f671a079f5f6ba764c5aa771b4c0bdfee1941aebe005eec073cb980893912c88

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$STARTMENU/Ա.lnk
Size

1KB
MD5

62d588bdb74e4e2e5d1689fa9272ce39
SHA1

9d0db515d8f65e57353381d707060f7343a74da7
SHA256

248402dd02a096f9721d61fe867fac5cacf4dc9001fa2aa6a50a59f7405606ef
SHA512

cbb47f7e4227177ad39a1c914e00e0ca13209fe0839d13819299ad203572b69026c541d71c5101e4cdddbcf7786c6adf339af3e4b0aab65cb188614f646a893e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000005256d61f990aad468f513a2a5afb26d65a8db09c039de8cb95fe65d4ab6bb0dd000000000e80000000020000200000006aa9c44281db44fd7354774425aa3fea971b1ee0e5e0ad3b319c5fe083311f4f200000007638082431415729eacc39646471afe28fa03a0d50f53a20b36ef6ce9373e4a940000000e04d571d2b8dc5a8ddecc787f90751f9a9462ab0b051534920a5b6c924feea02b27f0721c4ccb9130a86b32705a5c15327266b7fea7aaff4b85df45cde6998ee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000f7b7ce0c673b2fb5c3fafd776ebeff8b1e83f238278d5408cb49e8cb013bb6b5000000000e8000000002000020000000fbe42703c15f9a1acf446a5ee86465a736ffab71c1f8ca30081b9bc29a7b9a979000000057aec6ef8aeddbda23280479c9c4a0a1da23e4bae2a5277091f43d9ab8a4941ec778503e2914a8f87e03c9e7b0ca69146f3dfd388e4d6e13fad2763877dd8938a9bbf73567879990c414ade9c738fe65f37a44d8c6c20f25d4fea0e632abe56cf398941ae819325e512c6223f83a900c38e7216cfff3a52c1257518256ece4c9fe1880912fe694b7c9ff0ea88a2488694000000086272aa40e1bcb321a3506ffc5e8c7a20e3f4bae6faa0e57a72fd816cf0f14ada61989a08740623529b3933d806edb0678c8b26ffaa56d191c9c33da6d1d2fe6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18BE09B1-E143-11EE-9A09-E25BC60B6402} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e08bb4065075da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416500750"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2104	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2104	iexplore.exe
2104	iexplore.exe
936	IEXPLORE.EXE
936	IEXPLORE.EXE
936	IEXPLORE.EXE
936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2104	2660	cmd.exe	29
PID 2660 wrote to memory of 2104	2660	cmd.exe	29
PID 2660 wrote to memory of 2104	2660	cmd.exe	29
PID 2104 wrote to memory of 936	2104	iexplore.exe	30
PID 2104 wrote to memory of 936	2104	iexplore.exe	30
PID 2104 wrote to memory of 936	2104	iexplore.exe	30
PID 2104 wrote to memory of 936	2104	iexplore.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$STARTMENU\Ա.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.mai520.com/?taobao
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d27686a4795640cc38b674957ce0f3f

SHA1
a054bfcccdf67f99b0c2be83e67334f00b10c803

SHA256
cad9e4873db69210114c3d9d088485a12e101212c139052696b93e213b3f9787

SHA512
89e2b1def6d94c5f9612ac4f5ba9372d72e9bedccfd53d3db435e4536f7bff477f722068c404c7c618d724a12523b9919076768e786bddcd653d826a5591f812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16306d402b7d9a845ea66bd4186be8d5

SHA1
18bd2445f88319b5b26fd7d2b964aece8aae3fdf

SHA256
e82cd30e5d85577bdc8619c2f907a13ad55daa9b5a110612dd536cc610f2a5df

SHA512
7933fa8223de7da1c87086943635acbe54ed7f832aeb0c0cae0166870e31de93665541311d41f97935fe9cf4c8d9d8d670795711ad2ba4281f30461ba7778f9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6346110484b8c390021e8aaf0f878e4

SHA1
928fd438b78f7985a20466d1612f36414a6c0201

SHA256
21501823a9c88bb21a78616187c06f3cd04cdf0984cf5503233143ac1ffd8b12

SHA512
d5d5376c80f9dab3840cd85a142ba04812f15213a5f496dff547288dfe2a5c5bf1a5cfe3dbe303a77b5e3b1afb80a4ea8cc162d8b457524b20a8c4bf197559e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b520c84c3a5995653b4fdcb4eff46e7

SHA1
145032667379b4aa4157cbee5248db2d56c956f6

SHA256
77149e56771c09583e16cc77b3e521acd76208032aa3fa0ebcea55bef158265d

SHA512
b21bd2e11396f2ea56847fb0e071d5f33719e8d52b78bc8687e065c0c5b72ce4ef55c38775263b4773125b263322dc276cf1f4b19eb866d782a70ed858e3ebda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb1e4ec598086efdc7fabf2127b10cca

SHA1
4ed2244a6555c4307e9ea566ebfbb2fba5a518f7

SHA256
c9e766b689679c97eb25c5ff43c35dbb9cec5bd406c9e404919ffaaa37917290

SHA512
b95051cb0b59cd75489676f169a66303689054c2aa212232ff0618f290ea4461508a0c7a4859893608f661c6d948240b5d8b7d93529dd1ec766207646a345210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9ba1cbb67153fb047ae79ff559409d5

SHA1
3ae63cc9336f2b3d83e5d7fa3d09ecb36ee87214

SHA256
6614b45948498d5f65aecb8e06d5b5ccef0bb4b4b48dc1b6d2ab1a7d57680806

SHA512
701066fbb52a1306e95dac944cd7124de524800b28227f98d50bfe41bb8c65e849ad0e75d71f80ac33013f4638b707bdee036cc090ff58a6fdce114b3896ff5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d7016f546c3a9ff5ebb57c187e5a22d

SHA1
49be80322339a83ae291a40aae72f29f54379d04

SHA256
a4886a81d2ebe4e53bc6872f59f3728581243098f544b6f359f786726b6cc279

SHA512
6e9c766d6c628067d0e951983761753577d46feb406a66f814e93e31bac50f75343f56f8ecdf9628911352b240cfac08377026ccbf0feb2d107fd287b11f539a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9a7c5171931727320b0074cbb9c56d2

SHA1
287958d1893dfc0983f4871d5ee52403bbd12b83

SHA256
e0930ed99c38a0a26a4b711c351614b9df7db6188c487e0689b02ba8d0290f1f

SHA512
0a1c540ce21b7f3a9308a5b80dcd31190f23bbe13bff8a9cc5ed0ca3baaee83906b7d0b7e62e1df41414c3fe2120c4d931ea473b497266cba4025611ce21df90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c252ee7c79e45e98cc1083d729f047c8

SHA1
fac6a8acfd3437fe12bf5e88aaecf0aaef17c8f5

SHA256
9bccc1b9f36f7273a7c52d71e4f5c477125a3bc96790d43dcda79284119e780b

SHA512
08c5ad21a76e5dfd59e2fc52b8331da93a56643044289d9d48c665d24248aa90799e708c9acd4a9bf93a333b5f79a7451a51e7f7653255dda67fdcd9f0ea4a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da9ef8e6105360a3888e3a7b14228eaf

SHA1
7eafe323cf45baa2e2264f193e8141b0818061a6

SHA256
3e420c2f6e4888ef9ff391b8f9c276a39e2be36f23402e3bbc0c3ff2edad9576

SHA512
3ed2f1d28e6c3a39a81c10e66fd09f75113e95f1d9caaaa7360437cf96ea2046a8960719f524a66b8ab29f6233b4f25229871134694297e8211b91633ee5a31e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76b4d86abbb041a60db1095e9720fe00

SHA1
4086c1e23977f15c57bd826e1862efde7cade0fa

SHA256
83210c0023370aae1cb444202568e277fd50ecdd3dd83c5a32e78ebccf01bf4b

SHA512
3468971139fc4341cfb45284a5ae5fe3d494ba8645edd98a564e4a956264a84b196ee441a0efeafb7b74a8771d0221c5f40b3b841fc96b11256a45999ba1cb95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
478aa6e45beb1c55aeb8c06fc7997372

SHA1
46abd0d6290d4b80cfbf071368e7e037c227e869

SHA256
a0da50d656fcdd8e5ce336e1adf2115428e61cd04a77f1e4c2299ca6ea99dfb2

SHA512
40beba664fc1d6ce867084c838880050d5c95e81869eff5783f3bc307624dd2bfc1bec21c0a8f5100144023d2d288a3053b466f8fb8f409b4543a41c038fad5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
145bb182bf371b8f35ecffad1fdeee23

SHA1
a38530c7106aead2a66e0e41d3c41b2390b1f66e

SHA256
6fa3847c6969d75dddbf80eb7ce1722c78af62309032eed8806c72f5ccbfff4d

SHA512
0ae83b254d041eecc7bf32c2ea0112d99801171d32babbb2cfd897439ed76dc001df67c726b0a4853b6f1ce993f59b30ac1f5b847bad9bdacd01b2e0a593a0ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c2033814030a6638912a12248577dee

SHA1
b483ab13678f44188273a78e84fc9ccd2e7fd45c

SHA256
e328e3f547d9fbc49b4d12b444845b7754489b8557537667f9a66f98279bb25c

SHA512
36711fd640be8e88d8b02ad7434848ef33007951f35591f6245a916d6b697abbe35c87fe646c8081d052918d534a03539eba2c9124b4cb190835a7e5e1a34280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c45ee35d95d8a824a548790112efdd5

SHA1
a3551017367014b4a00bbb80b357776ebb571e60

SHA256
e4712293204a9d1667fb3b1abf12af90a4a7b05fdfe801464a43a998b485a14a

SHA512
e23cae30fa77ffa964d67fe56083a4e5632146618be341e616cc868d593bee985d0a539b5655e4173600dbc6e1cc47ae6710422411a648ae530d54452bdcff7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1ad303da104cc42e360a557660f5024

SHA1
632ce7d802e117f3e9afb373d0ec54d5326d785a

SHA256
73effd1f05c780677f2ef6291751141f9d252b408513124ee3c23c26bbb8b294

SHA512
8b65af169c14aa2519efef419aa6fe472b8e7c425e584886eaf8dda688bc63269398d47384b6d460955a381abdbea9a0eb3bf3772dddcaa763a18d715a09c0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4AC9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DCC.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit