88a50ba6ab5d4368b10010758cc4bedc99d76393239207a2da1626627bfe80aa

Analysis

max time kernel
134s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01-10-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

help_cs.htm
Size

54KB
MD5

22d33848ee6cae8aa8c1e90bdcd65226
SHA1

982e9769391e13507289928289f11aa6e5b6c91b
SHA256

b8a728e6bd697922bc23732cd444d25697d418ec6fd7a8cc322029cd71670148
SHA512

25f1415f0b3e9c34fcd7f896b784d340622f74a7ff308c62da8961c1b7fa82f7ff038b54fed3d9a048a67039058d1c9f604f3be56f495288e417eacc034f7822
SSDEEP

768:/3AjqEZHfLqlREwa3CL+9pcYX/wXBSBHz114I8h9KQc3G6mq/zAIjRK0:/4qC/KEwan7/wXBSlD4I8h9KQc3GX0

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{08B06E51-60A6-11EE-A171-5AE3C8A3AD14} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac20000000002000000000010660000000100002000000091b46705637612f643d40abfbe6ef2c8c3ed0ad5276d3ffc71db38c5ee666094000000000e80000000020000200000004098f2c576c2ed035d5f5a5239c9f8ef6963a44f7b03a293f4d4bfeeac249e0a200000000f76218fe3fbb485908a747c04d53bbd49edabf5e17dd7dd9f929aaa8be1fc43400000008903fe3523cbc74fc9bb41b05219a6561b89b0f2fc0f473846ea13e0ba301d227eb16776a920e8740f56b91fddbc168566a8f668a42cb6076bfa50910a26c68a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000e30bbdb201149fd280c780483e47e1468c9656213f4cdddbe97a2a2ee72cba96000000000e800000000200002000000018a0e10c2264736496fa26d94f387c6efd67a8243ec09aa515b7388765bb6b5890000000ba1cced7047a2c7078d098a294d3cca5477be15fc5ac1efb9b8b6503e25839b4cd99dada29d7e95c69b4fe85ace1a6174068d5a97a21f4fde4b25b6ba7b228c937d133dc7ad1073d7400bc7b6994d11d8df413092bb16089681578c6ec32def6e61fc1d99b278cae51e62da921e96a2b0963efda34d4fb0a134e28c5e2d0d3f5a5feffbe50e9b486c6acdf94dca1fe18400000009276d783414e089e414329606cfd94d363ce92545dc168ea155db5f76c82ac37eaf9b00877e918beaec083b32cc362b5c1b3cd8863d2d009df67e26bf8c6a532	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506debddb2f4d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402359562"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1696 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1696 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1696 iexplore.exe
1696 iexplore.exe
2968 IEXPLORE.EXE
2968 IEXPLORE.EXE
2968 IEXPLORE.EXE
2968 IEXPLORE.EXE

pid	process
1696	iexplore.exe

pid	process
1696	iexplore.exe

pid	process
1696	iexplore.exe
1696	iexplore.exe
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1696 wrote to memory of 2968	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 2968	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 2968	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 2968	1696	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\help_cs.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec59c71ebd99f7b92488b36b058c3611

SHA1
1da2892e9e09188a00b056a4290c84e475f7dae0

SHA256
275f65d816ee4228f68454a1bf294f1ea4a779177e841fcd59bf3272949581ce

SHA512
a9cae36a23dc192bd0eb761339dec3832f2e5c24f89707f3281f028ed94b8db56df72c7e411d6a0dcc305cbc268c292e5a56203fbf037cbd7f516ac3fa4e4d32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a796696d6b32e7694e81404d65f84dd0

SHA1
ddae74a0e27cbf245e9e07a23e3d2e848534051d

SHA256
7aa23bbcabd8e3f24726fcddc3cb081bb2a4c9f31ef88f8b945387c2ec958ec8

SHA512
fb94d24ada31a9f1ed37cab2850274d5ab0f6eb02cbbddd58b21753b2c822d5254073e9bfcde4f3163aaa927f2347237795db7e28f04537f31fa5f88fa16145f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d02db0ee66a4e18a58e55ec99b788f94

SHA1
7dc12c5616c3c8b947ec6f5e20afffcef6734646

SHA256
99a527275713a595ff2ecf9cf3d1ced27c667e9850151b98be57f9e39f1b63fd

SHA512
0f296cb04240cfa8db112ee07067227975e71518415373bbba67ab6d3f24ff4728c0ef1574c3f65e32cb69bc2583523cbccdbca926986cb22d068682962033fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3e6eefad00fe169a051a0e32c00109c6

SHA1
e977ded15b8fec426706ecf1f3c37610ab88bf01

SHA256
ad6444797576b1f71a4c17f1c694ad8df5d1903c160fa39bc0e2e30523e56895

SHA512
30e6606c53d03a4a24a946606a604be820b2d0f8927c616a12063aa4a76dc4451b93bfd6014d07b725afaaa529401188310f90004661b027d62f809454703305

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5dd46cb757e90b53cd669b19a1b449a9

SHA1
ac6cb28bafa115c046a8655b190d52958ae54f83

SHA256
54c5b6a616893137d7db79425b5ffbab97cd999bee3d46384c715d846f38fa44

SHA512
233d769ea9aa8445ed5089e852c4bd916ff0a65143c1853536096161a57424897b2908c7e91848b1c54867b8cdedd52c9628d39c748cd61afb0412f0e0bbd087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4c5034fb0f7d92a0221f9652f31d7745

SHA1
5cfd0eb7e5800d46d6a26d1e48d90530a18932a0

SHA256
0ad210ab6ca72d84868ca398ee26819c006440535f34287f221872da8f351f34

SHA512
8b3ad38bdde05f99dc24dee6a2d78ef04104f414eb0c231e929566843cb14e580928a9509fe6c816c032b1db03a9e6afdd6edac4cef1d2c541e793f1bdbbc532

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ccb9c9f99d5e648cd7cd6f47e4c5c70b

SHA1
bfdda66156056db17bb114fa696fcc5ebae450e7

SHA256
d78da9194f5e28f8f39472fde17e54af125e8382323a86beb168e43eb151d469

SHA512
afa14e18c255505978748b5a0c020a6287f0f18f85651d15f91abc05240732238ca7bf451fd0a0f006bc3974a3f43c185d76495e884d4e8f7b88dde21b4632a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eef950d83695e57f6d3098688a76b806

SHA1
3615d681a00e82e9d1a2eb192310c1d151f958ac

SHA256
4e11af1ef9fe8702007da44f6244fd167161f4b41d086063b36c3f23f4023bfa

SHA512
a16507ea47ede5605f6cdbac610386d01a52da566bf7aaaeb8fa16f36bf42b581dad6fe873e7d383f8edb6eef98b91c81724b806e0ed1a71ee2374a1913315a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c1a92b3bea360006f75bc1d9c572bc12

SHA1
8b87ee302465538c3683d046d455a3aa2a6257ee

SHA256
12709ce416380c871e3a2f1804cb07cb5aa34cdbf558dc59f4beb90c996cbb00

SHA512
3363995fe4a0091e229d0c2cad7afa81a85d769eab05d64aee8c092fadcfb4624268a77a2dda8216163a6fb001d82ac6fb90739e550ec68ccb525c6e4a3c1b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
68d93541ee63c09b5d495389273d6eef

SHA1
2c9f3d86d9ccc47b8dc3a2b7e3ae6eef7643f96d

SHA256
d910fcac09e977081ebd8ba726c0d2f05a41236270eea96fad6cf00a33bd3bd6

SHA512
86538e210f29f5b12a543f1cf52263c84197bf959ef2c1cf5a842af07bcf80d409731711a672f247df96305e29115fa2c21c6224cb22bb4415b58477c6bbe2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5277.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5299.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit