a734553eab322544cc5373f3b7f185e45fd02c5671e329e63756e1c59d4ac486

Analysis

max time kernel
265s
max time network
282s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rubyinstaller-2.7.8-1-x86/share/doc/ruby/html/AmbiguousCommandError.html
Size

2KB
MD5

430abfe3067efd6bfd1728739caa35eb
SHA1

7b6f45fa77ef5e9d850148611fccb2f0203ddb8a
SHA256

8241a87ba495065f0afcf937d753b3e4f0f34c39cb3c9274e795afd44f0868c8
SHA512

c95a7eff53b6de32239df293dc18f303e823868afe8c93c917d8f7bc7f587bef8f3d1fcf86f69c7eee8acae49b229dcd965ddb78f9d41d7c7dbb5257301bd3f7

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5149a7e5c0f224ca5f5cc8bd1b4b35300000000020000000000106600000001000020000000b281eb4501b5d253b04ac5fd9d683769c9508196656102e19c66238b7da3c2c4000000000e80000000020000200000004b5aa04e0d3710c7fc0b523b26382c406bc58a1767b9aef19cae90843de5725520000000069867d553fab67ec805bb04ecc0c9c403a3dbe53bf5038def931a3e34aa90b44000000048df35d3694f77fb4718561247a0d43449da5cc2e41c9384c87c5c1000383f4e8343bb3b932ea68a7ed6743ae50d58544a4e7c4f014944f264073ec3cb39540d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5149a7e5c0f224ca5f5cc8bd1b4b35300000000020000000000106600000001000020000000a08a940cd5a14cdd63750f332c628f501f5733bcf5a81f662c14a42729e91f65000000000e800000000200002000000026f6c346ed2a381ff8113dd98140f6bb743920f22283be57c2ad9b531524f6d390000000dc3bac332854733f8b24ccdaea6b0bacf4eb5c3cdb1357dfc22aa28b24994db6a74275dd527200967c627287e72f6a3888e1f431ae7d163645985815cabffdb2dd561b127de46b5982529eb0953e93db00bc980cd47fa2ab482622d9845cc58c5caff8f324f5a0494f0bc2203ee03ca3c4561d87f1946ba344fba3e4436ff1f3a7e97368549edd5f481759d411d1bf3640000000281c33cd9be21af075c739bc686ef22cbd56b7bc4f925997150571a604d68124645138de81baeb766d83912affa1115909cc4d109944e81dedb4ee4383b6bd18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404040735"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D7BA311-6FF0-11EE-84DB-CE951E2947DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b073e433fd03da01	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2696	iexplore.exe
3016	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2696	iexplore.exe
2696	iexplore.exe
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3016	2696	iexplore.exe	29
PID 2696 wrote to memory of 3016	2696	iexplore.exe	29
PID 2696 wrote to memory of 3016	2696	iexplore.exe	29
PID 2696 wrote to memory of 3016	2696	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\rubyinstaller-2.7.8-1-x86\share\doc\ruby\html\AmbiguousCommandError.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
340bd92a388d2e690fcd4f70927c0bc1

SHA1
4005e89666284ce960d977dede49377552920216

SHA256
f0e7a29ed9087641fec848b3db8574f689d18231a61ba932cdf60842311664aa

SHA512
efa2ed94dab9452969e3f71b98e77155c7a5a8d3ec7b98d7c31173c3b467f00167caaf435057a1650c48733a6272a4c4ef6205b6e5a3df5adfb5e7aa55eb620c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d501991ce8cf2104a2ee6272b049ce93

SHA1
377467d11aad7d0de799e066479ab5f33f2ee39a

SHA256
4acc138dd0ac59a26b3f87f0d373ca2975f0e7e3cb7dda7e384f6bbc301e8571

SHA512
473f02eae1b772b1250920f76f224dfe16320496acf50237dae47ee2997186be8a46165c2cbe04397fc5ab23f52f8609a21d39efa1eebc37f2a12e542898d954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7d1bef3ff9abd0baad06bfd9c4288365

SHA1
8937ac0aa521a9e224b08554d2a3d53f3be98655

SHA256
0b6f4e4995bfc42236ca871248173599400e6cbdf0bf616d8a0df7868a6d6f2e

SHA512
b76839b88930d35bd89a82d64cb38687d5d7d193af1556bcaedefb205269c05182b98592d2bc6d0bd90a818dae49a9f0a353e754f0fe137cb9744da63e5cf251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
173b250afe37388a173c6752b616df41

SHA1
70fc2f7d93c5412dad5b3cbb2dcd15c7c8afa2bc

SHA256
4767d02ce7ea889e949899f4b97e3077abecbfecf3f4dbca24adb43ce3f2d80c

SHA512
c6a36fc626adc4afe9e1aee4d91fb7a5b6046d712b01a24343ad06ab9c700eca6fe1a4b7d2072473648ab2dc1da5dbb88a311fcc5024d0cc7954200b3423f70e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
138d9ec00d0669739ae59bf482659f3c

SHA1
f2eca82920b01edd07d6680f7fdfbb891c864853

SHA256
34987ce464edd4c8d0c0f48b58ac5a55d1e8f56d164b1e38ac98f485c92f943d

SHA512
0d78ec5337b1e19f8454b3844a3e70d8a9cb7f0475a3bb7eec08357d7c5689726fdaaf5ae132560279e59190a218b445fe8f6b375dd9fad065f2ab02cb438681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9f316a2a0bcd2de0840b107d96d6d249

SHA1
95b863e7bd612894d598f6386a6bd0f8c5147103

SHA256
a8330d581d6765a6d15fde7497b6e190a375877bed7c2c0e5066cd77fe770f11

SHA512
7f99052326b640922ebed5bf53fa03aeeb7b03fafa5d92350dfff6aba5c889c4a892b64ff74d084c806703179aaf1e32d8b77cc06db015d485d85cda0c6c4cb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9f8fa75d9c17022f92003c176deeeab3

SHA1
c4dae2a95c68fc6def493bdf7bcb00bb68a07dbc

SHA256
c41edbeb23744ce00df8d2fca3ff5cc03620b3d89a9dc2eecb44d0a1cfad1a39

SHA512
a4ccab5b7c8fc64facb895b99b44380aa8c4370f5f81572df1b087968d52c73c8f639da52b0ff626d67ab8aae99f54ba26a53109d0c438abb7e8fdd17412ced9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
63021ac4101ec2d0b2a712ab24beca7c

SHA1
866c5e39e167826900f04155f9667855c42d347d

SHA256
ba591b64a792d11843f4d6abcc2901b7c865edafacf3d39dbcf36f1476592e9d

SHA512
f9f9bba3dbea2abf58022e45181bba51afa245026049add51619f696e52c155db9d19cec905cdc0abfae4fa962ef36782619f179e2252503ddfc3327543ca3bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1581bf67e9c1212c2480f744a55878fa

SHA1
89395023cd1afd8eef4253fcde583c92c7488515

SHA256
0e7f642d33c7f0ce7cad3703240ef0aabe69bdbf8101ccd48e39105b92a1680d

SHA512
2ae0a31f7b7305b642021ab60c981e1f4a508218faa9eef0c21a3423a00c0262238321e7a6699b38aab0a5372074cdb9ac3b58270a18d44919854099e65d8a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d167a74313b7138ba54edb431a261551

SHA1
edbd33d0180400389f4361263a1e8d2f9e63db10

SHA256
c71d72068f6e3b36b0b8a0857ca133dce7ec3920c95185b4ece2fe0b0aee2533

SHA512
3fcbe3f702848ff30aeafdd1b609dd206be7a56c3fb58fc6a12381594312f0fb94d26fb5c58539bb6a64ebba1b497535adc69056adaca5ac10687de341f89c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC1A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC5C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit