7d60bbf9f20f72559a24f4ca2c19d31b6740ada84d4f0cbc8d02d0f8b19824c0

Analysis

max time kernel
138s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15-01-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChangeHope_B2B_Free_V2.3/ChangeHope_B2B_Free_V2.3/Blog/ad/ad_userbot.htm
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ca95b8dd47da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4345361-B3D0-11EE-9C0C-D6882E0F4692} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d6000000000200000000001066000000010000200000004173ba411dac8bc563fff5cafcc9dd551b0dcf8f5744a8e6834d97ffb4378408000000000e80000000020000200000009ec77a61dd7848807403ba067ea71bcab91e9af3ec615fc0905e0a3ecbadb047200000001ba94cd846ad41d4b0f80811342bfff6c6d30a8be85b40ca50d52c952baadc634000000093613ec43e43de44b8d43497e240a701749c6fa9d05365c9f856509a7cb62fbd4ed9c53361ea11e29f8d78a4b79bf400bd8e229917edb70f44e6e7db00e195dc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000faa527d1662a89e655c667e1094f1eba72aa5957c4644b550dd4c2cfcce723da000000000e80000000020000200000007426c8f36db1723c5a7ccc256d756d4c89d11c359c537a701d4c897e829e295b90000000f9f254829b814f5e19ed5d15bde0bdc6db45f76178babbbd301d42825f377dcba488e2f2d0302e09d55d247380f75af1cff49faab76aa93d23052721aa8a7cebe74f3453fb028e1bb15699ce5d0f8edfa94f6b9ee039898a0ba6bd5c242e80b2eb4d932ea81aa64d4cdcc91f75f42a0d223238b4ad7014ca7ebd78075db5a8338f51bb7c691d44267f93d5c700d7eeb240000000101ce0d5d8f264c422251dd0330efa6d63c07eddd15426aa58a352e7679c2a058bb3095a4c8c694a50a7992658115f4030ba067c092245f466c0f0171d7492ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411503897"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3028 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3028 iexplore.exe
3028 iexplore.exe
3024 IEXPLORE.EXE
3024 IEXPLORE.EXE
3024 IEXPLORE.EXE
3024 IEXPLORE.EXE

pid	process
3028	iexplore.exe

pid	process
3028	iexplore.exe
3028	iexplore.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 3028 wrote to memory of 3024	3028	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 3024	3028	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 3024	3028	iexplore.exe	IEXPLORE.EXE
PID 3028 wrote to memory of 3024	3028	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ChangeHope_B2B_Free_V2.3\ChangeHope_B2B_Free_V2.3\Blog\ad\ad_userbot.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d52d2772ad1a053cbc0a4f681b3520e

SHA1
0240c95e785ef61b67018fb776ed6ce92c1576de

SHA256
d0381aaf4ec126b91b9cf43aa29c8f223f88b753e428f8bbfb9bfe418702add8

SHA512
8cb51205e7573f9875319d76e8332b4a34fc8af79d61274334c2d965bb6fe87372b7b02e419bc59de1b0dd52e1f365aed85f5eb481ff2a3ac46dc7b5014fd84c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b1582f5c118bb9f97fc39cfadacba66

SHA1
7a313d2637aa198a17b236aadc0a58a0acfe8ae3

SHA256
474d40ee9763dc7022dc3ed11c8118bd5e3e6398c0ecb2df676604148154b24f

SHA512
ae4fddfa8a09edcccf835ab04c84919a1c8e1fc403659a3271d1a76e49f63e808a44d43ca9b4f8fccd17d66449b63d30b8ac0553b713d5089d751d8f39a88dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38f0b2030edd4c1c277963f7e30e27cc

SHA1
e13b4194e52e9aa89260324e8517b7d2f454e0a7

SHA256
cf47dade73e1688578adda218e127104743f6ced497cb14c18ea8d0555218d1e

SHA512
17cca7906e2d9fbf4a847d3cd66f2a34e83d5869640e1c67c3fde4676c4a04c268976c3327a69c9305473f32de32f810a1eafc289c6188423ae47780200f6bb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e241518d3a3e02066738717bee3172b

SHA1
f2b805a066383e2bc0f57731e6f91689d87eb607

SHA256
e486151dbaf46b25b6fe7ff713a14193e7d1b4991b1bd7cc9b999ba5bb48702f

SHA512
22808c07486d33c6c8fb0ac67e5fceb750c0804b5108a9ec879f908a8fcece7ba0735e47189510ee903d78ffff4ddfc5947be46cc4f01b83837dad24cc7020e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec438bd76ef21f15b2e7cfa2afee54ac

SHA1
222aa5ef17d0a4988594ee892488b4d141254905

SHA256
514ddb125f34a0697effb2831e72254ce5b6f6dd19db3019ab2f188a6a6111b2

SHA512
0143b466ea3f007df6d08419c54a3b711298825beece0f855588f0e64fcefacf78542ce8c33936bcdd2563cbef406adacd9a60f0beef6fdeb37b94bcfb94e7b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f55a17a3351a4c173b11f1b11c077fd0

SHA1
1c05e4a735dcb3ec88b876e0f97d36b60b624906

SHA256
be723a85d236409710754d6bcaff1f8e8505bc13e9c87fc0a9f1aa3c9a2eae45

SHA512
5e3d4996840e208a5aa3669d693cbaed5c1d5ab31fc19919f3b07c173e6abd331cb42777374a69c00beaf1174b7859990006a85910d7ef2383582ecd04d1c99b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d5402693f550417744a0a0ba052cf3e

SHA1
885cf33ac82651f5f61a0accf425ffd58be93625

SHA256
73f45b0ce34bbf70bfeb333d6664dca558d4a5b90bd8567dca0ca0086a26a58c

SHA512
dd8b93f5cc0898ff4c4f6d91df1f8f2f1318f23cda20cbaf5b62b868aee909bd73c5c58784bfbc2d035aa43788e7ad093c4961b1a5f62b5f36ac76f4bc7534d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f54252e95af13128895cfbd56f392b3

SHA1
5edd5093ff9739c5e6d150cad0fdf5a683b18f45

SHA256
f6913b59f76775edf91ed2e751d6feb3720493223ddf67e563a021296b1c0d81

SHA512
4dbfb253eb59ad94d26c01c8fd5ce3a1141424bed61e9ddb5ce3822b6ec4fa4ccf15026aaeb702a0602ed5ff3b5296eab8476172d4fc25eec59a5d36202a6df9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96d1cf70f98fb32345c1e5481a944d1f

SHA1
f8d38839694098f52e1c08a86579a4606456cc23

SHA256
6b0327de609ff88b113eef406797cf7afe85bb969956149173b267466013a69d

SHA512
83fdabf9079bc008810962601b0837adafe3f926dc24e9c783e13bbb58d6826ccbedfb68b85202a7faed0d071a49933177a9cec13f5ce563f68a098816de8a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb382096efe530fe2f633056e1d4af5e

SHA1
2fa1d22d0ac56e70cac77887dd869298da1deedf

SHA256
2547a0694041aea64e761942ca85db1659a3f1d3241049f7980ca68fa1762d11

SHA512
92835fb79c62ad1795f355f0d34b53c2b837850bc3a69b0275a9c1a9520420e4bdc5c20d92079a1299ba940ce0fb41930005e86a883f6f21a7fc02cbe6bb54bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0096186f4920c4bee5d76cc083f5005a

SHA1
39278a65a188b5119079794eb6436ffd1382ab8c

SHA256
5a82451c9e93d660c43dc45bd443668db4a42f3a9446d5b1f61f45741bcdb8e6

SHA512
fc7e35b23777f526733202804f28ba4498497d09d9f9d0c6126a7ff65719067069b27bacbb7cb50d0a91fb5abbb7c86065dd4ac0f082f0b0b914f31060886d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3305.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3318.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit