8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa

Analysis

max time kernel
48s
max time network
130s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe
Size

806KB
MD5

0076b163babeb1e8aa6b258c7e1a181f
SHA1

0b00ecf90d11029103bb89b5203d424b9aaab5d6
SHA256

8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa
SHA512

bcd43926c86f3a71b2159a1879dc768f8645c2ad9d95e075d218f1914424ba87fb74688d2376efb9f1b1acf76e59409223684caea9d185fbdf98ca34619a5682
SSDEEP

12288:EIJf7dcTDvOMf7TgzVddzdhxFE6nBuWsrv2GMgbEIcOuw/vRd4SVXXxNDhaUs2bQ:EIJfvMfaZFECIcOlnpvDzs2bsT7h

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wxlog\XiconShell_2024_03_08.log	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{509C2D61-DD76-11EE-AF55-CE46FB5C4681} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe
1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe
1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe
1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2928	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2928	iexplore.exe
2928	iexplore.exe
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2928	1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe	28
PID 1772 wrote to memory of 2928	1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe	28
PID 1772 wrote to memory of 2928	1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe	28
PID 1772 wrote to memory of 2928	1772	8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe	28
PID 2928 wrote to memory of 2596	2928	iexplore.exe	29
PID 2928 wrote to memory of 2596	2928	iexplore.exe	29
PID 2928 wrote to memory of 2596	2928	iexplore.exe	29
PID 2928 wrote to memory of 2596	2928	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe
"C:\Users\Admin\AppData\Local\Temp\8f11ac4dfae8b2a405166dcab53ae4ab1da9d279b163ff4109d17f9a7cf0befa.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://kedou8.com/voice-server-js/index/playmate?filterType=ALL&careerId=10008&sign=swp_zmtb_9902
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c2717d6a97c7e1ebe0268042a9e80a9

SHA1
591f1574b6093bd60c93e2aed6081c4b83fe04d4

SHA256
cd4a25d0a65215a51873eb5522c3b6546b62e65545b78995b47b5da6a5a6f7cf

SHA512
8fb9c4a7cebdd57471501e1508c65ff0bc0358481acf4e64f6c086d42fe2cb79015a3ffa40d7dc485c5cf1197018792c63b66782c6389112236fa05190201a1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a3b261a88c29f993842242f58f15e2b

SHA1
4f682d293fb49512c1d199c696930114381a663d

SHA256
b07ab2125a49e9276fee20d785aad39c4f4e6c79e62f299abdef10a7a96d14d4

SHA512
3249331ae858d24961450986c3c24b52dcad6559580871ed9c3bb99fd3fae39aa7ee3210ef343e03e2fb854202330d510d58dee9d5bd34027b180799708298f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bea0cbd10f6614451502a8b3bf08422

SHA1
a6082f1e16de7ef11f00326196a489822f4cdeeb

SHA256
ea8b8667496e79b622dc2508a597795b9887cffc632c43a73fb1efe185d62ad0

SHA512
1d9c7d1ef6993c7c3084bfb87a5fd4ab715c9e44fc6626d9cabc0d09a087ed1904469f3a2eef18e662c5e697960000996f31296e4173a0fa3fcff6a90ecda2af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b4eb2b0436bbb3cd974ee885b53dabf

SHA1
8a9c92c5d7aab05d7d7fdec1d2c1fef6a5e66fa1

SHA256
f6e2085c26d98eae03d790c0f537a88e461dfbedc21a7b64aa0d8401038c89b8

SHA512
504250a4b3f92b608226ffa1c4fe215a28143efe29610b5fb144e6f35499e8ae3bf6e344193893a8f8e3119c0f9aaf0363ef1b287fc2c809a017acc5acf20ae3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c72fea879265ce8119e37e4f98dd42c

SHA1
33c6e2b91d98c2aef4de5a12ee76e78a1c428797

SHA256
23ae334431ac66ec408a887969e721d2dea9e92734f259b2622e53f207f4db8d

SHA512
16c52b0a68a06492666e2636571c41d25ffbcb129913c38d2bdb1561f1b6a7810da0a55024428dbdf1ea83267a532e29d8c4e20eb6baa5ef9b1e1c1a8a73aba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1807f20baf17b1bfc96f57c9822629e

SHA1
f5fa061357e4136b2d65f3bc43c44eab69127cd3

SHA256
ac6e17e6d7922ae861164cc1ed204d0709be85bf7acda29ec72aec8fdb7f592a

SHA512
a124a2073a8d49c7f94a2e8303831e992c3daf065cd848da112db6d424fc1d41e44b5de6b017a549e12ac55dd49d7a599b4b1286e92d640882f3dd9a080b196c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
122fb3298c513a6a20c21a3850c54e03

SHA1
a4415687d6f0ae29636108f5669b5a24cb893cfd

SHA256
5e8e06f68fb11cd18b946ba7b4321a8ce68b2306743842ec2e7032e51bed50a6

SHA512
6f211a84b31123ae282d0d103ed81edb3f6c775c4d2bd163f203c9a59ea0d7733114ae42316def45fd472bd885989d9b31d8a70abda8fb3b26d9c826bd6a5f20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c33c324e230dae8937a2184e219abc42

SHA1
8ee6d5b1b96bb5dbf5ea25873659461c004b4d21

SHA256
fed442c39e1d6309030f03570b645f14a847453ce4808aa60f60b5ce021846fc

SHA512
b8a2c4f011f80b0c6e74699e5fa1642d3a86bda2ef0071d29b6dd0a1df9a002642fbe8946c7f2f78d4b6f4333686112bd1fb2c3347cae90ffa183c33cd40d4bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fcf7107f870ad8f9ab6e029a45fb09cc

SHA1
9f922e8743244ef83e703e7207007f5fb5fafee8

SHA256
c25f0866da7001a8f9abee510e8064334e5e837cd3b6bf70b6bfb2fe122c1cb2

SHA512
0114905f308332b4fc1c022f8e248c479e27a026c9daf093a9c36fb419e8654e5f415bb595e94b9c480a2be12aa3c53bebbd8318558fabfd15c31596f5f34881

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bca1d4f1a3b7cf5cded449c4d2db8c54

SHA1
5932cc9dbecbae0e7e4f7f87358a2d891ab479e7

SHA256
8f8db6fe59a431d3806d07f92ba009a576fbd19171b1d28cb10e64c978298ddc

SHA512
c1e6083dc0682ec346ea0a4fb0f2911dcfc899c1cf6137a217e204bd368e63b8bb0183bb820014e6aecd30ef0a212b6affa5891cb9a0463ccc90827041b54efa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3fd911a0dfe844141835d8d53218dedf

SHA1
30316e6d0dd2d2b18efc544a6b44a9c932f2dbe1

SHA256
12fcc63ca72ede8ac98c99f8cce78edf1425eaf093064cac3e2dab6d631a7e77

SHA512
4ac14add59d28a86ce12eb40adccbf1da84ac27c69d0a46a98669b0aea2dead748f4719c36f790cf7c761580d7e0c3fd27ed0b119dd5b25209b24eae43d4b0ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f73c9d15b63aacee00e129378ae6240c

SHA1
1f54eb4ae609e49b8fdbdca9f1cbe8b59657966f

SHA256
f8d818e92a7c6c5193285b7f85e177859088740fb14be2edb1e674ef3126b193

SHA512
042615b2791fabe970fd35f025c0225444f73b2693ac6a4afab63b15a2622e3b3981e7dafc3bc1886b413b9aec3ce534187f7bbe938f153ee009d4f43572346c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ef075374862b46d83987ea2fbfa210e

SHA1
4e2b996044fbe512179fb2c16bf7262f98700c5b

SHA256
4d8965c7d5837604b99c45b8555619a220deb5ca2431222bcd9368506a416f4e

SHA512
a6b6507e3081516c835e7c8ea9df2455204876d53ebc41e5f0285aaf351721dfd59ab6888e87161a716b7780e57a0cd6a8c3249e03759ef09563b66a1a32b4de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8983c6bf64425a039028c5481a9bb6d

SHA1
8a4ac31ca94de32e537f0cb167bcde3ea5973f87

SHA256
8eddad3b906a7deca7721cb99b2c69d75eeec9be541a9eb7d62cec9e2309b41c

SHA512
a2310342b65cf4747b381c8f6eea6964b5740a8a3f557cf71f6a15c13fd7faf60cc669069b25257921b4e245d7dc04615e54c986fe14834262a34d956c649962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa98c067361efcc0fe466ba49fa8e977

SHA1
f055a104dd75702125a6cb373519d121e3408faa

SHA256
3aa4ec2b5ba74a3e54ad7548078a14eb2f4ef3be82f88901f5c7e6dea17274b2

SHA512
b13bca7e28e9b0843c28ee5fd523a8dec484f5570cd248e363a720ead773e52184d5be65d7924b43778dd21ff6c95a92a731c74fad8d59b10e1c6bdaa5757718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d91912bfb9e92ef38e2814c3d818cb66

SHA1
c278065970cb65150fd76f9cffb3068dcdda43ac

SHA256
50ff1c3899b82486c3f8e62224ea51ab79fa8051945b8111aed8debc636b78c8

SHA512
5bd1248e4950abdd199a1045414ee363c60c1b6eb717d6b7ac13ec322fc291458254967610b562ead3205bfa56b79d50cf51d783a13e25c710f2f292907a0f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fb1f0dd7b4afa0638bc954f66c5d55c

SHA1
548a86e6c40bf9b7193da9c43b8c65fc6243fa48

SHA256
f29ac3a3975e9c1e02667aa9d3dcee22b80a0920a7948a308fc8b6505a2d495b

SHA512
b04a5e5dbd3fef3287fd92f9092a3542186696f48d7e8ae870d7db8957ef224c45e9413cfac62366ea4f14c1e7eb80ca7116b7bacf2f9360d04a1a75b700740f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a141620817bfc850c6fa770800db0c9

SHA1
eaab7f05de66c7d9be2e27c35f1892ade3b9f2db

SHA256
c167ae1eaa56b507981d9b7a42a619ff32ddca62df695e01fd6a15faef446980

SHA512
8a0c2be8828247dd61b309b7f890b23154d369244ec73fa35d7facabbde565a6d054647da2fb33a8569ac2b5f65c83da21e2cc391ef65abe6351122a5294e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCDDB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEFD.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit