aef9774531f5348d6fd5891830a73782c1b3b34e00fa24e6dd03ae60a9c4ed52

Analysis

max time kernel
0s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

admin/kindeditor/plugins/plainpaste.html
Size

918B
MD5

9787000c1e77e14ec1c7b4088030f518
SHA1

ca31b1a2506fabaa5717ba0177255bd300105c2a
SHA256

eb9c01621abb71c3bdc87b4e573d52486ce6c8d36255c0803a83814c4ca621a0
SHA512

337af29ab33caee63377693dd2a1cf50754f2a678dba94df317b5d9981ddfbb545f8f4739877e57334cece00fc9466d3fefc0843596992e851c38af511addba8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{753B3761-AEA5-11EE-A76C-6E3D54FB2439} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2448	1668	iexplore.exe	16
PID 1668 wrote to memory of 2448	1668	iexplore.exe	16
PID 1668 wrote to memory of 2448	1668	iexplore.exe	16
PID 1668 wrote to memory of 2448	1668	iexplore.exe	16

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
1⤵
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\admin\kindeditor\plugins\plainpaste.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91178160ea0ec1acddcdf30024f8bdfa

SHA1
a81ff544991dccb69889dfb68aa89322efcbbcd8

SHA256
35c3b81f56d5a22fa83851a886ce750a0de26b449d24c821c95bbfdb780c459a

SHA512
ba9751f6a2b643913877633333f7c30e508c7996c2fd030fdda7947ad98e5cf83f318ee4bb0f7c38daba256fe37c0ca7778637e9ba31edda941d03fb4029dc02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b216eb626c883624d3b3c7584e7bb4cf

SHA1
34d693f865f1eac29cb90c19e9d2bbf83aa2a721

SHA256
e96894fa904baddee4b1b639bf85d3b145701b28a6a70a110c8c6aee4f63e719

SHA512
c8499f70b74d77bb3631ad0c2e395e0eb766050e0eb50fec561772f6ac16d4845d03fa6b4e41db008368e6fc81a77a7fd3fd18eac5c4d7679f697a9488276dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c4c04ec87366167f53b6d132d60c9b2

SHA1
26455f397ad6148f8a294e38a4212aad1cf46813

SHA256
b4f0888e4ab794ce2930e10039395dc0efdadd910e2eb8102fb312d4101e42cc

SHA512
1fa1fc7df8fa36d0bc7af9e08381221cf0d1d46f6fe5e2172a78a8a828863b7cb678286177f00abc2689376dfe8dfded0770bc5dfed2e8a280f040e1b4f794bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5de12679bcdb270e89f865e2a2730600

SHA1
143077d0d989a035332c6c6edf9bbbdf0fcec681

SHA256
cc473af7d7d9cb0bbec14a31ca6ca0ff447cdf47c844c008ae8f5a0dd7daee70

SHA512
fb170eb6990a400640fa0882563bb80a1625e9c48a7c4be3ce061abd11f57e9f6824ea94eea3326b3b7940eb27e153ff275009a6ae4cb3edca6a400c8977cbf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26dd50405ed41aef635e939b9e5852a5

SHA1
a848886737b2de94d194da49ec00ad37a45645db

SHA256
5c4ed2e208552c261990e85f4d0fe87763db75ca70f5c3b87a3ad7d6572ba07a

SHA512
9e4be0723b63ed1a467f289297d27447f11e2731f09ea90c2054eaa256c8303234361c1b2b7975e827c8977e7e68570374c853e85172ae2218e210bd69db01ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9c6b86bbbb67ab9ce9af7e2e4fb217d

SHA1
7eff3b4ba788d598267b1dcb08625c827e01d66c

SHA256
527617b988c5ce752da3868719a76e136771c5d4e90872f525778ee08e3d7b5e

SHA512
4d8e079431284db28df090530dcc8c87abd63dbe0f61cd1e26e14cb3d574fccbe8fa261f57f668025948503b0236efa345df5e1a119caaa2286703253719798b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d29a2fc4270f7bf9c9448179fa0b2acd

SHA1
ff9da3f975bf7348df8b4074513c16c182fd6df4

SHA256
a673f2b51ecb9bff7df16b2cceee601f73b6581ba4c1b8c5fad60a116568ae4c

SHA512
7d9cc2c1428813e3a1c63f9ef7fe12aa0cadfd5d1fd09a387acf154a6e2a8ee5ea76008e8576a980e9e383121c5feffbeb644ba750d85ef0145eb8f8e64380c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
284003dc7696b7fc638991f004824ecb

SHA1
4c412422d566fb6c99b6add17acb3ea83cbd8ffc

SHA256
0359611b1927cbafa69059b56eba851d95b672fa4cf764824e84a490d1aa14be

SHA512
cf1e56b447ece23e8f2aee3b83bb456a133b6e3cf797dcb446fae54f624e12c8a70f54680686a491e6e3edf9016f995df2cf101f884b9be1400761ceae9346cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1bc766ee64741496489604b29db71948

SHA1
20096fa06e04a96b6ad83d077e1c08b37a5e4cf3

SHA256
79834f724c33d50d65ed529251f33fbfce37bdedb0709e6937ce04102a99888f

SHA512
c7ff6943b850c45b2ef1e68165a8f28599b365bc6bb4b55a74871737e9616a503110f83ea441cd5d54587adca54bf940c0c239ea9c57f9c8c6716841bc5ca562

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1EAB.tmp

Filesize
1KB

MD5
1f1a3b101012e27df35286ed1cf74aa6

SHA1
46f36d1c9715589e45558bd53b721e8f7f52a888

SHA256
7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c

SHA512
d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2ACE.tmp

Filesize
1KB

MD5
fa527dcd6b5eb05e72fc51570a2a6608

SHA1
3380c5ef74408265fba2f67e790636d0ad0a51cc

SHA256
4dc7a4a6cb3be2c334a27a49df89f18f8f91749fe6aa1cf28d548e0e0c75ce3d

SHA512
05c0e217c433949cab210102a26ca7f6a765515b228b217e25c7409408fc167b5a59a8494e1181284e9ec72849c90288f3a066faa284e29d871097ec76291a5a

Download Submit