57eb96364f74cb20a33552d768c13e0453487d0c96d2acab89171942aa0fd767

Analysis

max time kernel
138s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xiaof_toupiao/log/index.html
Size

132B
MD5

3f12ace2ae56bce9e8fd32dd80046e45
SHA1

4a50a0a702f2bc7b41ab9f066ca0a6fc43408fb4
SHA256

3a4910e3ed247925e4fb84f312ad1e1ec0a2e45196e75f13c59138ef6f11ade3
SHA512

654483399c2d263cbd6020b5ca73aa2e73d78e310fcb0b5abe21cadddfe5922af88e97f6743c9c4ce5d2f6e7a0e5344c0b94fa0019f5fe8c55aa09861439ffaf

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70C92C01-E5F0-11EE-A304-E60682B688C9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f05945fd79da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a96069000000000200000000001066000000010000200000002307e0c3920ae28f8b3cf2a2c4f869aa8f60a8aa29f23d4ee5b9a556ac2a1f1f000000000e8000000002000020000000380fe451c43fff2ff99eaa0375208b096e22cea15ee55167d2dd08a69c8a5d5490000000841d18ba3b90eec2d1d7b002b21e040adb1df2347e6d5e20e791fab8189ac72c4938e39b94e26e067146023bbf87fcf8cb440bb38c704421e7a3a5b8441799b5f99a200b23b54201c30d0fd1da106afe7db9de3947436a10906b3cdbd60988549a939d4a33e13852e9096d35cf86e44b5e3c01689b020edcf49ae97791bc852371cf5bd3aac344eb2897bb5c0f7e3d99400000002c8d7cf1175d6d3721d7d5d34001a56f9749169a8a7c6e24ce03b173a60189a719db65feeda275229578f39237349ddd8e3f7988964885c477f29e865a541d42	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417015006"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000ea59bd41d927937c7d263900d2dc884169989db5cee36db868e1030b94dcb8bd000000000e80000000020000200000002749930317ec1ccdd8a782caa519966d65a29948ef8e1570c9ff313455a3761d20000000ec532d2e98eaa9cad1f13cf98c0a6106f778283810d6cdefb99d34949106a2544000000061cfe3aec3f9205d6792d07fbc9decd4467eec197408940d3b763526a0da400f48e52cb82fd4b7b4a4d4d3ebfa36a50284e8360d8149801b017e93d731683e1c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2324 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2324 iexplore.exe
2324 iexplore.exe
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE
1700 IEXPLORE.EXE

pid	process
2324	iexplore.exe

pid	process
2324	iexplore.exe
2324	iexplore.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2324 wrote to memory of 1700	2324	iexplore.exe	IEXPLORE.EXE
PID 2324 wrote to memory of 1700	2324	iexplore.exe	IEXPLORE.EXE
PID 2324 wrote to memory of 1700	2324	iexplore.exe	IEXPLORE.EXE
PID 2324 wrote to memory of 1700	2324	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\xiaof_toupiao\log\index.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a16cbee47b2a7889bfc55e439f98e8e4

SHA1
8d381f8994cafc30c46a7ab56e892be0e1229412

SHA256
698240968d0efa502c8e4ae46ae90a85b3a04ef10eeda6dbf1cb82d6a906157d

SHA512
6bd496fdf636a3be24fce1551229452fa271568fefd21fec35c28cffaefc08bc983e41953be35b20b03a923fe137b63171c2f41614ac69bdcc8244c1cf22020d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
00b601503f6f0c203bf5996cf13795de

SHA1
8076de15316d26e97b19b089facc58780cbf23a8

SHA256
39d6b52bdf336c7b7ef119131abc4a541e1b8bbccbb6a7bbd8a01d8b78dad234

SHA512
5716ac28ddfd633c69ad8cc354eb1665bad5173f432e1f9ab4dcc5cb42c8e419fb525de433d7f5e91ffd7494a7adfa639f4b9c30543d27394b758830940abf7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
955098b7854c46349ce53929a7e8deb3

SHA1
4e5ef61ae7b9ca4abe0217ab832f2297253242b5

SHA256
c799a3c3c1864aa8a3bebbb7c7bcff8fbfd27ca93227daa0715867deadad070e

SHA512
c0513e8b1a9fe148fc6a6668586315c1ca82d523bccefb18ab66cfcd1eece06ada89a1beb09151b4ffe9f9b9cea113816e36ca00f269eb95dfacd502fc6ab97d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
912b7978ad8d13188278d417a832515c

SHA1
964fb2711d4edaeb51bffc2847171505a59fe3b0

SHA256
1516b0547e77cc1b3ddffaa42f393fc0e88d23da66ff77f07f10d120572aad12

SHA512
e48f48f914568d05127821cbe8c01142e2fbdae4919c1b4b18446f62e173f06ffd061ab104ba72498f49b826b369e9938b17ac14baf788fce22c645376ea7ef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a29faaf02308ae3543328d92cb4dfa79

SHA1
0afb84e95e3bbd89a3c6355bca750daa553a3a51

SHA256
daf99b4ea4c938e709b9d5b07525b980517123f18c88b73bac7fbf3c319d9d2c

SHA512
6d563c8236000b9e583e5230bef86732f1f8059f931731289bf0be18b009a926f5f2695fa3edc43befab29bd271996eded79c6f3576bf2859892ae07e5478ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3abcc31f6132710720b5a3d08bc6a1d0

SHA1
cc7f73e273f5286e90d9786b896ea7fcc8e11cb3

SHA256
2917c7b73ed173e53f50e1969585b7a05732b2ec409ec965c7b238bb05db099b

SHA512
f6266f38a94508699bb83640948e56015d544bc3f7d77f96c0dab89289bc96c54acf5c0b07ddf0d62e68707b340a0c494e3fe02786eb9de8413d4f73deb7c84d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
23341791fdbaf17fd3c018f4a9618c11

SHA1
4efeb1cc0446d8c2d11786a511376cf12d796ea9

SHA256
df85573cd0c782a229d0f13faf78d6bbc8efffc6ff6498b22f5f8d31e813e7b1

SHA512
f117b2518e5172e2442bced0135268e2408aa5813a915edabd28be35e7079c90370a1918c0fb1fe23ec67cdca56bd9255ad774b84adb27306d2b0667e3e37288

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ec0666cbc62e29f993666e2cdf27e9b6

SHA1
a8b929e708db5c43bd881987d5cf8a69aa612626

SHA256
4f9c8560660b685eaf9a40d62c0e2f0657001c0c97f91dd39ca3234b0025e5f4

SHA512
02f1e0112a303c9b5f4cdcd74b06853301160bb4af5b6f7115da5aa1503e491df877e3d277ad00095f84614020bf27f2d045b0fced78b7a22b040a4e621e5252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
896d84e93e4c16c192304c0c0c2d1054

SHA1
8cf1c97f9cab335429b6df1175847d2ca8d6dbd8

SHA256
ec1e365b8086dfcde08e07ec0698e51d859c30384bedb7ba4709eded6c1b89f7

SHA512
00bc731f0dedb9df0b0388df4aa4719eb4b8af521b1aaefd84210f8ec070e8ca1ba8107c3c96c6c913b63fb534e59eec0b054eecddfec569bf7bec02c451a08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3303.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40C2.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit