aef9774531f5348d6fd5891830a73782c1b3b34e00fa24e6dd03ae60a9c4ed52

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

admin/kindeditor/plugins/file_manager/file_manager.html
Size

1KB
MD5

f6551aa34ea3461453298bd40aa0d614
SHA1

58f993b9f7baa4ce4f753ba4ceea379d31f24961
SHA256

87c4cf0bdbc36c0abcc6053325e8ce320599ae02df6e0a397821ca6ca005335c
SHA512

330ff96750c74d0994d12ef854fc56d41e1b597efcff974e111262ef34d835c5d4f309b6d61ed0b733a4ca1728faad4008a462cbe9155a095546f2268ee97c51

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75410B91-AEA5-11EE-BEA9-FE29290FA5F9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909da849b242da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d7800000000020000000000106600000001000020000000bc1bf86f58c5b749ff34227eb9ff5b6df3b8e81fa7a5b0c875000197e5c5d58e000000000e8000000002000020000000211c31f72d68c0c117f4d47600c9d351dfc188cbc651a28f150f52d53a84e677200000000b1ee698be9ec9edba27776082e9298faeaaf4bc4da38ee59da3c48433ca8b86400000000079ed0c5e19753ff2651dfb4a54fc3dc15df70a678216035bbe32733b78fe162d2afd8d79f97fe4e824b57e138c4293778639845dc0bf4a185d855bd4469309	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410935486"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d780000000002000000000010660000000100002000000006c354ba1c3c965b364c8c9cfb88951b16d835b0402ed7c239e1b27f07c9bf51000000000e8000000002000020000000938b67d86d26343395707f878abfa2b3ea8a2491f686465b9851cbde101b5d2f900000008ff64a1e0134020dd5ef3162d5250b4922935668c4fc26721d3971f0861e2f12d45c5c55db0a42a150292c63c3eb4480539799aedfbd6efbaaaef6448008de4c978c06da86e884f8879ac6df030c402b80aac594a302101703ad6eecf0366c029c59379a920e1c546fd3fd2538e6eb140e05d692b8b34c637f2b2a07f5a88aa593dfba8b036722ee3cfc368e241fa5e94000000037ff6174d56fec23245ae66cb56663885981b5613a0001c712aaf0a0393758f47da9a30ad620a8de50a76eba92675553b1c7c97addf391fec5def3dbcd9dbcde	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1540	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1540	iexplore.exe
1540	iexplore.exe
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2196	1540	iexplore.exe	17
PID 1540 wrote to memory of 2196	1540	iexplore.exe	17
PID 1540 wrote to memory of 2196	1540	iexplore.exe	17
PID 1540 wrote to memory of 2196	1540	iexplore.exe	17

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\admin\kindeditor\plugins\file_manager\file_manager.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
5859dccae6bc955e02d8f9bbe18647b7

SHA1
e5cda9d2116991df3a75dcb6833d5fa36147bde6

SHA256
9bb2de13b13b82ccaff71980c3e7546e185709fc4ed992d3dd81e8e8b0bdd7eb

SHA512
131fa2d85bcb4ad89cd8057ca670a8a7df2bc7496837d0f5ff709a8e74155d6511f53db3bc1fb3d7190470e8d518fa82aaa112ce68b57d3f677a6ec24e50aa53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efd93eda63e21b1348ee284d3331511f

SHA1
30c227bce48744c6e8d4f7d6e4c6ea9f39bf20ee

SHA256
8c77ef0eb2470c1f7510be2719786f9c6697de276d9834a5001bd1de6e1f3657

SHA512
64d358e9169c0b40db2b6804a0f08ce41359996cbe6001c35c5edc127388551d43ae8d0dbecdfd705fd57ae50f0b7b5811764493cf518648542d20c9b371972c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a63c1c4e7958e14678e78b749877a15e

SHA1
df236038b457edd744f0ef21bfd127bcea988259

SHA256
db2ffe6e67073c97b809536636b325da6d6e00c9289969d2c4370b685e65c35d

SHA512
a250229f002dc56b8df1ca5a732e1cb53dab1bde77933a1135c30eb290a34e6dc0017b78c07cfcee8602ac9692de22f5ef9ce259509689003d281f7c805a0cec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a52c1d3636cb2db69bc8e57c3c1cdf48

SHA1
f52f58d41dcfed3e110a626a48fc3a2aef7fe12b

SHA256
6a7fab0001fddb576229579291c999d1a3766106ed7b5e360737d9c5cbf6ea45

SHA512
a11ac28fbbf31151aa672af98b99fd3a92a23427b7d109f7053e3e50a771b5a8843f06c5e99479133be6f8b80f208e34df7a6be96737fcf531a04ee4c3973518

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c70b2e0ae5d4bd71ce796e25a4e2bf29

SHA1
c106849acd5bfd1be738b9a0d7816f1bd45aa317

SHA256
1b31229ceec8f19c9dfa6469546619aea106383d8dc8500ac0588aebc52820de

SHA512
acfd3c7341b1174b04578e3fd79777ade8c1005b885aa15db2e80ed5a91d063545c5c2d075aecda013411e6620606138e87cf6848cd4dc2bfec7f6f8f1291ac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
651a1d56b06c815067dbcc9fbd6599ed

SHA1
931d697d77f7928412e1e7ccbd273249f458f4fc

SHA256
c380dc3a0c1a7bdee18ffd11309d91cc207faf88e4f8138202cbcc2bb2fb6157

SHA512
584e9859f8039c2601acf6de0ffa241d406b5a80e3efc9233d8bea7f2b2cbbc2c0f0f3a6a6e9b6590114b0c37577f7c19f62e60a7fac6e003ccc66f840156f20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3fbd35c80b168ee70ea2596561d7730

SHA1
12ca177bd73030b410040b397baebdd9c71bbae0

SHA256
4ec589a990ce3a8ba745ad12f8a748e708c07195f3362667c676e19d3ea97de3

SHA512
a552b7f4443eeb0278e189556181d50e152691031bd9b4a74d1b9200a64923d073a9e8a36ee63d8a23ddb3b9eca38ec9add414038cf363d595dfdc49ad743b6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
59c262159fedc45a978612c9e3d51320

SHA1
6c06c0af0a20907111e9a5a681ccc7e27f6b877d

SHA256
2cba9ad37cdae675d23ec60eb5c10f95dee8d4fe9011d3c421ba554af07a8ad2

SHA512
2f2c2a2e1c2512b4953c499b8d9911be306108b5726ebd378e0027723cfe8ef6480f8307bdefad93efae4d051462b97f44c1dd268ed32ceb774894a3c6acbe93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar323D.tmp

Filesize
91KB

MD5
62fb6771959d6b061ef7a4bee3459b89

SHA1
d918ff7bb088f92f5e93377fbd82de86afefbe95

SHA256
fd9f3da55ef6c09f3f3c9eb272e1477489887e98bd7835e4a0196b131f05a334

SHA512
6ae8d4b85c5bb6d7e368ee806000ce7570e6b80cf1433856d92f001263da8700b279f5f5da8c4aefc41cfe75c332935bae313b9e00edeb703629d2015a42b32d

Download Submit