hxxp://kdrcloud[.]co[.]uk/game[.]php

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://kdrcloud.co.uk/game.php

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0805862f329da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000007b259ee741c6022ce535aea7794b8e24320faff5b376e4e4d4e314d66ccf958a000000000e8000000002000020000000783c4af6bb1222de3eed137ba33c07040ad3ef19d8dee0d5cdacd50b634eff8090000000246a7dc67b306ee97e6950b32505535538f9eb597e3a4dc70b8e968d119b727094ebdeeac911c23575fbfcec814d062d62e0d40b63a5a1268f8c08564ae3a7c1195d1cfeb147e5a8d2346becb814327b9dcebd38a111f80df9fe98d135a68d6dd9c34bf43d81524113202c126260b351d18b5f14421e8fdb197e545e012aca9ce617f79c4722ae4759f33b64d66e243a40000000ade23bf2a803055ae89b8bccd032725ca1f1f7bea27c9f5f888c07da153cb35ca21021f26fdb6115b78fcbab474d60729ed9fda6760cbd05531603ec8cacc670	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8CC1C571-95E6-11EE-B1DD-C6C66E3C4B36} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000bd80dee6989980c825f65dc7812df4a5deff62292010e43654683a02329997a2000000000e8000000002000020000000156e1d814ff355ed2160ef84ca33730ffa74b974d552870f32fe4ca33882169220000000768e9160096e67833077506ed571da74227ceaa90d80efa692022189a3c9bbf1400000003b7ec4ca0419314e5122af2e9af9cf66de6a7883d6e0076e8ffbc9dbd2d653250ebf864ef3de312f22ff5306743d5f1b120dcf81b9ed179e54102d0977ad30ed	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408214662"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2136 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2136 iexplore.exe
2136 iexplore.exe
436 IEXPLORE.EXE
436 IEXPLORE.EXE
436 IEXPLORE.EXE
436 IEXPLORE.EXE

pid	process
2136	iexplore.exe

pid	process
2136	iexplore.exe
2136	iexplore.exe
436	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE
436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2136 wrote to memory of 436	2136	iexplore.exe	IEXPLORE.EXE
PID 2136 wrote to memory of 436	2136	iexplore.exe	IEXPLORE.EXE
PID 2136 wrote to memory of 436	2136	iexplore.exe	IEXPLORE.EXE
PID 2136 wrote to memory of 436	2136	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://kdrcloud.co.uk/game.php
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e123de2c4575ed0e5d5176c6a3a215d8

SHA1
51e7f0293cb71d8ae91b258b8bdbbbe2fd0944b5

SHA256
7799a39916506f9a52e3c304429fec2a6a7d68444601d6a6c81ee47a260423c6

SHA512
4d56e09b0429a5e5186e0be1c6901355e529612619057d59b6c2efe57d820c70289e90cd0d037df6c13d1ff68a4332142c6ce66856e3eb234f9800880f08bdad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5273f8b070077e3997bc500cd042b552

SHA1
b47c9b8de213990768f2ed91bcfd1c500afad6dc

SHA256
2c7cbfbe77327628fa69fbbcfea3c22f67f50e55d13193832b0682d1326801a6

SHA512
4f4d43891b2522c12c189040ee29d7c2590bca54c38c988f499ae2c6147ab4a31e0840ac343f09a8e417829f6c300248e8a9acb088c9a83b85e26887a3697868

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8063304de4e32e8896b2d7d1c5d1aa52

SHA1
3c1d50f99c6a0c50d40bc881672a6e141793e45f

SHA256
3abb2aaf25ed7d96b34e770faa57a666843053a66c6a785969e0f584ef152939

SHA512
4e8cc24b868467fcfb274d2452f0f0c95e46783b2a0caee841bdcf38977d433e1a0d71f380e5b5e8a4d1af28e9ab7fa619242aa87eec1c5340f2d7962e2ad85a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8244dfd45f351b4112d28f882f4376df

SHA1
00b00c0594de91a796e7c934ac0afa36049f309b

SHA256
417a839e5b3a342836b9d38be67006704e6d38322e8264b793babf9c809c3159

SHA512
cd8cd6cb3deb158986c1decee404277b7b773aa19f38e0ae405c0f54c4c6306021e3ba7cd3dfaaf682976fa9c7a7dae829f37478813ca9a9406c1fbe327dab7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
048590b8eb1ff01df4170228e70d52dd

SHA1
2fca540de2735cf53b2aed1d9ad5c9427be67ac5

SHA256
009670e711f92e15b010ec111181c155295a65020ce84f4ad3a6e34742396105

SHA512
94e5cbc0460c1d8131343009ef09f258cde68a7bc0bced47f9c1cd69497a88691fb4243a9531c91eafa3ba1cdd7dd9d3109324fe522a120f7371392d0bde7cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6e2ec8c45c3faf0f2fe5a0ee5d0a714d

SHA1
4c6325e7252ca440a2cb7dc541d618a8f653f504

SHA256
f8c77619ff158bd834e762d21df2f92d17fd0170246f649a1edd95ebcbf35906

SHA512
af233e5eb34ed8baaa25c28f84b33db0f5f4b59d9ae5099a8f887328875a32bb3bfb641b53919155cdd782ac26de913830d406846d739435f9a69461ade43bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dc52eaa62029faa6aaa2e4e69cf769a3

SHA1
89dcb9950929c3e77a725ccec4764428f3112361

SHA256
9486793d7629bbcc3f2d77db9aef394913360090eb543309cca56e1f053023f4

SHA512
0fb48400c7726da8d9d78c204a19daa33e8447b921676164bcaa028ad8a9dc559f724e877cc97530366306377b46841b4bf21d4767ba02f36c5a2107d452ea3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ea80c352b7617c9da68f591456f7429a

SHA1
982ec0251b087006e62ce96fb3359c7caa0799b6

SHA256
69f2352b8469e6c2122e230ae60a01532f72224b90ae74defb387238a26c128c

SHA512
099fd0d0979ac6154a82b1a77e07fbe10da1d4508be92cf7a67802954307c5748ebaa5fe4603aad93cf98174607ffd1fb8bba8eeca025a2254e38e26623eded7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ac25c55cde167abf31c5799b2ba64cc

SHA1
e56a254efaf94d4d348dea8c500197e311749c9c

SHA256
5fc6bd1fae33023b43ccb1a28a6954af68aa96d57e7f5b718b1ce681fc8d01f7

SHA512
739e8f64d81b4da49c7025e52db0028e2491148feed9d0296705d86933183b1e9501d8b3c80198fb81d3f2120e776db35677eb109825fc4cb01d40907b8e3e30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e7ed775c510bd0e03cf22a6bb65460e0

SHA1
d3982c88ae7ae9e7fe54c29c2610c59cd4adfd46

SHA256
a36a4e8ca0d8a03f1eff19f726db16622ee2d76a90157ce7f19cafd1c238109b

SHA512
30278dd77887cb7aef85cf45bf6281586382cd181cb5c567b37808abed40042e66d8862dcbbdd250f8c88b1b16dbb8c9b435b0c829d11ff1746f666cda5d3252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b6f562ff4c11291cfbf60d044dbf61be

SHA1
64611da80bd691c7c07a02e6917b8c905db335ae

SHA256
11a41ae50db3f721c17a678f2d1d665bc9166aa87459910ce02da36afbf6b2b5

SHA512
e671e9976fa20f5a63302f41e917474d3df1bf028a04ac1c6f82a7fdba107d15e2f93e69027b2c78e2c9683aa740b7efd91ebedd3f43786fa1937680a6730949

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
344756e4478f108d1b17752debcb854c

SHA1
ea34c51d6fec09b0224faaf6147254d20d153d52

SHA256
6b8c1c684f5162aafc15732d23e6b3ecb42e33991294bc522edb1a2a17a802c4

SHA512
f3b938f5a741eef48a6fa29f468825057a8358e674e9033136e9a50a37f4f2065a9a742de06a255d199ab4b3cd0b854d5224078b95b276a026a610c3ed4d30fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3c99941b95a69b7a0f5865773cbe3ac4

SHA1
307aa8f5d86152721077b57fb39969119d0039ab

SHA256
4466a54e48b09b18c3fdcd02842309426a3482ab339ad46e3c91809bf326ccea

SHA512
6aea8ceda52a7939c7524e9d99fb59484dc04804871ce3f79780b992b7b494b63157dfc4d34adf40ec22bccec00a242e5c6ef75a2efaa3def8216ac3faa38416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4607bada15bb7df6c63e6e959c50cb2f

SHA1
d371abf48cbc6e3102a1dd07c0faf7bf86def7d2

SHA256
477b735ec138c1d0837c2170aace4901fab78c5b0697b09e23fed7824ed8fda8

SHA512
b5ba58e9ec4ded65d6503e9650bcd706acd7319f434581970790e2152f677e9bb6dfdfc2f579a8e88360187a085414c3d87353d7457fe0747064a2c853c07508

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4f57ccce2e80c07ddb09028d60af6357

SHA1
d16b9b1651b309e3a0969803b33dcd2c6b64acf9

SHA256
be19a11cc5eb057dd2f2830a77ddbbc26a8b61bdaed95154ba715783def90185

SHA512
955aaa2d1f4da4bc4975958542e434ba80cbc46cb464b13aea30c9aac36f02c9f626acce5fb30bb27bc2589678bcae2527ac570f01848b86b6aa31dce0786c51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6f755af8a95e0ffa144eff33fc257d3f

SHA1
e7602c377b2a1ded46486f1d04598b8a6ee8f657

SHA256
578e63e88fce5a22ca16406ef209c30f7bd8bb0b2e5604c5555ccee6994c6d79

SHA512
b58413c4ff0dfac7ad1cca3dbe00ce0e65c7bfe1273c61ccbd813e516df3be3c51fa55a383683c1009300601ff8e15d0903c0dadc1a851f036e07550fa0be232

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eb19525213db3924899b3a6f1c127b6d

SHA1
49d2493de5d9c12d860408b5f885a6a1fe46cce9

SHA256
cbd016fbe4a157c7acba63c12714568db57c6232299d84bb51013b679a162d7c

SHA512
acc818c0efbf561f48fa01a3784fb6d77175f7e31da2c778a63163875685714ae024ed8ce08f5fdacd22d36abf587d5bf86ae97e7243e2a59fcc792f9c1c4af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D2A.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F75.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit