f811dce2898bc14ffbd5fa9ad41af3e34f72a3d3c8e455c0a24db18928445c13

Analysis

max time kernel
16s
max time network
176s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

youthblog/ad/ad_usertop.htm
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62BD7831-AB7D-11EE-A031-F6BE0C79E4FA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2208 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2208 iexplore.exe
2208 iexplore.exe
2800 IEXPLORE.EXE
2800 IEXPLORE.EXE
2800 IEXPLORE.EXE
2800 IEXPLORE.EXE

pid	process
2208	iexplore.exe

pid	process
2208	iexplore.exe
2208	iexplore.exe
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2208 wrote to memory of 2800	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 2800	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 2800	2208	iexplore.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 2800	2208	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\youthblog\ad\ad_usertop.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5b28cc972df2c08d3d730d5921398e9

SHA1
f55952ae20d0d0e136062d4afdfb7f9853701800

SHA256
79a4d041f54eb6290c7c360ef0ef20ec3b4eea385b5965baa0cdbb108d68bd29

SHA512
3e25c453275eee7a519bde42045d749bba227bd142ec8a2bbf5ec78b6b611bb2cd025f71d8cffedb9c8534877eba41dd12abe442c76a9260c787a1151f5baaa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e31a335532b5fcd790648361c41eb232

SHA1
4fb0caf73db62527058f47e3ad50d338e1156bf2

SHA256
6e8b75329a37434db63f19c931fcc71b7525cbea738b74dca92acad470565fcc

SHA512
d956fbdde0a750dbe226cd93a2d7568e62db99589b726721d907ab68003b5c3039ed5b0e2018bac76fa8762a7e548fe25ff973eb3a00a1ff04fc0afe15ff5eda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
088d83e6df8921d13883292f70ad33c8

SHA1
5ebe80d901e85789480259f77974b09c2035b7c2

SHA256
43373b2bc691a7c7ea491f6e6882005d744a3db0d81b955bb0e0a71a1d812d0c

SHA512
83cc9b1f2d19591601d338d815401b312fd0a8f818e5f878bb6dd828a529fe4ce74f4bb778fd742a39175f4c4377be3e74a7de05cfa7a2f0d86f5162ded568f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c97289a882ef242729de205b92a08051

SHA1
05541a09f977919488e3e3e5694ace3f78a5b04f

SHA256
ca16111e9b4c314f0472ec8b6e706b969560be5cf0a2f4e4966054b4ccd8a1b0

SHA512
8d838760892906ea77ff11f655dff34ed93838080a2bb7179b0f175a8ecdb943ed665ec12e635c1ee59a4d0f95c1d18057725ba38b60093e54e265ef23e44889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03934047ee675d4500ff94a290d544b9

SHA1
a76775bbb31067d3e7ed39f36e11d9afb17819bf

SHA256
7c9aa05943f3adc841ea33681bf740f626fde81e903a7fb677d154ddf62f8860

SHA512
c37c74527d485481d0def17f8aa42d8db0c196a4fd8624f9f2df5d427dc59ede5a52800b85b85722c54546bd3fd6f936297178ea3d534a91fdeacc668809b986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d43d26b059c17c1848b24e4fe289a35f

SHA1
6daa8ab176728a0bb908cdcde11cea7bec4a55fa

SHA256
c0d48c4837d3c22e5961b0a055df04a22de5003147d9f13debe8c4b4ef344d10

SHA512
9e16d3cbf9f74a79f4ea3fffe8d099b5637d874e94ef3d6d7d0f4f06a07d76c848885707971980c4ffa479faa9cc354e1b8cd6eaea7c4bbc987d6961d2fd69fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8933ba3383c5dca776431564e2ccd15f

SHA1
76f6fe129a6f51e1f1a6f4275e487ee8c315600c

SHA256
4b04e2a58bc7a94775cb4b2e911349e9a42d3e0ae397e599d8cb477172b68122

SHA512
031bb20134b76a67ae0a0d449e5c3e655d287c672ab65dc2e3f5e5262fa7860aa94fc8b79a8ee0a694eac99d9739cba9684250d1d862da91c42dbe4d498aa057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46d6d5984da4aa11089c15fccc95d319

SHA1
115dfe29b4dc793ee6c0c84df7beeb6feda83d0e

SHA256
03a47d77974fe294803c1d99138f5f18c15b988312f565747bf2ce8554f7dee0

SHA512
022a51b8e7cfbf6dc5ddb685dfb779346831ac765b23929cf948aee55a99538751846ad49a3304bd1cda1c5405de92c7576c510d7022bc314aca39dc6a6c209e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f06495778497c55cab4906249c44f05b

SHA1
4d97e3e9e0c6de0df2b248a0f3189a993163aa57

SHA256
fd4fcd7d322460961a0c2a6dc42958885a1b36dd0b2b5af56a3f303c7a5e6cd1

SHA512
2084bfc8d17c97c1bb061f3ab713f5a53b9ebe5635a64c360128965c5f3c26e7ba6c207fcbf998e5dd66fdaed35047fa8d4e6e6a5dac9c4c56105ea19fa7422c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35f7f21e0ffe93314dc3172aa8ec85f9

SHA1
fa546e363dd92ad89590cf9a1bd911a44c5f52f8

SHA256
df5d7e9f3ae3e15d5b8fb2df47adc1272ec2074c222218f71cce18b01042e79a

SHA512
5a379838b4e142e44f8216172f88ac19edc32804b3c3b514d0398d2c722f9f0fa51406e57dc48e270236aa46e8478da2db84ad6c0fd252c2f32103470b3e61ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9108cdcee0a8874647cf6ee115eff7d5

SHA1
d10ed214f7bf5a317df8f5b8543b7c1eeef85463

SHA256
a0c02df82a36f16bf3e132c9a7a23919bbfb221b56af22df024ae22d7c82eb35

SHA512
3264ba048ddb411177dc63b50b029aa7f8b85dea94b1527102b12a0386f2a4e13e5580c7b975f32244f31ec9b27208d3970117aa0391e93e794d99e80e881804

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c1ffc8152bdd817777ac108d0a6c223

SHA1
d369b899fb21488552ada23b1b06003c3d7de247

SHA256
327d082c18b10446dfbb36d3f51a2fbf89f8dbdd7ffbc6791ac586175434e52b

SHA512
39382d867f830052c3f8bf78fcde7af30938eb573a382cd67aed4754771344283b72644721c0587578634fefeb3234fd7458b021a377fb08466509bf618cf9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEC7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEF9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit