e197583514fa600f24a3b88cf6b24102c5c09dc39bad6ac9626bd55f23ff9def

Analysis

max time kernel
121s
max time network
140s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lua/http/dialogs/mosaic_window.html
Size

4KB
MD5

fbd60881ff01355e0acf55ae6ec77580
SHA1

2b9b99f754bd7b85789a3ad6d3e4965c59093627
SHA256

e474ca66e17ecad86fdecd0ff4db1eff7eee70083c2cb30498f81bce71d03e18
SHA512

1ddfeed4b0530b9c8606b6d0e53d656ed19213afac2d16d13d8bd9bf159e6883fc2ea943d5c5044579a51b11c98b6854ceca8c6e44796c5c511ca83250f60cf0
SSDEEP

96:9ODRbniQxE7XrCubCMJrhfrHlUdBrDjdjosn:9ckYaXruMLblSBrD5josn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000029d3002a53b7a296971c92b32b89a3e3f0334bda35f835f11c031b70e3054a12000000000e80000000020000200000002e2d8f13b76d4a2a0203daf87ae39f557179f98ba201944036b4b40a37325b48900000001d55de4f61667479a603ab5eafdfc75d1e4901007f8d3273ab95dec4e3a892d9baf97feab3bc638a0c06615d5ce5898359b7edf7acf9cb22eb818ccf2527e9f0c77ad836f76d2b1e709fde2040dfc1861df26403f92cddc99176dcd40a0121dfa025421fbc54c61ac4a7e598fa681c3623ba96823c13ae5dd0ba82ef84bb51a92287015576f99904765b14228ae27d8140000000fecd15fd20a8adc1f88597f2e1261a4f5556ac4cf7e8c362c00b02565351677a59ab486f3c3b5bef811284e38e69b8638bc5c76145e549e1becfe291280b6874	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c6000000000200000000001066000000010000200000007f4da32efa8e2af0d8de0b0e7b44eb7ee60c0cec76e0857c460b5aab2ee0e8cd000000000e800000000200002000000011c6d783fce4b2278af19a4d3985b69ba57f4e003e4b68456567d9467a102e77200000001f637a4d0c8bde01e8ca42dcb827fbaaa0e47a28342ae87c7b17b96eef8e190c40000000ab8f25f4fd2ddd6d45cb8548214271138de6c84b0b74e863f13aac8ef20b0f8c1f7410a380d0d10574284aba2e53e898a663cb5235db4e62d6412f22300e5d63	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC3B0DD1-E0AF-11EE-B411-768C8F534424} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0072d280bc74da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416437432"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
768	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2240	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2240	iexplore.exe
2240	iexplore.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE
768	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 768	2240	iexplore.exe	28
PID 2240 wrote to memory of 768	2240	iexplore.exe	28
PID 2240 wrote to memory of 768	2240	iexplore.exe	28
PID 2240 wrote to memory of 768	2240	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\lua\http\dialogs\mosaic_window.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca08f894306bfa71ff6453f3041c841b

SHA1
a1ed7b5d4d4fdc0c3b9b572d3f779cc8172195d3

SHA256
7d9516d251d5def0fd0b2a06057a717111d05f9393bc31ce626daaacd6e77caa

SHA512
a01e8db84b3f96bdb3068d2040b881d0ce4c28d91971cf9c47064acf81dface8afcef83496fc959ec30a8fbb91befd3ae666cbb3f2c708a40656845860c56fc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46184665b4089b7ecd02cd7c15449240

SHA1
2a7fe31ef517921fd9f7cef537c38b12508bdf29

SHA256
727a033cb4e469b076f5be842af77a068d393fb9a493a05e8179117ae4770fea

SHA512
b9c29e7151c0e6fe4c560299f63a5966163f1d7d30575bd8542dadac0a19ab14f31a6f610b0ab31baec8cd6595473bb4940880b5941639dee39cf63018fb51c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16e46def78b88d23f713e3a0a5548a06

SHA1
c4187816b7012d3dfacdddf7af3f0191b076aca2

SHA256
4a5a255790913d8c79137afdbb3426da61a78bd87a86f91b56489ffeac83d519

SHA512
cec0499ce1667c5a9e984337e6508b78ac3aacd4624ed03b364ce38a1bbb4bf71f4db92d0d716eecdbad477a0a09e4d0e3985e80dc6981a72522fb176d4d9629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50e3bc8e87459e9f99210dfccdf25e83

SHA1
f6ffb7c4bcf9cd982fbcd9f096f658652aec17af

SHA256
8372ac29eba3352272bd3335da8ef9268fac72fde12ea3d2ac16dc4dc5517547

SHA512
d7508766b25267077e4833897f24a0e417cfb9cbd3fa0be6ad5902917ffe19be5e5ac05c25d59d1e409293f7ecf1aa5a5d89bfdab3079eac7b80c39de933e6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97af98f4f6ffa8fbd9609b26c558fa64

