c4732374433027ca946478c475d71635c3da71b0b9af40964d9fa122afdcae1c

Analysis

max time kernel
68s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IP互刷平台 v2.0/bbs/1.htm
Size

496B
MD5

8fbdc282598a7ccf6ff892dd494ed555
SHA1

46a5d00dfaf596ed5372b44a2439e97f641f3433
SHA256

1d7bbcbe3bb82d1370c31c6db2a2800d53c3d41d307ff6db9603eb94a37837d6
SHA512

1322092fe0364bfde18c539578fe23fba9adbf447fe7f907d9bf26cf91194de5c78de304e55a8c6e2beb2cb94e67e38af0e062a72fec0069f16a0b8a0fa68363

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{326BCB31-AC01-11EE-B432-EEC5CD00071E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000025ee8568952fb74cdd171bc5fa4e87d4ff5657bb61c0ec5fa22bd02bbb7688fa000000000e800000000200002000000027056b9b4e5c3d68701ede389931b8237808c28057dea8e94899310fb59e5fab200000000762e3b44c70599fe07ac8f52232851a93758dfec92551dce61f98c884f42bf6400000009250c7f529cf6dbccaba04c89b40dfb224a025dd2d2a4222fb7e84b539b6b49353e8fbd99d23462e33d2fe42c045127dd88d3ab05a275553bd6e40ad44e686b0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fc46130e40da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000030e47be00a92ece975f7773dc208cb04de77f394f2c3a55e2165a124a8cddfc3000000000e8000000002000020000000cf59cd7879f996823ca00ba45f40d4f35de8b1f12b0f9bbbb366a2ef17c1c9ce90000000c48f0377782b036e470019e5493cf2eaed4f884dee8d47def1081af1e5d76a0095fba85a04021b39cb672915fd61acc1f1b7b63d3e86e1bbaca3f7533b68869606182ec9a46001b738eb59eb65499d02f522b8b21f5f24b9817b1f793babeb9f5f594ac82d4783e8a5338b38a02b4d76f7e37bdb31c33c5611509fb56b5412c3a43f67f7abdd4db86583a4fc2bddba724000000020266d52d5587538166192f7015ac4cac2500f6ac4630a4f06fe162878c292094a7451731e36dd7bae560e8d4ab75769d3927381c5c88a1a5916ac8175fb25ed	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3048	iexplore.exe
3048	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2708	3048	iexplore.exe	16
PID 3048 wrote to memory of 2708	3048	iexplore.exe	16
PID 3048 wrote to memory of 2708	3048	iexplore.exe	16
PID 3048 wrote to memory of 2708	3048	iexplore.exe	16

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\IP互刷平台 v2.0\bbs\1.htm"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
432a52e77e1f1a72269a8e396f1252a0

SHA1
24d3062723d38e068f97cda51c6d5bc8e91632bc

SHA256
7d4077615bc43826b655565c8fb1fa308ebcae6624db85b1d80a017cf7ddeae1

SHA512
8909e95c934a9a658de43caeac0fad62c7b5ee18d506d215d665b92d3c1b85610d229bb1e6bea2f7cf3b22c7792405cb56f6bdae949c003487dee400a0440184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3893d5f0729627e1b463a78a4571270

SHA1
90e3058a70ebddd1b9505d89d5060d8ca37d4179

SHA256
a3923f36d6c873ac34c0f08fbaa507b3801802d8f671e5e7f910aec26e7a19e4

SHA512
1ae5a54320ab34338b1bc035679900b1e85099ca0c562283a36d70b653fd7cc9ef73232f68c50a655a4ec64326cc162129deaf118fe99bffe8dd1a2141bca1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4f129f5f2c0510d245a2e1e301402b4

SHA1
6851ede1d4123c83e9104263139e36b26423e82e

SHA256
7c0b704a4b2d2e62182ff3a8e866785232701bdea661ae7babc0d9d531d13eb1

SHA512
1f0d6e7c31d0505e48d52a601730ebe0d2a58471704560bd3b51562a98ab21c410767c577cd7696ba473e0b8d26cb22f9a3b32e4f547e605cf487d6681c6bd09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d7df0a0313fd28e1faad800ef1a7d32

SHA1
35fd28f0332ed3c2e3aa7c2cc2768009c58dea15

SHA256
b5db92a0f4ace56564c6c95dcc06be814214c4023dd30042e52d60399fa3ff66

SHA512
4d97ce989a15d1bf7254576cb92e5b1e40bf344b9e7044ce6b881965c1d779c02a9146246c0d7d2258394c0cb29ab84fc8dce5b7767666eef8e39cebb5c8ad18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3443ee281bcf9c053f588c67cffda4f7

SHA1
d6fe384d5aedcd87e11feace5bfa69e825ba1b37

SHA256
9c85d5eb12b0dfe760a7b7275cc9644e3513ccafa959b0c8883edbf31205c1e9

SHA512
4b96e2fd4c4862293ef89dfe1ff3e40032ec3b0af8e84fec99195335acdfd53fb2fbe78d54c88e01ade25d8cac2577107b8c0b94bb3f5326449d1bd0db21f1c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22ab1ba679ce38f55ce44d9ac1b63dfd

SHA1
1ba1389ea099c74949045975cd558f6e4accc3b9

SHA256
7305f5d32840efa129b7fc3772e975f231a7cc3d1b00bce2246267cd7f869f70

SHA512
26c240f7ef0fb03c61bb67a1b63312649fe35a87d82103617dbc5310c4a0aaa45c6896ec63bf7b25db0c7cb65565480b43fe89559938846afef1b2f86b149dab

Download Submit