a8d48c0c2c12b9a36bb0670fb1f18a48b32b98833c04191bd1ffd2c584202371

Analysis

max time kernel
138s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 13:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74c64cb79b91903789513188518a8191.exe
Size

18KB
MD5

74c64cb79b91903789513188518a8191
SHA1

bc88407718f9f0077cdd0e01ab43eece6e0c75ff
SHA256

a8d48c0c2c12b9a36bb0670fb1f18a48b32b98833c04191bd1ffd2c584202371
SHA512

49cdd45c5be1c722892f0d813faedf10c2993c2d4736062a64368712053f1571f6700f62cd406e96001088606bad71228abb4f5c4de1bd337ab97e0593c8ee9d
SSDEEP

384:7BgYlWIFFsVVKYChDmQyn3ApCfRps6ZQMEIdRYLifR3O3OHZ:7BgiKPKZh9S3AcRT2MRnR+3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c1930000000000200000000001066000000010000200000004a3afdf062bd6c533ccb2ce5a5c63e5d9a4115777556f4c251e025623de31424000000000e80000000020000200000006d1232744ccbc21cb509e46c0ccb0bb9477dd50e33fa8578099393f3e4d6b00c20000000167133f435ba4a7df8a95fd1bec67d1e11350e4620d19526a44f4da4a9290d04400000003384a6b4967b420c8df971712b62112efe895fc7a2fb5fe79494a6b213bc5396fe892fab4e30997fc85ca48af9b84b75d0af8b36f95c7d01469b99621adc80a0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10951a6c8f4fda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412349873"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a883829c536588438b4279b7bc6c193000000000020000000000106600000001000020000000ee92f4b68794e24b254ee9fddfd9c21090435a8f76fb18dc7f7498b777915f5a000000000e80000000020000200000004905c8b7125f0594b58d2b2ea032b9898fdcccff945c00b9f11dae3aa2c07a489000000096cd64f63673a3183118447ce1c06b45b6bbefd13e8c7d120095ecbda57120efa559e62198c969dd4d395d35056d2d8f2813aae427a564005f6a37fd2fb9165de32ffe71c084648caa60eb76cfeadaeb31ab073bae6c2bfb59fb718e336b6586d04b6e9609235dfebc122ae9f2c3f3f1fd6ecaf139dfe4903d14b0c27f17db42a442ecc4acb143e88f1c1fdf7d302ba24000000057259582f94395ce9cd1980a32163a1f04e42c72752a1fa86d378901df86731af0ce11b1a20cd593ebdf20e2eb18a960ddcdb676a81925ef33df03ba258baf62	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96CCE101-BB82-11EE-8C00-76B33C18F4CF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2532	iexplore.exe
2532	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2532	1728	74c64cb79b91903789513188518a8191.exe	28
PID 1728 wrote to memory of 2532	1728	74c64cb79b91903789513188518a8191.exe	28
PID 1728 wrote to memory of 2532	1728	74c64cb79b91903789513188518a8191.exe	28
PID 1728 wrote to memory of 2532	1728	74c64cb79b91903789513188518a8191.exe	28
PID 2532 wrote to memory of 2736	2532	iexplore.exe	29
PID 2532 wrote to memory of 2736	2532	iexplore.exe	29
PID 2532 wrote to memory of 2736	2532	iexplore.exe	29
PID 2532 wrote to memory of 2736	2532	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\74c64cb79b91903789513188518a8191.exe
"C:\Users\Admin\AppData\Local\Temp\74c64cb79b91903789513188518a8191.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://dd.tibsystems.com/e7.fcgi?err=311,0&params="C:\Users\Admin\AppData\Local\Temp\74c64cb79b91903789513188518a8191.exe"&prog=ldr&ver=7.000&winver=Windows+NT+6.1;7601;9.11.9600.16428&ci=1-12
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2791eabe55c1a23d9fbcda5e7a03c97a

SHA1
ee10ddfcb67466a5491c77f78bab242cd48ffa74

SHA256
64d40038ce5b7ea523b49b89280f5dc880568da722b9668e8ed11b943e38684b

SHA512
11d2e85ff9b3d26debbd638f33815058b9169f82eec83b63bf29a459211d2c1a5fe1f7acabd7efbd78a97faff79361bb94415fcf3ce1b05418b4736951b1f2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29b33439f475ab29fea8f3029e189708

SHA1
247a6bfda97e069f1bfe1687e6a8a659a865b57b

SHA256
33d1f7708367c938e19d33e95f7c3913287467c2bcd2d8ace1068042624cf1cf

SHA512
daab071c3a1d0f3cd46b581c5eaf0734057071adb0efcab0eef440b6e425c62590c21554014a1369bde14446800d23b0633e5523fde1fc76e3cb721d679e76b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3365fed1fe594f17b4dffabce446b934

SHA1
641f316216bf9eea40a263d8ccc479403af9f6b5

SHA256
7c509a36bcb09163b8797d22252c2fccc2cc77f4b833598623edc575b5b5435d

SHA512
779b7852e3180e238f49e1e96608b39cd10376790c3ec467a769ace5c43ae7dff19d14efbf45e8e0127345edbb37f0d9ce5d5c3498cb06894804ad45aa032b27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3adb5c8650801d53f48476b255486fcc

SHA1
ee8d5c363b5878d41b8fb8891adaf79b6d0c104e

SHA256
86f9dcaad40f89bac7e483be13c0de07dde86c78022467695da789dcc338d21d

SHA512
209f773ebc8d773ed3677e1dcdd2aabf97137147264fd3c8c351c0624b2ce4e99fb907f16a9c9cc36abf248ef12f21414956301f888c605f73c031d962ea5169

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ac276e891ea206e33db48d01105191c

