541d4eb22d645ee6a7f84519078bbe1b4c5e36f4f419576675fd0800d8cee9a4

Analysis

max time kernel
186s
max time network
192s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

广捷居程序gjj（去后门版）/wwwroot/ad/468X60.htm
Size

544B
MD5

f0cdc6f1abe538b439130dbfc4cee232
SHA1

31dc9dcce808edf31ddf293de045d4ec400af49d
SHA256

956e29c143bfa6c5d69bfee724eae446ba25eda61f61bb16228f37193dc496e2
SHA512

29af9f0ec81d10616c782e2a6aae71bb097ca6c5c49e5f55da0a07ee7289379b359cb9d9a780068166029896d94d68c2fb8c99c048700b9328ac2d31e529592d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AAF53F1-A6E8-11EE-B7E3-EE9A2FAC8CC3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c0000000002000000000010660000000100002000000044c75e57354669a0d300facb253cc8e1c897a242778aa999215333e427272a2a000000000e8000000002000020000000b3ab2543923d93dd234e587d3a109bcac21ded159b687e5d26529cba60604ec290000000ab3544d16ad5010928f82f5e59a073bbb1b468d4b15fca56f08ba603b9de06577d9798fbed90fa8ae72181b8e4bc74d04ecb00ddc4cd76f110c963457972d1e2d39449d5c609550d4e434069285a0ae8bb12564c88beae29ad32949fbacfd63cf341e72b9c8a6c6f0fdb7c7d49ade00efa143438d30126350eb9f133649604e932627e075e826c3ac82f2ce73b22ccd640000000772079e6d5ce77a0e3d4677ac5f1d3e60cfabdaeb97606cf45a085a504006a0c52c8987abd06e05f0706e893a132c060ac96230e2e2f8af8274a2b751477f180	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2016d8e0f43ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000580e1c8c6faee54b80ab28599b83677c00000000020000000000106600000001000020000000e47a57507f0c512f6e39d4478c397ce2fccaa69dc9269ca2c3168d0403763d88000000000e8000000002000020000000305e5258f91577b00f6b7a0556a7e52037d583a0c39868b7b7075c9d63d10f272000000066d078761b36bb1e0cc2e7a931fb4228a176dc9ddfb05a2012f3c327c68b6f0640000000cd5ca34b8d7fa7acfb2bc6c65bd6c9b31bfbb912bf52c4327900fe22ffba271bf505a79d70b3d706fcbd74704d8996cd54eb07b6465306c67b4cae31fa028369	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410084479"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2832	iexplore.exe
2832	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2628	2832	iexplore.exe	21
PID 2832 wrote to memory of 2628	2832	iexplore.exe	21
PID 2832 wrote to memory of 2628	2832	iexplore.exe	21
PID 2832 wrote to memory of 2628	2832	iexplore.exe	21

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\广捷居程序gjj（去后门版）\wwwroot\ad\468X60.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd6a54bba81eb2c39e86669ace3057f6

SHA1
f0fad52a183cb52da46875ed5441dd964fb03126

SHA256
a21c2ae13d8216b0431ea0a91ae3fb7c106fdc9a516871f6371482b93fd3ecf2

SHA512
0ce96fbe5e69ac0821ee548159601d0f35d652f0f711082ddf0d9c66991c6dec5d2394e01355696ede7e9967e1d141ffd28f8ecdb6edccfd02f3d87b52bd5592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89234b1a0846d53c8ca0770ca7294d1d

SHA1
1d644f2370d1a8aa49da6b9cddf1391a9464e378

SHA256
0d31094a012bc601897eb3a4c097aa6e4dbbe9c53de5eff0470db41f8902e723

SHA512
2f29f67133ac84f4f61d324eec9397deb166045d1c893418d80e019f045a2a7420c4562b7fa05624cf7cd88d69c194662fdbcff5c18d642e50256d58578f2b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c78a3b0db5e97a67e997b5140b3b76e

SHA1
5fc2310461fd3df943fc02e6d23230c8dee4a867

SHA256
6bbfa1e8e4100a254a6be3166e29b4e1088cee4200abdfe7f9dfbafa236c2d42

SHA512
c5a5d88415357d8033a4228bec8c49bb1a638230a0f47c531d904e58a0d994543877e1f64fd7c29674d55e98b60fc4c8872f229c51350a8a6112d12b754993cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6528d8954a46f8aa03b244fcd4898b22

SHA1
5b379e258b575cf4bc28c32f9d56cd4e9dd13e79

SHA256
18c37eb9ec07007bac4bf3f56a9c206b4fd546e1c124c18aa7b9096deefffd8a

SHA512
46361461db53124dfa6b36de71dc9f87eb59581b70da9b19fb543a3edd12a870cb77066689204390a510695fef7502d042d45dd129c2ac5b0a34af4579106fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar106B.tmp

Filesize
148KB

MD5
483f5a88d959aac7ffb26771709b8ad6

SHA1
3ecc85e92c846131c2e0c625475d1786b324c2d9

SHA256
dcc4bc3c0270dfadd7e3976e4f9e330870e53bb13f4f50acbe6530ab701e8788

SHA512
23119d90fe13fc5ad82006678c78438c9f18c72499f9a8ebb80dea84f45e4837c5ba5f6f7cc3d410e1f5308cd5b85ea163bb74439d1b229d3ada15ba2624f4be

Download Submit