e4aa3e66ee5ac310023a53b6e047b2529f85dc100c6a4cbc35ec05db0881dbb3

Analysis

max time kernel
122s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

43546c25a97c67895caf9210f291f463.html
Size

8KB
MD5

43546c25a97c67895caf9210f291f463
SHA1

d33b448003d74eae40f4b29e83f5c7fefcab783e
SHA256

e4aa3e66ee5ac310023a53b6e047b2529f85dc100c6a4cbc35ec05db0881dbb3
SHA512

2ab337577150b8b75de465d5e9dcfc5950004879603d80ba17f86be17a1ae9149495ff8e1ff350611f5427fff8ebf2e1acc965796ba9da27a45e320dff5cc4ad
SSDEEP

96:rgykys/Ef6KDf31d3gqWYTGAGvYGaGjAYGFTG8edZSl/H8zduSWahm5ZChhpcl:DkotDKjjNgFK8Ew/oMJF+pcl

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e9178664000000000200000000001066000000010000200000008e07215d6dc108b2a611b702f1d08573d74a593ea5a01b07ae7250f406e0188d000000000e8000000002000020000000adca63602f858f7fbe2c3a7d3486073e135b05281d2b19c0389bd75216e01b0f90000000e821fef7015f0d055d7d325bfcd7af123803212320e7497f43830f4d9e67ab7aa8da987e49563c461ba876588b548e4300e98bdc988c9738c4d949ca3bd9e3966ca686f728512c84111160f629211f28293ee69a60d1442651c20106418d74bf3a8fbc20ce4a8fd452a98135222de2f368379cb1fc9622f052be514a2ffff8610eac9a9e0fa14faec3ef682ec9cd112640000000c3d58e27e34f23a6042cc8cf7384f93da9281baa9b3ea611afd85b670300dc28b2e569aa31400db3defbab963522779fe793acfaade2932a8658538468d8488d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a9a6bd5638da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0720b1d8642c344adb870a2e917866400000000020000000000106600000001000020000000ee430d284ecf6e1ad741d1b0d283d3054935eff3445938a7a7286b5d607c4014000000000e8000000002000020000000627b629a6944ffaa3eaffaf8340f3fb8da3a025b13ad9ba8333c7a94a22681ad200000006d235e09457ff43dcf6940dd41d39101214ce7759b3ce85c7da4d77ca640253140000000a14578233edba29a56fc6c7a8256af7801f313a924545ff8eca9ee317ad2704d7129cb56146771da216fafa4e47fdb41b4431d05dd5b87994bd94ae431e50cb9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409796661"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E8B359E1-A449-11EE-B683-EE5B2FF970AA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3064	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3064	iexplore.exe
3064	iexplore.exe
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2016	3064	iexplore.exe	16
PID 3064 wrote to memory of 2016	3064	iexplore.exe	16
PID 3064 wrote to memory of 2016	3064	iexplore.exe	16
PID 3064 wrote to memory of 2016	3064	iexplore.exe	16

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\43546c25a97c67895caf9210f291f463.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffb30427009654bd5c0322408cbf53d8

SHA1
3695b83b8f5fce82259218f169a9bed8716dedd0

SHA256
6642811bb60066d59c164cce60fe95a95b9ff27e91bd35d15f0a4551e59cdabc

SHA512
bf608ab56f17d79fbcb88a1ae5da4ee7042fd44865946eb9f8956d746ce46f9a5dd5e4fb34afe71e579ced13b17b5f4ab39526ce6a49aae6babe57240393efc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3177cf7d95b680a2f468d1e6302ea1a

SHA1
e29f8f189dd82a00dcd3e01ecb0f46c62ba8e9f2

SHA256
c1882e5b01663b4986167c7d2cf501d81ddf6f8d85e41172b90282ce4ea3ff79

SHA512
8106e1521d7502add76d6f5148f98614c253a6f63c41ed81f971cba264f3d4c799eb0509c1c4150cdb773b130df71d499d95973f66eb1d11f843b68b67dba7be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
493ed0746d81bc73157b47d749afb27b

SHA1
be5b92707c2c5b01ee407a0b886af195d778d43f

SHA256
63a1c6276b65f8f94de4bd44c844d25a3eeb2215e12f5d8995555651304361be

SHA512
52f83ebff79f2d8e3fc71af605640b674ddaa6f0ad82ad623b406e90cf67ec89aaa00b13c0c76e0943fbe784dd938ff9647e1b84379d1aa21c8b99df79f81e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50C2.tmp

Filesize
61KB

MD5
64c4888712105a0bbbe72a482a491042

SHA1
d159bd00fbc1061e18b3030b9c23fd5c8730524a

SHA256
20e6f93bb007b96674d89c5f39b157f09980a9c29d132e1718644ef0f5fdb81e

SHA512
73d6df85e27b46a0d3f0586dcfcd9fa06df1af341f3e775da256a6ac9cde13339075f9eaed33ae97edafdf2234e94c3c975f7276efa565ceae5c45c413c883f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50D4.tmp

Filesize
18KB

MD5
e385e9201ba7d4afb229fdf690637375

SHA1
cc13b217947348db84b1219dfcce6cd2784a74c2

SHA256
2b7db3ddccd07b3c730227e25f33afd0f94fd8afc66e19731367a4b9cafe44e5

SHA512
f5e4fa413984e66353d314af8203770a5a2c3e445482b5d075059604604fac5e4e8eac12c08b031c430cd7c52da4b4cf007ced7e7183f1d3a1830aee22b0bccb

Download Submit