SHA1
430809cc1bd035fd6c537929d56371a4d5b296c9

SHA256
4c345bb157822595ceed299c260f4da332f70e4f3002e4541990432ca0da77a3

SHA512
5aac6a64a1066ffa0278f837850bacf704ad1366444ac32ec86cd899df2b5171ab3c3d81e27ed68aa0edb7faf0f6ca3f3eb573028fc79f80ddc0b7959dc0687d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3edf2ec3cb9cee89531bc20ab76a139

SHA1
2a4e3e5c8637b4f5c0e4bf9335baf571f878eb7a

SHA256
7d5970ff1cbc500289bf0154c3f561a0d3f9721df880fb1d48c030e80c75ff61

SHA512
3e81487ffe72d6f064c26b95731fa6c9d4175117de9e2255faf340796233f1257efc2fc6b6f418e36224d8254f601196acd38948925a79a250d3743b7f3a148e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20dcc05ebc4ce1b28caae9a55592e1db

SHA1
94914221b189d4221ee6d7e560819099b4fbc48c

SHA256
76d4373d6e6aa2d5e15911b7721dd2927849473969394e64bfef5194cc71a97a

SHA512
a459f4f0f82e1ce87d93bb6d4407fd756fb8ecf2d00ca319cb375da59b224ef3adb6c536bafe9b3489f5875fa542244720d0f6865537a1c85982bf1e14a16df7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9efc2c3004cb37cf21e46af319ec920

SHA1
5a2b488ada3a520a8264cdc3dc0d1849a8eb98e2

SHA256
eff7e7dcd5c3c1512448b6668178cf92afdbfcee95b7b84c0edd550a5a256a83

SHA512
759494cbfe7a51db2925dd976c0923d9bef3723a6737bc81c840fd75a5a98edb9d5ffef6b3ac982d038ef54d3a31db34583a4ae68d6d12aadcd1b2bcc31ff5f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c77b91dc365684ed01a9d9e64bde120e

SHA1
e84983379af20eda86c65e1936ec392e391e262a

SHA256
84f862c0a12db9a975cb08858560702bba2f722e0a9aca860692498208538751

SHA512
787f9dacbbac7d6d006ff1976e5012a96fc7dcbe9d0896ca50a3d6a076e37bc39a23a49346c09c90df7f7a360e96f095b68020155c021c98b858cd2a31ccfe64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab9c851438f11013b0a72f41fe9738ff

SHA1
5d97be9891a309581672f80d5ad34940a7341e44

SHA256
548d8fe695e6c4cb34077c7572654a5a3429bc5368b57392d8bd013aa37aef27

SHA512
880f06609e232f75de9cbe5d669e1bbc0e321dcd38a46a0797722c22c02521e276488258c31857c1efeb46e20ca9271eafb6c90b6669c082aff0d774e21149f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30950e00e8ea836c6e1fe0ae50b673b1

SHA1
1d15d3a27195591bf74dff4b7295927816f0212b

SHA256
438ecaf45a5fa229da303d4d6a60276f2169a3b1e8f803c8602246bcbcc01e50

SHA512
4710cf6f0fba68cbab05d4a4a797fa4fd61677650edbb2edad80a68cc425b04b73990a3317b8fb728830daa1f47dfdd488ffe110a06ab48a4c398615127109db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f325a80d9e0f40f9874ea0e5a4bb3625

SHA1
63c6cba6d88d2f2a0dc1df825a403edefd0d340c

SHA256
e9b7afb2a971f5f05c258456c6acbade62d502dac7012495c6f750ee1fd8fe37

SHA512
5248fafb0d352b8e9509ac9e3f6c33a978cba18a381d5179065ff46074b3a7ea35cb7e18edd8d504abc6b38c275641c9db2071262c63260546390c215d0e7df6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d905c95481029a0ad67a301e419e0139

SHA1
63299303eda9555197331c54327da59dae77540b

SHA256
b1e44818e94e06156e337e6b020159e0d4e7a374b634cd581113402dde99df77

SHA512
89f1374a668e04bc6ad19975900ff55e6a94553c72902dae047038d4105dfcf3cfc6a2c7e2aee09235ce3827513e64312a3b7a83a7d9a30c3e47ac86a19df383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e51c5833a6d9ae2be2e43b39ba31c65

SHA1
328103cbc29e2b986b3f17783d13cee8cfce385e

SHA256
ca2c77e2f15673875a4c32c7453db7123014b4bee0da15ad0d0d6b536897737b

SHA512
71e6c22a89c8cf0063a31d0ebe36edd4a5460d79fa56f543e9fdedba8544f4c065524bf33d4c5dd3fab60cd3fd3f086045f037daf941a358dc235519d440b4b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
942d4f055f2de677cd3bb9d6af1462e7

SHA1
d1582821a89adceebfdc9967a6fd58683dcff7d0

SHA256
869e38c146e3b28d8f86c5b5301aff1dc3e6f27f7a4a262fb17ca303284739ac

SHA512
cca11c275b4cae8772871bf72db379f102e892c1359b968a9ba33925e8a9d6dffab867bd024a6d4f419eba3ed4f36bd4dfc8848bfa3743b785828752c196640d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
458450f0a43bbd795b6a6e7bf3408cd7

SHA1
0633164bb2435326a0ce52b2861f454f9b1e4f98

SHA256
49d14a5ba66ea0b3d4b72bdfb05efce5bf68c93df88ae244329f85bdc387bd30

SHA512
cadb3c1d93c822ffc7a48b17d8f0e1b8228bff4fce1518c44c20a01a8bb57169b58d5f178c250309e86d4a5f1c88a439539a753dda0afcf5a17f0eaada23c42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar567F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit