hxxp://exp[.]westarshop[.]com

Analysis

max time kernel
196s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-01-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://exp.westarshop.com

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb8000000000200000000001066000000010000200000007ab17558288bd0e9684e6a6caeb621b2dd7206c71e4913bc2f14c42787773059000000000e80000000020000200000001794904bdb7f84e4b6f0e2ad53aee27f1f285a0a72fb2f675a347d425cc1fe142000000023a7e85f7a59c9bfa4f99d43db416000fb54fd709afbdf21fd479edee0cfa77a400000007f2e76511d032cdaf2b1de7c3f640a7439d25851dfa65b160d97f8d13b8e19c9b46783f4e79ae32c9f9b38e66a6788f0410e75b2593d941a051e76667539afa7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411684242"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb8000000000200000000001066000000010000200000002ff9b2360dd9ec7383f2bd9863cd8b30fb4924272b4f99b1509da1edd2d983e9000000000e800000000200002000000063eeb889a3bd453330b69d91fad80387e1acdaa3e5842ca9bfe76f6aa2568fb290000000ee0b040aeeb6d158b8b4c0a04fefd0916f879d761787a0429995b8288c14197f1244199ba46e4c43b5498b7e593b6ab520d0a9ba45ef519e3581959548d92f68f96df5a7cc28ccadeec36d6bec6f83cf806d4c0b8bf54a8d8c125853fa2624fce938506c69890bef8dafe5e597eef821235affea58bc2bdc0816392052c2e9b3e6f4c7d018baceb222ce068380a0e96240000000fc2979a933126be5283d9b657730713e6b4810ebcefd98464d15d51bf99076dc5a021c599f38b381cb2e469d84769ed6964f2789fff0a0702b315ffb59086a83	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CAD4DE31-B574-11EE-9201-42DF7B237CB2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 501afe9f8149da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2088	iexplore.exe
2088	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2728	2088	iexplore.exe	28
PID 2088 wrote to memory of 2728	2088	iexplore.exe	28
PID 2088 wrote to memory of 2728	2088	iexplore.exe	28
PID 2088 wrote to memory of 2728	2088	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://exp.westarshop.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e807d56598480554cb831c9acbda911

SHA1
1935fb1fe555377ca3967074d3bda3442e97b838

SHA256
aecc11727976e517a10e764ce17eb76160abcc9efd6437b3ef4e7c918d3eed2e

SHA512
9cded3c95c2ed0cd3067fedbe178010c2d41e97bb13de88c595e44faf3da85515d37dcbc3e355a9d4032913c217d7528c4c0f1b2545a20a5eaec0f1880eded17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e62e6178432f5fb2d3e72e790c3ea851

SHA1
bbbea7fe2c0de5542f2794b2d92ea9c901d00356

SHA256
ceca1334237e7081e367f8bedc9102a5c971298667bd5e3995be666fc157034a

SHA512
0b4d598bcf7b00b7085b49372034affb2280f094462d3117d92b46619bfc5e907b8ef98c6270b558e0d45c661d747756fa0281f1c2211486990d90f3f7bf7c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85264168b4eb1960e49d43752a5afeb4

SHA1
67a2754d7c0d42efc1ea55114978f229241dc163

SHA256
200db512eec0194e63bf10e363f9db3c79cf3e9f008d2993b493cfd069af3015

SHA512
46450973a4d7d8d58d46f42b1fd2f17a52910db42332b43bd0acaa5258d215a5b7bd28cdb9bb4ed4d5f3c3145e3d74e9a09c1225c3ee4e36834ca2c436d0625e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80157df7e77efee2c74cab4303fd081f

SHA1
e91fdcd98bac9258c6a13f95cb6f4d429d3899c5

SHA256
35822d69c57d3db8c5eb3b33f1c53dfbf87f9ed98a0ef189f063fb42067c60f6

SHA512
95c0080c373fb929330f89ae2b3d2cb062b34df8a6a3706e48e4c02e53a8a1f8f4eec34650b1284e7aebbfde7c96dec60abd124b281088f1acd7879c890deb52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ac34f84f60457fbcad6a13d6bde327f

SHA1
1cb5aa7d0cc283070d8495db8d4ec2830fab627f

SHA256
268fe8e13e2cebcd729229893854b67d244e355e9ea91edbd0e8c676b07110bd

SHA512
438b581402c3363232e7cee6e461443aa56be8979d1f209b58e74edf37afb45723c3cbc9395db96b9fb7a6d346460bd3ee327d38ca4075132c150298f9c333b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa0eca201e8b2d2ca6d65b3bb0e6a0ba

SHA1
e7a2143e76ca6dd03d6b4a8089d849fc5112b3d0

SHA256
3ca1b017eef444ada328336cdd01c46d25f11f8611fa39ed20e0245c2ee5e282

SHA512
b67ad9809c1e1cbe1431d2a9e666709f9f5004f5aeef9f895e88afe04bc1762392b2d33f234da7dd362d1f4babe1856f9d51838c6f88a161c55378534f892fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16f9b9967108bb44c2d2367caefe5fa4

SHA1
45b1998f7aa12348bfd30160742c82a34bb1fdf6

SHA256
2d77abb3100384873fafb4e31d7fcae5fe0a30754f54c15691230a67354b1b00

SHA512
b26f867fd935cc0cf94e57e635aeb3af66a6a6d8dcfe183c4aebe1417b74d45d9b0aa68fc5c2714fe4c0304120446795d24fb42624883875e90c0bcb0025ebef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c57976d7cdc190de9f9c93782c3d5832

SHA1
45dd2acfed1036813d9cf3b85c8d9580af5ece18

SHA256
53f89c05566540f069762c30ec2e876b6dbbbbc979f9fbff5a92bd931004821a

SHA512
ece86ff352b48b38ef5953566703b97978b1d7220e2bce3b0388fe156dc3b0fbf68fd15df8619911f01ab45f1313c465f8096dca80d38807a5e29ab0c525fe8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3e67e271de2da0f3739166c1b3fbd01

SHA1
d0abb4738ab630bbc6167f9b5e480177429a7c05

SHA256
93f5f82955b4503d625b8c51d75bf253ee24ce5833f22832c76b0e29c012590c

SHA512
9874c2506deb1c2370e5edcfce60bf262eaa46e725b16e76f2666953abd2a462cef22110abeb360e1028e5e8bda26d6e68e3021ca5650375265f640bcc033dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
daaf6565db44bead7551fbed509b1816

SHA1
13f9e4f04f6190b26ec554978efe253d16ea07fc

SHA256
8546cac6cf4525cc24c45f71cd0a4c8cabb4fecee0dbec2b778535fb90c9eef9

SHA512
80d049afb40683bea423946d180f3d12bb056f9dc0c51b068cef57d89e729eb83c63cc824f4f713c8e19ac731d4ed930ffdaa8caa904d39e6b5d2de6a713fb5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8bce2205ba0f71c033ee686fa1b6ea3

SHA1
b7d331a54266136eb5dcd563379231a6e1cfe521

SHA256
3f235241089d9255d0cf6be315787e2bfac50477c85ccc088b8c0f3a7eba1960

SHA512
1179602b0383f912210d6bcbe80f580fd2d2fe1aeaef6b80419bb85ae704813714e3c257341008433b44c866fb13be2f0d634bc32db4a57d3c6fb95a47eab66f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35ed04063094c932379e7c5e0dbd2859

SHA1
016fc3d37a034e0a2aee64e662aec86aa6bbd2a9

SHA256
81a1f0fea06d2e878228c161ea02ee983c268fcefe7858fc950eaa7158e2a214

SHA512
3280fc60e826b8ed1ebc0dba41d9641a8e2441b351a6544e216ff03e54540bb563bb80397cab0e078b1c5ebf7ee314ed6da0bad8a2d6991839f3aef8b0f624bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7ac7f0d473d5c0391cad0ecbd888749

SHA1
f783c37b6ddc8a1ab7a6822b6c3f0e51482ff7b4

SHA256
767c5ddabb3deeb45e681891b797af651a38cb30c9365410583eb57f859aefa2

SHA512
7084a7af7d9bd31c7b5ede41abcc4788ded37e8148924c9c9194be59745a181361c78433781d427db589a89ee0e513a9a67180889a4a3fd63dbc23aa4b95e1fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d4603822c2067b6d3bd7fcfc18e00e2

SHA1
4fede583a9269e58232bc3a697c471dc6ebd891b

SHA256
b096995b5f34f4b62cb2af79a34fcd2f306bc36e87c7295054980673d8be43e5

SHA512
882a30aedc7f6a3f2578092e2e895f648899e92d971699fa2aa1c24ffdf59d7f6f988d4a97919fc9c441ca5b42accf05d46f98d10d200b19d7e9c255c45af90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d201b56099c41692bc83e18afa2890e5

SHA1
71c64181d1621ca0ab9a469ac618de2787e8dbc4

SHA256
bea9ad6c86a4e7221dffba0534241d09300d63a441af60163c50f342dd074999

SHA512
521318d97cc819f16e14273e89acf98d22422131e282d6de170d0fa68b9a9809eb23d69ff97d2cb4e0374abad0c0f00841adcbd145d66d4b2d04674b9f0e103e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
714c347e2703ead4339738148e5f5d00

SHA1
a1310f5142f5b90758ddc64b9026576f59f992be

SHA256
037af20e848dc8159801386464642f22c19dc34cc8c213774a464337dae5aa52

SHA512
c56a146a7293398fa707f3b8789633b709ddec10193ef2e3ad6cbf59dcb37811b1b915abaff80e5095cb9ecb928fd6ff7877aa35d6599211a9b51bd0f0426cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37c2f1b46aca0cf0ef3827be1f1ed458

SHA1
0c3cd16504ae33862b7b613d0f2cec4ad65c4ce3

SHA256
713d238db05c30dc80b44cbf5f4920242329874d052dadc7cf473357e3315a66

SHA512
395c982b72160005d99564b7e4351de7eea90c04e7a70d88832b70b3c7381fee5d3bf87be6ee061745258f20bd3171273d330e6284b5eb1bc3e50ca6dd79fe50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0382bc9084b1955415886e81b81ea46

SHA1
c750a9ad71f55eba88f5d68dfe0d5d827c904f6f

SHA256
7fd102acd13f71cf3dd0ace922310621c671fa70286f83846f4b6066566c7d9c

SHA512
cea15cb4575fcd16eda2c3d6c43ff4793bda6bc5d1a95700a6ff0bc1b3f8440ea6bfc1d395dfcdf4c18f143a4106e08a54fb35820ea5b32dcac19f3492ceafbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71AA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71DC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit