1b82371069d9dcec3d93cc8821bff4c4d2

SHA512
680babd84825334093aa37fd7d50c290df117acf5dc56cc84a7dd057486ef906fe9e76ebf92d004f1398e780d3412148e95b6500a44d2a0c7bb417e34ec66776

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3921905803bedf2bad6b18f02005c010

SHA1
1b4550e06af72aa82b67b955975f50ddf218dab6

SHA256
2becf5f1d830cb21a42ffc2cecde5b81c988e5d8286fd16471a78cda2218f3b9

SHA512
00968e2c1ace03478545ac1475fbbc425f519a71d9776002108843786b47929d82d39283c41f83e593553b13da554414c714ee4023ba1d13fa71574748941d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cdc5afed2bb1b5a74bcc9d9323f14a3

SHA1
7cf831eeab8305730545eab36b8f38de86d15771

SHA256
3782b476bac0bd1e8b80ae2f34f5e68a70eb9c6e7ef9ae3e04e36dcf891c07f7

SHA512
ead380f9d09e5bd957ce5d0617925ae5114e5f0e1470bdbcc365dc9489f596a83ba8f6cf7824b8df7f7c7f7d4e35b6a60d7224a90256775f9bd2bbaf1fe95248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b44b90bea40822ee81b32a48dae42a35

SHA1
009e2c3e47833fe0338501a3ca1a6c22d343f74e

SHA256
afd10b99a65d9ef39f6bf0de3f513a3b12ead9bd1adadd7f2f962305cbefb13f

SHA512
d9465c6376ed65714c04315622f031288146c5f9db7a0e92cfc7a04fe24496f5a5402a807f3a917c66cfc259f160c1da1db1197ebbff75c6ac6ae40ab682bf84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c244b785ffb3f97894bd039895d3ff8

SHA1
00bec9e7f2d6de6680cc07c49c04d50b6c708be6

SHA256
2dcacff0c521b02b4a51a765f47cd60a2c19148b5776253fbeb3ba4cabae9b3e

SHA512
4442548fef8677d6b520ef2ae0b0ad3402813bc229fb8bc1e8ed8f1bdb8524950ebd9efbb292b199c3ac12a8d801257330f10b87be2338db71afcee2122775b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3aca8fe8778a69514d4d011051d773b2

SHA1
bb8c3d993211272a76854fe4c1c18d65c2629790

SHA256
709303e4d4d0b1a7368aa15e5e53d6a5d73d295fe6d643757798d5d2f29a2cc8

SHA512
ed14ed6405c01100a130419a6e263cd09492ac5e95b0de4947259665b363a4b2caf34aea0a6029c4abbcbbfcc037371df4f2848f3d894b3eec61513a18c1d2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6412.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar64B2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit