9d78796c2d3c581b917d4b46411e2cff25cf407427d772223b3d5ef4787e49f5

Analysis

max time kernel
144s
max time network
173s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

老宫在线整站修复版/old/HTMLEdit/inc/replace.html
Size

863B
MD5

f2e17c37c2af495c20b656a9e0a29481
SHA1

1e7c796c344da7d5620428055fe5a9f8f57a69c9
SHA256

9b17a11bd3b30fc3ce4adb11fc84189822a09add9c383892f4fe0b97843ef092
SHA512

e86eb6483d48d72dfec59ee3783a6e00314ad495f7bdbe5c23bfec90aeedec43bd10d2cc6dfa955f5ff98124cfc9a47ae57e4aa6abbfa24c5a6a7755fe6c86e2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d30000000000200000000001066000000010000200000001fbbf892b879b953a879ae8efa3b0640622b4ed8bd951233e7fd631102b6422b000000000e80000000020000200000002dc27fa31d897209ab98b4a81788194f9ec225a5c4c89935d4c1d230499bcd7620000000b93fe07b451b215ab3efe8c02a0c8df26100d90d617b478f2d1cc1e10cc94ebb40000000551c835f05cad4abceff612bc8d7eea2173249b551e30513619598ba1883ddd2d36a59e9b91e4183e7f7c1a881d26e4cefd4edd57f29386eec426fca167ea80e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d30000000000200000000001066000000010000200000007aec61115472fd253077596f15094c54dd9369a34da62784e2cae413d214647d000000000e80000000020000200000005ccb862a0bd99f7e107dff23d70d66d270db02b52825be9f833c77e17be890839000000086e81de33405be26f65962d1171968a4bd3dc0e38eae75ea14d6cf6fafc69522b7e5f85619c471666f20b28dd1027eccf89be2c009a2ad535eb437dd8d8838d5435f1c5f83691053e64f4c6aea1a021ab9adc8a9e662eaceea6fb64d374f29b2e6815e08334362def2c440763cccf5a500a0cfabdadca792a950a23a9f2212a7793bb15ae25bee47e935ccca23f60c2c400000007f054605ac2d14b7a0f37068aea77ef4ebc03058644241b8a3fdd9bd22e932a1f11a559be62c0d61310211e644e30a74bb553acbdc9b2f7a94a8399e20a1da39	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D00D9BB1-AAEA-11EE-B1E2-4A7F2EE8F0A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07f95b1f73eda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410525474"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2868	iexplore.exe
2868	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2600	2868	iexplore.exe	30
PID 2868 wrote to memory of 2600	2868	iexplore.exe	30
PID 2868 wrote to memory of 2600	2868	iexplore.exe	30
PID 2868 wrote to memory of 2600	2868	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\老宫在线整站修复版\old\HTMLEdit\inc\replace.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a991febca049cdbc371cfebff5772edd

SHA1
a9a826ffa91a7272fd5bd5833e3ed6e51bd7c873

SHA256
658da977f5e59f57ced93cb1f5f832a4a392839e6c3e50796b666c37313168aa

SHA512
ce4976f564b9f15aee3dcbb38198dabc952ad15b6061c80404b044a8cb86fbec407fdf9168e0fde6537e68a2c8d6147735726d195d489d429e31f59199e82494

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ea72da5b09ceb96638dba355b234893

SHA1
13fcf50ead04af03cc437cf17e11d803525a239e

SHA256
d26078e9be160c7b4144052e190b684e9abaf18dab7d44e33de393bb9187ec7a

SHA512
425d310f76147fe96b1d39598f458aa876ee316d0da9a7a22ee932fc218ce6c8bca5a8b0f423c853b7a29d45d936af6bf48644e42f542793aa3e5550dfa0014f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b66416e95ccd9e7de6223983f10cabab

SHA1
79de9818fd3d01231314a6ff49cc67d9cdcc864f

SHA256
86f620571fe138a40af30660918145eb9a165ad1d203302e657009cb82153826

SHA512
65d795bed051aae3728f6bc83187249d50a78a208466150632bdd72f0216e63f8c2c172f7b876a479ea55443f589115024e7b5402c6ec6414b34e2a499943185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b273469e025bdfc8fde39485e443e26

SHA1
e6adb418161dae46e3b744d38167566badc9047c

SHA256
16306723d89e39172da233ae12600bd4b7268d44abfe39f16ab7e34a2851e9f9

SHA512
3549fd7d322cb988fc6cd09b97cea5f48f76f435ef3d8bd9c1f4eb4bed76fa0f7b57ef9500c6a1288d7b93fcc7eceeabc79833c8071bfd04bec246e1bb6ced1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e989c109b425f7f5b260129112404b7

SHA1
84134af91661b9f597aa4a3b3b9f18c5e30a85d9

SHA256
49cf8d5503f38e258e5d411c9f4f6eae21d5e50d5d248c29c0fc219a712deb12

SHA512
f4c21bdb353f9bd4f3006e89b1890122d4eb2f37f7f260099234c3917c07504c610b8695bbcf86efef5c2365be4e28d4ad2b04b7068737c9aa394986065d68b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8d84904ab9958e9ef8eb1c77157bb2b

SHA1
016264160dc357a8d765e45f239158e96e67091a

SHA256
5b3b2be90448a13cbc12963f336ca23575bec8a3eb58453cd6cacb3566fd3a00

SHA512
495a2b27b55b352bf326ed1f12e19af078b092812a7b4e324bcd9ebc81043506ee1ffb76ab4fe2fe7a7d148923a1911d8ccd715ed7b37a4b66943f7fb3374ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18e7b0d68033d737dbe01d2b1390ed79

SHA1
5d6506ae07e0e13cdd6dd6a5d73bcd14b79fc8c2

SHA256
4c8b893fbc1de486ff2fc226d426dab5a1762d2cd65e9504863af6f786ca5c80

SHA512
2472ceb64bbc3f6a0bc88d21b42ec0d2a9942116759a4346d9da761261577912d08bad828e2df582d99d807f9cd806013fc656e319d86fcfea1aee8af6ded651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d35dd55be200bc086fe1ce1be897a6a8

SHA1
66a5bebbe04daeaf6cc33fc960968a9886740b73

SHA256
54659822796b10d2ef2b6ddb1d232fc9d6fa2f88405806e16daa5626ed186996

SHA512
787afbaddcc7bf7cf2db641375fb693393697961738c4fddc462b0f0377c7098154479070ae74d0940cd4e31a4aab2de010fde9cb0a306d818bd84f09ba0ae0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92bde6dcb32237734a85c661d82e0bde

SHA1
291c980212f08c03d7bceec687c8031e12d6deed

SHA256
04fb862cadbf68e4206b5cce42a61fabddb17e8f7818140f9877e9e3fad0f677

SHA512
265a03858a87b87c2e2f3bd5307ea4d4c76d25e29fa24c878fff522620462325c6ff5f920bb1203e4906b11527e5a800e32064a15f9384aecded26fcb99778b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0a3dd0673663800e4d72f97bc54bc2a

SHA1
3f0eca4697c3310f06d05dbc4114ea049cebc3b1

SHA256
e05e33ae0da48a0fb21a07a8ec488e1398cf403a176069cce7c241255579f353

SHA512
288da7c687fb088d0386e6d33327d85f2293a591d1795970d5ce81c648a67b6132b632b6bd6753c983fc64b6f8bdff9360c9b3c9e6ef7c02834677fc9f39aae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1f9f3b6949b66ac6943325feb63587b

SHA1
a46f77b816e67c42ea8edfac48df5f48ad6c267a

SHA256
3e620f825a447035bafb58ec6ed0fbc842c659100ff6b40ba50e7f34990cd901

SHA512
ba6dfadea74ee9dbd26644417b8ce281f52e5aa52172447704e6cdd292ba87aaf9b2a2fcd6dbbda21eb4b4930aa92a1c36bd80a09e68ff40ca911686b395ab6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d336aef48d166ab19513e17d4eb88c9f

SHA1
9bc80946922cae81be03e87e04cc1e797fec2301

SHA256
7b129943dd27fa246e064ccd33ad2704538c05399c15e3befb37b3216f0d99ed

SHA512
e663277e7b7d8fb07ea90f19fced55ddf0b9bb609a8eab5243b39721aa218891c015a4ab39bb15e4bcf0c9c861553ba98d1af1de7b9405942f171e3e6dee0c69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99458987294ad9dd95e9d80af6029d07

SHA1
db9b927662633264084689fb61fee8a8aa85aa41

SHA256
8f3234efedace0040741f3115f727db7e3b6ce36fe7a7e5b5f72fc10a98655c7

SHA512
aeb9fbac89a531e06637cc8e0d575d8ef1f07ee56550b305845b31bcdcaf1da4baf8a507e9dc94006ee0b90da617258a6f2beb2ebba70abd27387fb950dd8910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e76cd1687192580d40ea7d3f66236eff

SHA1
9fe69ac6f799ea9f7744ffa55237bd831f1cb18b

SHA256
4bc6cb5c0ccfc7ae077d0434b7ba2723cc3aa3d28012157a483a5a1ee145d68a

SHA512
382c6958a3ba88ed5a9b2f6d07f95850eede6059ad1111811487590c65e189560133d31b574386b85c49d82a477fb4d5f78c14ac82a9230dda611f67a7a4c221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
063b7869236475c6dcd12551d1efc832

SHA1
3cad3c2bdc9f5ffe87124051f88240cd7cabce16

SHA256
9b4f265a40fe8185320705cecae2e2a73144f751a624308a0115716a5e4dfbd4

SHA512
4fe97362b032b92a0da6297fbcd29c09d78740fda1230ebea7478ef064c7e38a447fabd5b21e6ae849310a24acd37a99cf7f9bb43aa1fb3e93f61561852ef0d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0639bc96b271876ed7432077346f404e

SHA1
223f26c2fdeb5abaaf9db2121acf8810eec9282b

SHA256
21b5dcce03310e9034402adb20d1367946b422cc4516074adee5fbad907b7f03

SHA512
fdff99a1ec372dc2b4532603325eff5bbfa52ab8f2e5b1895259c838a61d77c6a79745d6b8657488d5e14b31c453165ecafe0d21a94df6fc13d1b9f41def00ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab53DB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar54EA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit