Overview

overview

5

Static

static

1

sample.html

windows7-x64

1

sample.html

windows10-2004-x64

5

Analysis

  • max time kernel
    58s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/01/2024, 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.html

  • Size

    45KB

  • MD5

    9592146a8c930c56adc011f65c1b546a

  • SHA1

    3a2f81c776a588d70dffb2b173c7199a77a17b1b

  • SHA256

    a3da0ea84a9eb15e0accf16f0abfede1f937a602af3badb6184839ebc26149a7

  • SHA512

    3967e24a480b632c1f92ef7fcbf0cd8e43d01c05d373a9d5fb4379c7a186413913e840f62bff36eb4b6fe9728d81437bd803b7875f61fe30d38865bd4317595c

  • SSDEEP

    768:qCsf8CdvAjCsEMQyAAgJtA2VpMM4h9AibbUebnQUfSQJfvIqAmGt/MDbaw/oxzRv:qCQsguZei/tpIbmKMbo1RVMG7

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\sample.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3320 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\msdt.exe
        -modal "786498" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFF7DD.tmp" -ep "NetworkDiagnosticsWeb"
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:5068
  • C:\Windows\SysWOW64\sdiagnhost.exe
    C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      2⤵
        PID:1044
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
        2⤵
          PID:1804
        • C:\Windows\SysWOW64\ROUTE.EXE
          "C:\Windows\system32\ROUTE.EXE" print
          2⤵
            PID:4208
          • C:\Windows\SysWOW64\makecab.exe
            "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
            2⤵
              PID:3692
            • C:\Windows\SysWOW64\ipconfig.exe
              "C:\Windows\system32\ipconfig.exe" /all
              2⤵
              • Gathers network information
              PID:1432
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
            1⤵
            • Checks processor information in registry
            PID:1556
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
            1⤵
              PID:4152
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
              1⤵
              • Drops file in System32 directory
              PID:4556
              • C:\Windows\System32\rundll32.exe
                "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
                2⤵
                  PID:3704

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
                Filesize

                4KB

                MD5

                da597791be3b6e732f0bc8b20e38ee62

                SHA1

                1125c45d285c360542027d7554a5c442288974de

                SHA256

                5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

                SHA512

                d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

                Download Submit

              • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024010814.000\NetworkDiagnostics.debugreport.xml
                Filesize

                209KB

                MD5

                c77173c63cc125f7f542bcba9c12a263

                SHA1

                6827691bcf73191a741099159be2de306909537d

                SHA256

                206458fa479259e0ced8363b2a549437b767defa2e56a54224406213ef4a2a58

                SHA512

                80bf020e08acdee8de6812932f3e902351d0c0e3441648482fdb2fedfdae3f556644ce7130c3c5dd372b37fcd98a0dce3025951f8debddad3ec704ebc706ac7e

                Download Submit

              • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024010814.000\ResultReport.xml
                Filesize

                37KB

                MD5

                2be61998b95c57554ac4e3157af2dfd4

                SHA1

                2b5c9777d7174c34f986ffbe54d5c68339c3ac0e

                SHA256

                fdfd86585d33a0397dcb62a14cef33afb22b6805f3cdcda612ba4fd7dfe12007

                SHA512

                b7098b8ff43fe8f8ef2829b2a1b5050d73e3d24b03471fc571e3047088b40a4ea0f29cae2ab48d6fcda1989894caf397366bc46c3536d155ee072539387624f4

                Download Submit

              • C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024010814.000\results.xsl
                Filesize

                47KB

                MD5

                310e1da2344ba6ca96666fb639840ea9

                SHA1

                e8694edf9ee68782aa1de05470b884cc1a0e1ded

                SHA256

                67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

                SHA512

                62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-01082024-1456.etl
                Filesize

                15KB

                MD5

                6e46ed5d23144138e7160bd4022e5d90

                SHA1

                a00fca2be2e168a1866c6f0999906aa097e852cf

                SHA256

                11c29b04d648e154f652b00b5873272f6c25614bea428542f115eae3bf6a387c

                SHA512

                3a839e2e7c891bcc080f508dc57794ba9819f7ee331f8d7931a2b6ddb4e8d59e8c769a38dfe97e9fa226310d8cdf02c52a4c08a514b2231936dc72c2c55cf22a

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\suggestions[1].en-US
                Filesize

                17KB

                MD5

                5a34cb996293fde2cb7a4ac89587393a

                SHA1

                3c96c993500690d1a77873cd62bc639b3a10653f

                SHA256

                c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                SHA512

                e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\NDFF7DD.tmp
                Filesize

                3KB

                MD5

                152baf1b6df3ec6b64446e53be751028

                SHA1

                2d28a7592da1da19632799f5f16baed9ff22a098

                SHA256

                3a610578f583beb0607b598e8be6280469d34d2ae3a4acc25762a36dc3bed730

                SHA512

                a743875d61823703c9eb24ac4440e5a7e4146d5ce09e679eacbe55100ff2027194fdff588acbf71919f4fa9da557b0a21693f3586e83468e4c4e77d5ac23a3b4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vztfktnl.ymw.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp\NetworkConfiguration.cab
                Filesize

                1KB

                MD5

                b314fc6410233434005f5d81ea96bf97

                SHA1

                41222f24896af9ecb42d5a8578c8a748ab65ce9c

                SHA256

                4dc74ef85f707d82df6f986f15f6fe01f24d3a5d6fe8db88dc085b0b647f5e1e

                SHA512

                664e4f0e696259e3d7f2dcb91d2fd61205fc55be7acdac2586ad7ed98a6463694f702333f678aca0f90487e6fad5ecbc47ee5a46eb853c66acfa8cd27624ffd9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp\NetworkConfiguration.ddf
                Filesize

                231B

                MD5

                00848049d4218c485d9e9d7a54aa3b5f

                SHA1

                d1d5f388221417985c365e8acaec127b971c40d0

                SHA256

                ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

                SHA512

                3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp\ipconfig.all.txt
                Filesize

                2KB

                MD5

                840e3dd0e05cc190a726cadb82bdb82c

                SHA1

                e2ae8ad03c8ce238b55ad4245bd3813c25840e4b

                SHA256

                d823d6e163ff1735bfc0fee6eb6f980a28e434466345c5e421d276e2ca5adf4d

                SHA512

                250766853d11099bf16bca0b349d8d976b6f835b9dfda8db40da6aecb92704f8babeb190a31011396989b36c30bcf8c083af7f7592521b6bb8cf30968669a178

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp\route.print.txt
                Filesize

                4KB

                MD5

                c5a8c938f0c2863e1f0f8b44a7e1797f

                SHA1

                4c741d5bdf4634f3912c52dab37f2add67bd3e29

                SHA256

                59671447e4ddb790f0442011c43c61a4cd0fe5aa2f3e298bf7b612ea99f5584e

                SHA512

                969f41bc1bfde8d458c07b3d15decae52190d2e3b8e682c9ddc5145ae250c460d122c650ecc26b23e3745530b2a6b10d29f2e2e73b6895c189cd023aae566651

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp\setup.inf
                Filesize

                978B

                MD5

                043f011154ec41f4f2ba32121378b8fa

                SHA1

                6760db006daf26203bef1c52eca5bf288d04d2bf

                SHA256

                4bbbeb6125214c034d710f94a22bceda0b23586669f3cd0b854f39a92c05e566

                SHA512

                c70e56f74e6bd4c7a4253712e97ee7a439d5785dab7ca16522761835b0646fe8152065f3a55c180a9b17643323950e582b6bc6b3358ea392bab8e585281bcfb1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp1B43.tmp\setup.rpt
                Filesize

                283B

                MD5

                c1ccabc9226bfb6a41f8b5d658872fa3

                SHA1

                560eed367f662fbd25d75fb737067a3cf5222bcc

                SHA256

                f936ebb9deeab8b23c8844a57bced581732902d95d684e9eb4404b6fc1f10470

                SHA512

                d1ff8c4258204efccf33775afc6a5cd3a8d2a060be4a91be7c8c875becea09464e7095d14d6bb728a479047e2cbae85ac0496fe518efd2217ba1c40990deb597

                Download Submit

              • C:\Windows\TEMP\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\NetworkDiagnosticsTroubleshoot.ps1
                Filesize

                25KB

                MD5

                d0cfc204ca3968b891f7ce0dccfb2eda

                SHA1

                56dad1716554d8dc573d0ea391f808e7857b2206

                SHA256

                e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

                SHA512

                4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

                Download Submit

              • C:\Windows\TEMP\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\NetworkDiagnosticsVerify.ps1
                Filesize

                10KB

                MD5

                9b222d8ec4b20860f10ebf303035b984

                SHA1

                b30eea35c2516afcab2c49ef6531af94efaf7e1a

                SHA256

                a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

                SHA512

                8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

                Download Submit

              • C:\Windows\TEMP\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\StartDPSService.ps1
                Filesize

                567B

                MD5

                a660422059d953c6d681b53a6977100e

                SHA1

                0c95dd05514d062354c0eecc9ae8d437123305bb

                SHA256

                d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

                SHA512

                26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

                Download Submit

              • C:\Windows\TEMP\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\UtilityFunctions.ps1
                Filesize

                53KB

                MD5

                c912faa190464ce7dec867464c35a8dc

                SHA1

                d1c6482dad37720db6bdc594c4757914d1b1dd70

                SHA256

                3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

                SHA512

                5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

                Download Submit

              • C:\Windows\TEMP\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\UtilitySetConstants.ps1
                Filesize

                2KB

                MD5

                0c75ae5e75c3e181d13768909c8240ba

                SHA1

                288403fc4bedaacebccf4f74d3073f082ef70eb9

                SHA256

                de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

                SHA512

                8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

                Download Submit

              • C:\Windows\TEMP\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\en-US\LocalizationData.psd1
                Filesize

                5KB

                MD5

                380768979618b7097b0476179ec494ed

                SHA1

                af2a03a17c546e4eeb896b230e4f2a52720545ab

                SHA256

                0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

                SHA512

                b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

                Download Submit

              • C:\Windows\Temp\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\DiagPackage.dll
                Filesize

                478KB

                MD5

                580dc3658fa3fe42c41c99c52a9ce6b0

                SHA1

                3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

                SHA256

                5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

                SHA512

                68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

                Download Submit

              • C:\Windows\Temp\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\en-US\DiagPackage.dll.mui
                Filesize

                17KB

                MD5

                44c4385447d4fa46b407fc47c8a467d0

                SHA1

                41e4e0e83b74943f5c41648f263b832419c05256

                SHA256

                8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

                SHA512

                191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

                Download Submit

              • C:\Windows\Temp\SDIAG_ca49efc0-48f9-47bf-a313-e18947668a86\result\3154D2DE-7DB8-4E9E-AF01-D6641BB88682.Diagnose.Admin.0.etl
                Filesize

                92KB

                MD5

                ba3a5b876bb14a91e40945c257981508

                SHA1

                73fabdf8650d48267df36c7490ab9c7327f11167

                SHA256

                05dd6a066e761ffe57cffcc2d4d54a2d29d634e603b142c5ed9d6d391605e424

                SHA512

                a23dfb897f981fa660507b02b4692ba35b174c4f7ff3d8e1e5d5965cdccbe48a25dc099c4c86028569c32d1dfe4487a802904849613f188e5f9b5f9760e4bf60

                Download Submit

              • memory/848-422-0x0000000005140000-0x000000000518A000-memory.dmp

                Filesize

                296KB

                Download

              • memory/848-415-0x0000000004E90000-0x0000000004EC6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/848-431-0x0000000004C80000-0x0000000004C90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/848-418-0x0000000004F00000-0x0000000004F22000-memory.dmp

                Filesize

                136KB

                Download

              • memory/848-424-0x0000000006BA0000-0x0000000006C06000-memory.dmp

                Filesize

                408KB

                Download

              • memory/848-420-0x00000000065F0000-0x0000000006B94000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/848-421-0x0000000005040000-0x000000000505E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/848-423-0x0000000005AB0000-0x0000000005E04000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/848-419-0x0000000005080000-0x00000000050E6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/848-417-0x0000000004F70000-0x0000000005006000-memory.dmp

                Filesize

                600KB

                Download

              • memory/848-414-0x0000000004E30000-0x0000000004E4A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/848-416-0x0000000005F70000-0x00000000065EA000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/848-425-0x0000000006D20000-0x0000000006D6C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/848-426-0x0000000006E20000-0x0000000006E42000-memory.dmp

                Filesize

                136KB

                Download

              • memory/848-402-0x000000006DFE0000-0x000000006E790000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/848-403-0x00000000052C0000-0x00000000058E8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/848-404-0x0000000004C80000-0x0000000004C90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/848-538-0x000000006DFE0000-0x000000006E790000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1556-480-0x000001F736A90000-0x000001F736A91000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1556-472-0x000001F735F90000-0x000001F735FA0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1556-476-0x000001F736200000-0x000001F736210000-memory.dmp

                Filesize

                64KB

                Download