SHA1
51f8364ae545aa6f98edc49ebb7e08b30441fbf4

SHA256
601289ba280ecb48de036774b1737f99fab5b76c3131059b8f1b6e1aa5a99887

SHA512
badd99a7b0ee109f936c0a6bb535254e8f08e9240641985db98a1c96064ba3030606688b5325c53e55a434302e4c6b049cc97758b1c7d6742cdc74164f4f6798

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a24569224d55964dfd6802797a7b9293

SHA1
a722d971b53d0281e6dea6012cae52bb1fa3478f

SHA256
26d2930080fe5e97ef1efc66577da07c511da04558d46d0031974c798f98f704

SHA512
be99edf74f50c456a813c13c3951d5c903fbdd02ed5ffa0a6448c4887acbcf974582d14a054ec1aa59598ea010a971956129e7349bfa26d24bf6717b86e62c93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09c5af6929b4fe95b3b3f8c2d2bc9f3a

SHA1
d058a3b9d5b670c6bc1dbcb52d45eaad369d5b71

SHA256
356f1d5e090bfc415ccf0745a991887c2861fa39272640e506a24a169bcace01

SHA512
850e2b4f55c848158a35575d7f924c4266b19468ad0c4674cee244a90dce07701f73f2360982f79d2b05ae3bf9228d3bbce0005cf94885b1de84e21b722b42c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d69f8b9d94f8a1ad6d2d4912115eda3

SHA1
f0b353bd8d03a6c933e936fb59f001f2fde3af0b

SHA256
20670191a8de291f2d52ed26bf4a85c8086334b6792f8f67c55631b6bf12a6f3

SHA512
689734f9f6e8d6fa6c6bc82ec4373111441382945bb02577e90ec8afca8ada34f9e9cc69e8158a7ac22c114bfdcbe3473501d4f40b41a3e2a7569607ad0674d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c5c7b0260eb20a8355cdcef0d700eb4

SHA1
59cd83b970b6f6a6003a135853bdc1030b088bfe

SHA256
2c7a7d49f701c24f481ef7150b66a80ddf2a90eac9c6dadadbca5b2653fadd9e

SHA512
8afe4fe751f9878b28f0a3b88ca4d63aa62031dccb5b0ab31778264b672b03492a9c47450967709979b0c1845ec5c4f45f317fe735d22dd4cd56355393e69e5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12b5201ce88645b5130c4e0d78db48d0

SHA1
656c762d9e000d0a4f2498c396684018a2b54ef1

SHA256
75bc1848daba3541b3d45b1c696d71cc10bb8be0f4caa62739b15ea079b82ce3

SHA512
2afc37e96d18fc899e9333e7e80dac810753d43c087e0cfc7ea971738d8839f39bfef370db1c2a6728481a85d17ac6fbf86b68bd3588d1ee4b9a6e4e50a7e110

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eef224d15c5886f12d196ce37a131cdb

SHA1
82d8fb1677baabde697c1d3fd1763a04cd026159

SHA256
dce3dfe0f1825c7c5ea9efed7747031ed19edb8cc07dffdd9ebb785dca527c4b

SHA512
935e2d0f31a9b5e959540bdee855f39ebdae2a7a691e5a27cd5971a1169d42c9e45c052b11d7c379741a44e8e348fdb4fe3a8d11332a1c6dab5c36d6c47b97c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17a870038bee410f1bb078e930e6ab40

SHA1
abce684491454ccc08c9da741ff4aa1ed3803842

SHA256
d4c11f6c6bb15cd7ef3cf6a14e559a0867f47fd5ab239bc7fc796b27f3aa3fe6

SHA512
3598d02f56fa3d221159385dc23ef3f76766b98088f026054faddcf3426c9a5d4c75760dd7e1ff90305da23123b8177b0cf7baf389626b660d8e5dd31ad6582a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
291ece5258b0c7aee5adab76713d7848

SHA1
75fd0f5b8540f6ce4b6ea0bf246cae7fcb96399c

SHA256
1e15fd49a82ca7aacd13de3cdf08af444735965a74108da5605bdb4777439b29

SHA512
55ec6c047310de2bf9ae1ba401a51a5f96d74b7cc6282a75366ae738f06e02b93d57111f1ca6b27429f01f3086eebec9652842bd0f84ed11968810ef300b7b98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44bfd4f1dfb0bee26ada0ae5b4ea15f5

SHA1
7cc2328e33a75b1096b1a6008ec4c0cd5456034f

SHA256
6c41a3ca16cae09f12043078671d593b63c08919a6314cc7fe33b3d979f14daa

SHA512
1057aac885a2621e0dc5b17571a7bf9c52a84fc655c6d869fa0785d5632a747d6f11587c682e8a2b19c8a9828789af7cdac1378754dc732e201f5f0725ef6005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
881f767027a24399ae3f29b4f9b60455

SHA1
0de670e7337d77d85bbb5a6c0fb15509ed3f43b8

SHA256
eb5540f172cb3bc9b00df02e342b1c088f881bc5111fa296e94046c0956e449c

SHA512
51753a99e9fa5f521033f7b99afa14426170b32578a639ad32cff1722037667edf7f46516d51d3502390f0fe7494427f8cdc5e51378453c00c8ea95cb7ef19e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab37B4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4484.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44A8.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit