84d5868bd43f39df4aab9d0945a8f3c476e43a069f4438927ce5310a129e91e9

Analysis

max time kernel
0s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 12:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eac36ba6ca40a5c4f18d8b6e224a6d5.html
Size

3.3MB
MD5

6eac36ba6ca40a5c4f18d8b6e224a6d5
SHA1

0493dd2df28efd0b3ca456babfa7b1fafc537244
SHA256

84d5868bd43f39df4aab9d0945a8f3c476e43a069f4438927ce5310a129e91e9
SHA512

8b24052a86a59f41b289343230cde92bcfc9a2f2d8f561a9e4d2c96f147592458b624d1731d99696bc74240a90d1baac3f6a425a5a493d60fef725df070608be
SSDEEP

12288:jLZhBVKHfVfitmg11tmg1P16bf7axluxOT6NGH:jvpjte4tT6QH

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93E46881-A504-11EE-AA09-E6B549E8BD88} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2392	iexplore.exe
2392	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3016	2392	iexplore.exe	17
PID 2392 wrote to memory of 3016	2392	iexplore.exe	17
PID 2392 wrote to memory of 3016	2392	iexplore.exe	17
PID 2392 wrote to memory of 3016	2392	iexplore.exe	17

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6eac36ba6ca40a5c4f18d8b6e224a6d5.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2
  2⤵
  PID:3016

Network

DNS

ajax.googleapis.com

Remote address:

8.8.8.8:53

Request

ajax.googleapis.com

IN A

Response

ajax.googleapis.com

IN A

142.250.200.42
DNS

pki.goog

Remote address:

8.8.8.8:53

Request

pki.goog

IN A

Response

pki.goog

IN A

216.239.32.29
DNS

pki.goog

Remote address:

8.8.8.8:53

Request

pki.goog

IN A
DNS

pki.goog

Remote address:

8.8.8.8:53

Request

pki.goog

IN A

Response

pki.goog

IN A

216.239.32.29
DNS

pki.goog

Remote address:

8.8.8.8:53

Request

pki.goog

IN A
GET

http://pki.goog/gsr1/gsr1.crt

Remote address:

216.239.32.29:80

Request

GET /gsr1/gsr1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 889
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 27 Dec 2023 21:49:13 GMT
Expires: Wed, 27 Dec 2023 22:39:13 GMT
Cache-Control: public, max-age=3000
Age: 1208
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
GET

http://pki.goog/gsr1/gsr1.crt

Remote address:

216.239.32.29:80

Request

GET /gsr1/gsr1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 889
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 27 Dec 2023 21:42:04 GMT
Expires: Wed, 27 Dec 2023 22:32:04 GMT
Cache-Control: public, max-age=3000
Age: 1637
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
Content-Type: application/pkix-cert
Vary: Accept-Encoding
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

92.123.241.137
DNS

code.jquery.com

Remote address:

8.8.8.8:53

Request

code.jquery.com

IN A

Response

code.jquery.com

IN A

151.101.130.137

code.jquery.com

IN A

151.101.194.137

code.jquery.com

IN A

151.101.2.137

code.jquery.com

IN A

151.101.66.137

142.250.200.42:443

ajax.googleapis.com

tls

2.3kB
38.3kB
34
34
142.250.200.42:443

ajax.googleapis.com

tls

704 B
5.0kB
9
8
216.239.32.29:80

http://pki.goog/gsr1/gsr1.crt

http

351 B
1.8kB
5
4

HTTP Request

GET http://pki.goog/gsr1/gsr1.crt

HTTP Response

200
216.239.32.29:80

http://pki.goog/gsr1/gsr1.crt

http

351 B
1.8kB
5
4

HTTP Request

GET http://pki.goog/gsr1/gsr1.crt

HTTP Response

200
92.123.241.137:80

www.microsoft.com

152 B
3
151.101.130.137:443

code.jquery.com

tls

2.1kB
39.5kB
25
39
151.101.130.137:443

code.jquery.com

tls

844 B
6.4kB
11
14
192.229.221.95:80

46 B
1
192.229.221.95:80

46 B
1
192.229.221.95:80

46 B
1
104.17.25.14:443

92 B
40 B
2
1
104.17.25.14:443

92 B
2
142.250.187.234:443

92 B
40 B
2
1
142.250.187.234:443

92 B
40 B
2
1
104.18.10.207:443

92 B
40 B
2
1
104.18.10.207:443

92 B
2
92.123.128.161:80

92 B
40 B
2
1
92.123.128.161:80

92 B
2

8.8.8.8:53

ajax.googleapis.com

dns

65 B
81 B
1
1

DNS Request

ajax.googleapis.com

DNS Response

142.250.200.42
8.8.8.8:53

pki.goog

dns

108 B
70 B
2
1

DNS Request

pki.goog

DNS Request

pki.goog

DNS Response

216.239.32.29
8.8.8.8:53

pki.goog

dns

108 B
70 B
2
1

DNS Request

pki.goog

DNS Request

pki.goog

DNS Response

216.239.32.29
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

92.123.241.137
8.8.8.8:53

code.jquery.com

dns

61 B
125 B
1
1

DNS Request

code.jquery.com

DNS Response

151.101.130.137

151.101.194.137

151.101.2.137

151.101.66.137

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.