c4732374433027ca946478c475d71635c3da71b0b9af40964d9fa122afdcae1c

Analysis

max time kernel
119s
max time network
170s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IP互刷平台 v2.0/bbs/3.htm
Size

496B
MD5

8fbdc282598a7ccf6ff892dd494ed555
SHA1

46a5d00dfaf596ed5372b44a2439e97f641f3433
SHA256

1d7bbcbe3bb82d1370c31c6db2a2800d53c3d41d307ff6db9603eb94a37837d6
SHA512

1322092fe0364bfde18c539578fe23fba9adbf447fe7f907d9bf26cf91194de5c78de304e55a8c6e2beb2cb94e67e38af0e062a72fec0069f16a0b8a0fa68363

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d3000000000020000000000106600000001000020000000a5a034262776a8833042e9eab3029e9c8e6785956c362f551e1ac2b2891fc64a000000000e8000000002000020000000b012ab18acc6b99a263473eb28908b25b1e85a806615fa83b25eba58a9bdcc0b900000001c87b244fbb32f407ab626f9713d6fd5ce630be3311901e269067fbe688747709308f682d2508cb3bb6aabdc9ddcccf601e769fc6545880296379199630f26d2b4dc5ad4ade118042f4f2e8b5e7d65614453cde2fecbffb8ad9e84b6f5ab73423ea7d7dd5276ed5aa0029b2258493e9600e43dd8e7bd20a0bf4582e93de32d64862b9cd900da4002b5b6ec50c45002df400000005e013bce3ebc3f515613df319be8e3589fe01959168c4d97d7da6c57593b27ad5edcff75317381aa083f569ab418fcf91a2e4ad41fcf46177fa5098dde6fb2c2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AAA38521-AC01-11EE-A0A1-56B3956C75C7} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dcd4c448ce8fb42a8f577f49cde6d30000000000200000000001066000000010000200000008b6bfcfff4bd4edde9fa20710c1175ad439771997ca7be9a8a7adbcfbe5dae2c000000000e8000000002000020000000a96b59b7b081a7462008c5afc5afd1f7e5b23be3a679fa421bf7b940b114eb49200000002da39c7270bb43b99ffcbab8ff25f51179ca7f53fb5f23023479acbb87d31346400000001a3804190be570e3469a2d3b8f14805909e5fbbb8f5b263f78d7431052bffa179fe675f9b51f3c06adf35055949adc0dcbadc1097f0333878af687891ccd108a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4076759a0e40da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410645246"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1936	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1936	iexplore.exe
1936	iexplore.exe
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2904	1936	iexplore.exe	28
PID 1936 wrote to memory of 2904	1936	iexplore.exe	28
PID 1936 wrote to memory of 2904	1936	iexplore.exe	28
PID 1936 wrote to memory of 2904	1936	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\IP互刷平台 v2.0\bbs\3.htm"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
217627dd9857da4be74011c9bdd392a6

SHA1
d264ef9d9b8d0d58f5d50246d521025cc384effc

SHA256
fe16e89d2311cde2b1b3e97d7c5d2b81641d045e7c7e51d76efae2ddaa958804

SHA512
14980bec0333204268a3f93c4b97faad5f9d98b253854b94a33a42f5eb37ad849201afca88b1802657ea93c2a43722495c82b7f6ae7e4d6dd3b75b7799a04cc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2cf5e17f4de623506dbade14937e8533

SHA1
19a472a7ed0f04161951a8a469561cfc79d0f073

SHA256
f717dd01cd47cd61854f8e203fe6dd7035ed14e43794b9ffe3404b35658f6a7e

SHA512
c6df1ad0d1ea38f2c912285453dca2ecd43d0c8f068156545950a892b5f51ba690275d32e6acdd99e59854fdc04155fdc0df406d625c83ade78315cb87d6efa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9109208d8557040dc5d06a9d5d1054f

SHA1
f67f69f451720726c3f331d47de4a31bed261bac

SHA256
0c000ba08549b40c1cc5960742e3ce0b8368a4b58f90073fd006bbe0afaa9229

SHA512
ac6df7121a6e4d75de90429b808951f771ea6c44ae8f79bd4a1564ce3841a8e9e5a4289adf3af16335c5f5c3cd3c67b69c9a214136cb29e7953b849e7e9ec041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
868b69638a403363b65a6a280f761869

SHA1
bd596c65fadbef7ab5360d076ffaedbb2d3dd748

SHA256
717c0f2a8f57f51cbe270611e41e082e27137f447a40bbdcfea61c83f0f64670

SHA512
7f504ea4b181a074213e536ffdaed1ebe6ae85bbdf4e1d1fa6978aa174beb9c4453cf2ab42020bf2b6280a5f9d29052720169095fa85501858e9f326c4dd2e3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
302c1b2586c513afeebe6dff111dcf0c

SHA1
ec3197cbda782172400edbddc9f482e6404befa8

SHA256
607949956d1ad07c7dd5d4e7a0d813b9900a8ffc04673e2798b3b75e378957ed

SHA512
cc189b3de0a840df8e4ea62fb68715e1f7eacd2cccda9d69083394657b53724b43c707bb7d50686126c917c773c8187f5f260cbfc8a787a61fb1405157efee53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68527c93c98098f54076df191b375614

SHA1
d948302cded95a8ec34e314ec866e55bf4194907

SHA256
8a790cdcc7ec35ff522d00240980b8a0dbd7bf5367d44058523c0f6817c72973

SHA512
ffc44030dd2f47fa85971699ed645c35ee8b57f74f72d4697d8a6cdce5a3ceaccbf8bd99a161e737a18c0d864ef20a92a3923fc6f5956faa1b24308bbeff8293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
695b4ba089a0c9c9903ceb3194c29d72

SHA1
22f45bc074d17689bf85e452cbf3806c8f520ce9

SHA256
13b9cf108e1b8ab50f6863ff4c98f3f6f0ac0def72561ef5b7180783e4906201

SHA512
08081b110e589da4d42e22156db723a1449904fad36c656511ffd8baa320a19bfac778ee34ab0fee0f2c0ef10bc9e56ee861066379ebbed8b3658e8dffe723db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e50620c65f7b623ccabb8300c66f9967

SHA1
db6e8c1b1e22faffa71f33a06dbacf9db7cefdeb

SHA256
0029822279abc741997226778509ffb0eef32fe63cc9032ec828433505f51b8e

SHA512
2045ea67fe1009c206dddeb40b909c791cda475f441ebdb5a9805ab00fbcadf110c3579cc423ee72979cc68ec7826084f0621098a3640629f522b48ed18e5ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
508268199f7ae2d07ba74cce8e1be61d

SHA1
b09b4bb5d5b073c7b8e4653e19112ab236d7ad1f

SHA256
44edc5cb89885bb22c77e6300a2386d4c9d4574bbec09148bec433fb8365512c

SHA512
787ebc8a09e0d371685e976f6947d4b3b3f83939b24cf5be8a249127aeac029403916e22068289f7b4fecac4f3295df1354735cdfe4dc6b1ac5b968d30c7a64b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
acf760980f42f64d88900f95368a122f

SHA1
6b4a2395483a9a853614a0f709e1f422fb00468b

SHA256
ed1dad79b8af835d5e59e5645a9eccfe14c2dd917f5e98a2a20871a816b853d8

SHA512
29b913b1490d1f97f30cae4b74b409bd1bf15467504f5797b204e5598205bacabb7e7f0de6cfad5e8deae3c92c2a30d586e5eae65c66ab8a2575cea91677a00d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b13875f400ec788426ddf27b92cb657

SHA1
83f78cc3ab3f5505ff0d03d7ff8854ab9e7a539e

SHA256
5c1a80c051e79891ae879e636a050e6fadcef0dcbde4cff23069431259987940

SHA512
230011e41fc2aa8c7c4c6c7c653d2491a66393dc78634bb5303487273abfb36c826614011ffecdf999a9efd8806119b0be1a7e0c78bbadc4824c300408f8e02d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2463684decffc1dad3dbd682cb365fa

SHA1
e39dfe1b656c37c0d63ca61f73a56c0c22b9346b

SHA256
c9a4741210a50204cad0f9181c0e3535682304cc4504a31da149f2bf3d4b3f71

SHA512
85cb67f44a91762aea18ba016bb089f593bbcaa4e2091264873a35b4c546ffe524d6d2a8a3bdcc82478dd2406f3b1ff34356638668e98099f1a90ee043da0d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adeb5ea7a2bdf26ea475d39cf7b6ccfa

SHA1
4e07caca78a03854797b10eadd9396850b489462

SHA256
80be8cfb17cbd992fc8f9958a95738b7f779a42b01c28a16639285cfb5789d44

SHA512
04d2991e9aa640fecc52c4a05aa634aecaa2f8073d5d8dce1e8af037c337af3d1e90317a4fc745b75ad5b6128b349c3ba0a2b38e3c06e535455abe56f0205691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
317383a98e681b1e88ec7b0e60c62899

SHA1
7cd2a186f2f9f0b72c9906f1d5ed6f81d7dae8e7

SHA256
4b4c674d856379969068c4a7efc702a15e0c0a90cdac5c48ceecd0d0a33013ad

SHA512
4c3b8e6e796b5496425b8224b5b7350f4cef5cbf2201f40aed0f729e44254a1b96bb556e6cd80ebb64cc5be6eb9a7c2c566c75be4d0ad668769d95e930c72cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1af5ceb2fa19ed5fe21c167fc7433eb

SHA1
dad760164ef836058de75bbf361acb49bd8b0e3a

SHA256
93f27b860c5401269d87162d8089d30c216bd8595ae5565bbb2fe4dd93ccb3b0

SHA512
44a367489c15466cc1ad37b2db1ef0622d25244428a8a9166072006d310959e9075679dbcc60087c6ca94f0e62388e107235e899ba6a8cb3563d3eadc865b252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab86A0.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8B64.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit