b2bd92702fe96c6b5eba92e7b96bc9a65c569b6a9d62383f58da31eb94ad6a7a

Analysis

max time kernel
120s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 01:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

index2.html
Size

1KB
MD5

c1cb85e06dd5dbe543a471ce0a19d567
SHA1

09ccaaae29a7adc9213ddf7d90c098a37ba85a54
SHA256

fdb664023f1f4a190518c6b8e240d09b4f2d3b13596819a879721577a5a3ce37
SHA512

97292372575815a2e3ec7a3ef4aa92f31cfbfc1c85e7a67fe1ece2e278e261ae976fd52ed8fe7d93d868d075b08da14d1447b4c56a4dd795387ef6c8628b3cbc

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x0005000000019302-32.dat	acprotect

Loads dropped DLL 7 IoCs

pid	Process
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0005000000019302-32.dat	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\DownloaderActiveX.INF	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET6B12.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET6B12.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\DownloaderActiveX.ocx	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET6BBF.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET6BBF.tmp	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af60000000002000000000010660000000100002000000009ce58e2b5cd3f092832698550baf57081347240cefb1bc738d95ab0ff7a7c0b000000000e8000000002000020000000170d1c86668b22aba06440f52e97af73ecd91442626c76d6d898f46da707a9e890000000a80959ac4cfddbd4652c6df278f203739afe6c415031d86e44d128f5c50fb8a59130873b6e30ccea00efffe675f1337661670b3334187684f38c16b0f1dfd7ee81bfd71fb7559e210ba41d10daa7d1a17022cf6cb9c12817c3159908338857dd7bac44b288f29e7170ec68e887d173a873a53e56be91b04936caf37a65ac0765bf744a3109c23d7638597e031ebe09bc400000000c6113199d093e91876d93ad1baeadcb08ae82b3c2c59ed3704f507c30ff2b1561dd846330b15d0b410c0a65833f86e10150bab9b5fe40398acc32dd0e2e7eda	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416972078"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af6000000000200000000001066000000010000200000002ece81bf68f6773cc57a65c7313080b3d44827adb00e2bc16d6488b945293a53000000000e8000000002000020000000b31ef16ff4bad760fc00a32c23c3abfcd71501bfd37090717eb12bc52e23473e2000000061a3ca18f83d0fbec1980d934af05757e4d0eeb79daf944daf71947b808398d640000000c78696cc56d139ff594601157a428735f2bc5c2c60f820cd3e629bfa8c7ebd4474d9ea32bcb2ee6e023089e0e1eaa9cee64a1ca4a13f83ddc0dd9e8b8acbe335	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8037cf529979da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D0882E1-E58C-11EE-8768-EEF45767FDFF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\ = "_DDownloaderActiveXEvents"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\ProgID\ = "DOWNLOADERACTIVEX.DownloaderActiveXCtrl.1"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\TypeLib	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\0\win32\ = "C:\\Windows\\Downloaded Program Files\\DownloaderActiveX.ocx"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\TypeLib	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\Version	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\ = "_DDownloaderActiveX"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\InprocServer32	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\MiscStatus\1	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\FLAGS\ = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\ProgID	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWNLOADERACTIVEX.DownloaderActiveXCtrl.1\CLSID	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\MiscStatus	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1ACFFD6-514E-49DA-B4FF-30D02FEEED14}\ = "DownloaderActiveX Property Page"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\0	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\ProxyStubClsid32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\ = "DownloaderActiveX Control"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\ = "DownloaderActiveX ActiveX Control module"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\TypeLib\ = "{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\ProxyStubClsid32	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\ToolboxBitmap32	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\FLAGS	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\HELPDIR\ = "C:\\Windows\\Downloaded Program Files"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\Control\	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\InprocServer32\ThreadingModel = "Apartment"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\ProxyStubClsid32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\ = "_DDownloaderActiveXEvents"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\InprocServer32\ = "C:\\Windows\\DOWNLO~1\\DOWNLO~1.OCX"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\0\win32	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1ACFFD6-514E-49DA-B4FF-30D02FEEED14}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWNLOADERACTIVEX.DownloaderActiveXCtrl.1\CLSID\ = "{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\TypeLib\ = "{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\MiscStatus\1\ = "131473"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\Control	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\Version\ = "1.0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}\1.0\HELPDIR	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1ACFFD6-514E-49DA-B4FF-30D02FEEED14}\InprocServer32	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\MiscStatus\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\TypeLib\ = "{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\TypeLib\ = "{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\ = "_DDownloaderActiveX"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1ACFFD6-514E-49DA-B4FF-30D02FEEED14}\InprocServer32\ = "C:\\Windows\\DOWNLO~1\\DOWNLO~1.OCX"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWNLOADERACTIVEX.DownloaderActiveXCtrl.1\ = "DownloaderActiveX Control"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}\ToolboxBitmap32\ = "C:\\Windows\\DOWNLO~1\\DOWNLO~1.OCX, 1"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\TypeLib	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\TypeLib\ = "{4BB1C10E-D349-4C48-A979-1C0E4704A7C5}"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F74CB6C6-F83A-439F-AF93-8115376E587C}\TypeLib\Version = "1.0"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\TypeLib	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\TypeLib	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4355BF2-0E20-4F5D-916F-A4903A883A48}\ProxyStubClsid32	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2088	iexplore.exe
2088	iexplore.exe
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE
2124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2124	2088	iexplore.exe	28
PID 2088 wrote to memory of 2124	2088	iexplore.exe	28
PID 2088 wrote to memory of 2124	2088	iexplore.exe	28
PID 2088 wrote to memory of 2124	2088	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index2.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2088 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec8a4a7c6a45846a3d9aec2b705c1bfe

SHA1
ec51ac5876081811b097a3cf807c378e1dd42bec

SHA256
643550fc2cd11258d6732fd6ebb540d07f694b95876ffdf125a9e9d92499669e

SHA512
f2fd7218c9d1bb0eac1b13ed7a6ab0c698d31149f2287ce63e4dc316f4d4e3b8ffdbf630d1cd0feb20a94ae0ffafa076d775ccd02fe7aeb2f71fc325b43138c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0004f7ee20ab72ad97add757fd4784b

SHA1
269f810266184370ca1096eccc7535530060ee54

SHA256
5249d71a60e1ad1d8ca029598d7087d0f7f37d328e3ef8ef85c80ed4f5d545bd

SHA512
6be7a62f3773315b799c051fee69e197389e07177852ef03e4a8676b64563e9f61a4fa8ad8f8ab87b97e97797de54c9ad4c4d34306dc005c35fbf4e4fb7e36c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0a15c844c76df9d6e3a63d9b8f026f8

SHA1
a6ccc78a96b0a4e637e6abb833339e575087b272

SHA256
27894fef859a825c4babe199d19b235d06d00d41b033aa35c35f3118f8daa90a

SHA512
5d2855a9c22a06c9ee431dc04081717bd4cc002a187bfa08e86478f5154e397d2d2b0f3d4bba0609e456bbf57589c6bdd72fd69960af6a13cfd248dc93dea6ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f81bbee7e5a15f81d4e073a3c2636103

SHA1
17f96c5db4b4db7fcbe08022adc5e8fdf44e5a37

SHA256
dbadb012d290d8da365ab150bcb2e4c01bcf0cc00946b33c810ddd91b8273b6d

SHA512
a46c49efbc1f55f49221a4b79299003d9e1abeceb2f96eca9e842f6e78233e75e886ad3dba86dba50e24e3604b016e646d78d895060a1e8ae035db442dddd4b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae8b735564c0dcbd8ef8f3275e5d4afd

SHA1
946acd56ba0ac1b506584631073b06741c0ecfc4

SHA256
87c1e4576e3bb6543240d4f56119d839d777d9f434b02c27fe14d526e6a1b43a

SHA512
79b3de413c5c27c6479736fd8231271ddd51ab6a2e1509234ea3b6b3aaca826295a0a5886e3c120365a24729c429c32025eed1e3a7b43d032ff16aad0e78d59d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90d421ad889a8ef93d15c72ad6f00ea0

SHA1
ee105847f31c4eab5d09c57267ba36fd2632ca1a

SHA256
9cbaeebb4db58331a428f3721a8b3d09a36c82355237d021aaa50f4f54ee3733

SHA512
c3ad7bdb16945fd69521f064e614a05c329c19e2692074477232525254d705806d3f18ff673983b2dc2e8fba6e83f66ef715d2980247598710dda64ff691756a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85ee2127f1eb666c9abb8b039bad943e

SHA1
a35938a4f81d02c29a4595e864d4fdae2b43d78f

SHA256
b1e38b018b68fea85ce69ec3289dd36e1c777e7f04dcbcac181ddab01dcded46

SHA512
ed0edfa7ce1d571fcb511b279411cb35927fa15bc97cab83743ab14a0c4ac41fd31c891222be1f074458167c74f4f173b2b29a1817619984977ec01c88a46ed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1379ad156f978a602a1f0e70d73ea4ac

SHA1
a1f9684e9596a2fa896b4ce0bea5e51f2b4a8dcb

SHA256
eae6d2d69ad78b8e8092f600fdb744b59d981a905d83ff784bb50b0b35c6b0f1

SHA512
0c0de7218133aff9c31773103af74e6c84fe52284fcf6f0ee6f2bc4717a8689dddf211ba47b6831d271279de0cc4231b4c87265964b6849c754ed769c2958cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d23e42a030b8e7c0e22e82476a52978

SHA1
69340341255419c6f47bd9149eb167daeeed7ae5

SHA256
628a9d58a9e2508ee0d8fbb259a453b53eed0c1b229f180b3e2bda5acc02c088

SHA512
da5e406d11032832b916297ddd2084da3bce5cc1d11e7c436fea0a2ad00b0043a11022a944a825f3edde2ca40abcb9404120b11be24a12a2b83ba1480b58da1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50eecfcd9eab94f6ce4324a29a04a253

SHA1
485efa65610bd7d70cbab0a00d48825bdccf6012

SHA256
0422df01332be2fa11e3c1d007566b1c40eb95c3bcc7b9a86f747647add51f94

SHA512
c44aa0492b8c329abf9bdf56405e0994ab9a4c114a38fe8c01b895dceb39ec2f21b460c7d61d23c75d642e18743488dc4ac8a6221347a8e156c1f96910d3256e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
71f05468909a6a6118478ab0edb1d541

SHA1
e299cb0323bf4453bce64b26012e6e43be0918c8

SHA256
fa8bb950b5813af0a3264584511730dee43844fc267a2c5d92581ab5b06291f6

SHA512
a0f2c5c00b92e881770b0a175a220d23ddb52040579f235ca91ddea9f3eabf9f353354ef13e46d9d44ef9140f42b9d0609a4185dfc105612ed9bfcb7d045ec24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73b57cc3ef7dd7e8ee9dc769e710a134

SHA1
6ecca1d3584b3b3d75e0e6c9ec9a5653a3623cc9

SHA256
6891634ef83c753ce686515f063eb18d3c49740bb92e215c6f5337aa95e8c96e

SHA512
e20bc8a6d304bc18e648e59c716f69c6cdbbd6037de631c6a73e9e4df7124e39d2207dac78274bc28e44376b44582ab685c619f46366bc784675bf6f0727afaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab823B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\DownloaderActiveX.INF

Filesize
274B

MD5
e75872263fc5341af578332f519548dd

SHA1
9a28de332515eb852f07dc8896020af700c0e804

SHA256
df1b6db59140e4cc40ee22f97ad8c6d562d49f589f5875855eec8d066a6286c4

SHA512
704f1db638c63852c481b9783bf5136e6d7d0e1f78ce43ece9abf1908599d4b469dd97933cd99698f93055534d7f470dd9f67de537426fc8ba3244a74a696aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\DownloaderActiveX.ocx

Filesize
79KB

MD5
e2b5926c917182788b6bb8f2cbbfc287

SHA1
121d15bee70dfb435e14f0b60fc6d97af314df8d

SHA256
0efa625aa3e66c7881e114eb4c2c7447080c0e508e3c7bb43d292a442fabe880

SHA512
6813d5bab2a134926f722ca9a33b803560e3cc295dd3a9bbecc433a620722263e94fd5bfa33d4c5ea106cd0bc61718e36d95aaae168bd910c8d7261dec6d53b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar824E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8476.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit