9f23df054570cf94a0fe1efe0fae1f6e7b2f66fdbd2700bb42c49c5e23214bbb

Analysis

max time kernel
120s
max time network
166s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paypal.html
Size

3KB
MD5

6e2f15c66234a7e12e150123fbd69ab6
SHA1

c45192d8b147e4c604bdae79ad3e4a8c4a4227af
SHA256

4121306c2b9cd81ff08ee1078b0359a9dc8baca6522b9fd806d8f805d9ee564c
SHA512

f47383d2e21b440091cb99dc1e3172e80dc171a51b92ecccd24004a7783444236d975e4eeecea27700b3bdf0eae6bc484f60ebb01c039878cc1e1ba545b7deba

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000000d3e9d3ded3b4927037d113b1e0a7b9d12f83c304b508f39b004603eaa8bdd67000000000e8000000002000020000000dc9e42e14f26e36b5216b23df81a849fa5d1dc0e97bf37121d40038920f4182b900000000528189fb952a8b47b6bda229d2556e63974bfe6b159a56ffea320deda666f89a26e81f142f1f375be03f41797eb99628306f1d23c301304a4c2e54c7fbb66ef5deb29931f732f03df28667b1f70895910fd2a5846b4de2ea5914d9abe67aa1f87ffdb7979f793b2977394fdec1b3844d8da11944e21f5ed9d369d84eee70efbe5073f13c263e4dbe355aed0e6c5102f400000007c4abe82a205182444b1f85a92b9357a4720841727ac0bde5148100808cbd10845a8185139e9c86cd1f52b44425fc1f0961e3ee41069174ad91d5d7c4415e624	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0c9c1b3e3fbd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000007de0c7b1c43d13ce2b8c5dce8e4f51597bb55389445565d4dc456e0be45897cd000000000e8000000002000020000000f970a0bd8ad69e319573c8680c99fd1d799f9f4afe91f1b39b5a1155c1c8716c20000000f153fd653a9abcd1ea434a7c872d44fcac2d169501911295685d483a3af9dd79400000001e89e1d022c0783b885be4ada4c467290a800bbf5778bea874c57c1cf10f8c519169301f4bb3e83532e06c3f27b256e45a9b7ba7a212b73facc2dc7c7752636e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DD131E41-67D6-11EE-A478-F2498EDA0870} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403150171"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2128	iexplore.exe
2128	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2616	2128	iexplore.exe	28
PID 2128 wrote to memory of 2616	2128	iexplore.exe	28
PID 2128 wrote to memory of 2616	2128	iexplore.exe	28
PID 2128 wrote to memory of 2616	2128	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\paypal.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4962cf4e5d2663fc3e3ce2b04927061

SHA1
355c8066799662c0c55ab62964ca6c08ca05f4e7

SHA256
0861f68b2fb213dcb6ffd6759539fcdece135a50c69064b55b7e37d10da6a55f

SHA512
e27748cd16f9d1690fb64cff3b4500593f5858512fe78897a0b440140f7d976cb192ba770656705f23262b7731b862379d15f2517e31d2bd1dac87368be8121d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc575799b30d754c2914db6fcce73971

SHA1
177fa3dd555752f4dd76bcd49799f1601a5c207f

SHA256
2440f860d34765510fbb7fd6df3bcbb3112b66c90bcb09db72c8c04a229bdf12

SHA512
0c9c10143b91b22950a11c819c57e187c752ad5ac3a437bd90efe4e7089c8df47d208c1a7d37242dbbf73c895083d0a47f753e57cf9cabf1abd886e203b6bb01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21f332a45ac50aa98129bb3056080cfc

SHA1
a1eec997b11d95ab102b032f7af69224c2cc8c90

SHA256
666205d80fb52eb8019d28ee4a623f91e801a455ded244267f6426d3306103f0

SHA512
5a12aa13a556b9c132a6e399d5eefe5cde3b0fbe0164344f8f3223f2d1e655a711c1b3dfbb42285f4d5d9d700d4b9a84ad395313f65665bc736ecd4c74c4513b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecaf0b25b07fd28488f171911b1faa07

SHA1
c04e10db2492b8f9176abdf0de339fbf9c3bbc4a

SHA256
82580a99444338f8d3f3de80b0dd1332297eb22e2fe34e1f072435da2b8438f3

SHA512
0f35bd9b2917c0f3bd8b54cf2b052ef5a85f82c3f2333a8dcd149507e0fb1fcd61191419487fe797de0b09d66b5f18f5edb84729f2c0622f74d1e9fbb5420879

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e58f3aacd9175954da1a9e35b2b8b6c

SHA1
eecebcb0197c300bca968ae848bd4be3dd11aaa3

SHA256
0b692bce11ce64a1a2b4d6eb33e43e3857cccd91d3c151b97fda281d17f5990d

SHA512
e9b69903d9b3726375787ef41965ed5a16b3d5aa7e34d50913cd58088037573a1c530bc621f535d18d366971da268749437e0b8cf102c199f4e2c0c447971667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7184bff4dc9d65162c2a9d5023a3c3d9

SHA1
92c99c75ec0ffbd700b94efdd21d97f31cfe9fa7

SHA256
f152cc3d6474123cd3c5829a800604d0eb748cee750d620f49f5cbb9bcda08c3

SHA512
9e32a2e2959f2a24702ded8e9cadcf51c7b53c6872d1fc1d428321dc4e3e5e1b29f43f8d92c1b82d88f55edba36ceab7d2f377b7c0a4e8e9b8c0e486721f373c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dd6d7cd8ce294ca9a74329cdacabbb3

SHA1
459a7a5d8bc1c5ed02f4ae9a880b2d8372004c4b

SHA256
c8fc8fbb3bf2256ad7d9d186e7d9e5d4b0c11374c1ea50d152c94dba1a98d7e9

SHA512
cb99e80df9eaae0797a00744aa798541f81ee63eb90d62497ce6198aa09238cbaeec14d885513956ed69d875d38030324663adbf3648b3e7f28db86951c33df9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e91e08a15c783a2c9925b9edde5daa6

SHA1
444352834e9017f2b3173596a1c32eaa9b78d7fd

SHA256
98e0bde4afb62bc4662c8e92e7ae438177934834cfbd9d0f2a67ddeb2936227d

SHA512
8e989eb3b15780f610caa2a9bbdad57a04b5a599b68f27cb4ebb50b20c21c05e298f7b0b03321711854b0f79f06d06398da22ed6f2e835123c45f3f37c984b25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d46d98206b78d3802ecfbe7d27e5ea0e

SHA1
8ded720fbf97721cf5085c7e2b76ac907d205b6f

SHA256
4648187696cb3f18525115183d3d2c8af1273a47139f068d614d994783152ae2

SHA512
bcbe668b14624bcaac8666fc3ae5140716507c15c31dff1bc88c46dc0094979746c09979c3981ecad607b10aaed8b2a84103d8f3b81a319e9a00a2bbefd5a97d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ddab36678294e755e30a0cb25617901

SHA1
78aef6f6fced94be6ff248f60657517eb7fc9a51

SHA256
a302b588194bd9479f3deead7f376e1ac2fba42233442beb265b4f50c8f7df66

SHA512
08fe9bc9ee90652b55a4687905b92953875fa5679088958d699bf6a23029a3bff7ccbc949cb0b81fd2e2fcb36f75a7db7f3919571a6b0482da36dc8caa34edb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c656860ba96bc4a4d2552c3bf2da88ef

SHA1
c8ac464bb4120db3c6fd6dc4bf20c72772b083d8

SHA256
46694b5517ed0bfabe18286bce714f0995dd6dea4b389ab5abe72e8cb1c0cde2

SHA512
e5d8a419142ff133f8f102fc30989d1fb31584e465576a135294c2a46765dad4c51cb8790a99ca8f716a3d4fdd31090b08fe6286cca13e5dbdb4b2d6fbeb65a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6f575ea779c17aab94dfe150590ca30

SHA1
461b486d8cdb18bc605a28f56cd05b2bfe8d5ac5

SHA256
8e9300b89d9e8190dabd1b2e9913d11753a906bad136d620733909c673b2d428

SHA512
bb70c8c5f3a0fc992b8ac175f6ef72f46dcac599fc8a1c0bc8af39943e39782f20e30d78e1d5d335e4d5f38558368da7893919362224e4bbfacea26dde08c5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67b6bcb4d61241a48fb98117997e57da

SHA1
2eee05982d2192e20e65e48470a6640c15499547

SHA256
362879e889664639407bee13183cf6abb9e5035370ec233c380101b477e1e5a1

SHA512
56a48ee3316af0972b2596ecbbc4dbbd1848bcc076e24e0bca780364b2428883520aa7be44540880d764f12e7f9811e5ade94e800428449aa7b6ef6c1e84c101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a125895b7689d32d817e004fa1199dd

SHA1
27def9479396a3c918d13b6aae744e2375088bb6

SHA256
0f1dbd42257ad0aea5ff63ce332fa5c9ac64bf9249dda183c575a5933d2e3b65

SHA512
fb6342c21cbaaeecc0e2a0923ff817b19fde1bba30fdd59179a356a66b2a8df52aef548e6160f502d31cfe329be8b4668e984a342118650532eeec19ee83ca7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
440c8c9e775de1cec714da88844143a7

SHA1
5c87dd8a950a3f82323f901f58354f618260e586

SHA256
e2b32750bdd464ae7376600946aba48fea38db1c090a18b7dcbfc1cfe1e3c34c

SHA512
088d004c42150c89b3f0c19fd6528e9dd7bd49e39bdd3cf687b4236b1426a6bb4d9aa42f4a1b179fbd8ad5f74911fe9ae0c16888ba263ddf952f4d4dcee7be35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76e027bae46a9ce3b383994ec0b0eacb

SHA1
91ace6c1f016fb8340465c00d5b48788603f10ef

SHA256
bc0d4cd86882638d4cdd79512aa360da848f0880602637b5df837a93bd2f15cb

SHA512
baddbf7e6147366935643a094f54d8c5f8fcaca3fd94bf00eafab96a21aa879bfa7bac3e5d615e2f49c2debca963810c10ebc5b118da9375c1b225e6a1b250e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf494ed0d95206197441b33f7489605f

SHA1
99ccf4dc2a5a4e79d31f78592cf9d184e482ecea

SHA256
95a5505ca0dc0d80454167718f4bc950ea6b9d720a954fce16771ed582f2bd40

SHA512
5182b546f0518efaaa0d58daa085e2367dd3ec48f2fad746d766edf39d917a5b9364baaaffee3714788b1397e15b6bc17469ba3d1ba9ff299e1b049a5a3b8cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB16.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBA5.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit