57eb96364f74cb20a33552d768c13e0453487d0c96d2acab89171942aa0fd767

Analysis

max time kernel
143s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xiaof_toupiao/data/index.html
Size

132B
MD5

3f12ace2ae56bce9e8fd32dd80046e45
SHA1

4a50a0a702f2bc7b41ab9f066ca0a6fc43408fb4
SHA256

3a4910e3ed247925e4fb84f312ad1e1ec0a2e45196e75f13c59138ef6f11ade3
SHA512

654483399c2d263cbd6020b5ca73aa2e73d78e310fcb0b5abe21cadddfe5922af88e97f6743c9c4ce5d2f6e7a0e5344c0b94fa0019f5fe8c55aa09861439ffaf

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6006c945fd79da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000e26111bb8ef07334b4b2adb16cce1701d92943dd28ebcd523f74e337c7d45800000000000e8000000002000020000000a64537a72d5b44ebc2d9ef1032b0e3dea7527eb0bdfb60c7ede8f51522cd630590000000c6a641a19cd4d1554c53f00a53c88b4a13804933b78e57660e7a92fa625d9a9a754f5cd0c66ee61ae04c99fafbe0b569feb5429958d3f23088f69a0de4f0eb7e730dfe0dd99bf40b042bb27f61c09ccb954ddb24f0c0721dfc5c0a973b8098de282f84f1159ed90d9c4a98ea5c155fa92d79d48ca1362213fa3792c4072edebd32c46199a5963cb5f34dea2afac8d0bb4000000028d0db08bbae8982de15fa3a796e851f42b70dea62b94664ceda342b881d21e7037bf4e6a25df50160968d1fea175cdb30e315e94961c9d7ebf3578790742fbd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000042efbb46ee7635c85934076203ef8e6bc2d2ad503755fa907912db70dd889a7d000000000e80000000020000200000000643331573eff9437bbc25d68c67f1959b9b0b1a11007dcf0ddde658e021c8cc20000000274af1b929c1efcb9e8fa795c0ed5edf5460a6d96c3b96dd2cc34699af026551400000006a10d5ee1b0dc549074ca1c629c9086fe7c42aa964dd1055cfeff2d9c3a12ddd78ba772803abba64e4e371bc4ddadbceb197b8368a206132cecbfbeb67d6bef0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417015011"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71523221-E5F0-11EE-972F-E61A8C993A67} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2112 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2112 iexplore.exe
2112 iexplore.exe
2628 IEXPLORE.EXE
2628 IEXPLORE.EXE
2628 IEXPLORE.EXE
2628 IEXPLORE.EXE

pid	process
2112	iexplore.exe

pid	process
2112	iexplore.exe
2112	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2112 wrote to memory of 2628	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2628	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2628	2112	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2628	2112	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\xiaof_toupiao\data\index.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
55f323676865eb029ae07ad0d725d1ec

SHA1
744ae9111c2357f42d30a3de30e6484ad1aaec49

SHA256
c45bce40cf7b4b9fdac4f582813eea2537da1e3418fe1ae3976ba78307686efb

SHA512
f42dbcb5f53d0274410fb5d5b78c6ef46d51d45f5ae1c8c5ab79d4c73ad36bee6eff04ed139edc8af5b471b6570f08376d478b6eca9a3ab93084c1c1da19fc4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
329a113440172f1550bfc6e0c9a482be

SHA1
7d8c4016516c0d740e37c3230e67e3667378def4

SHA256
2c10e953bdc13ae33feec404157d8aacab71af9c325e7580ea009c22c721dd3b

SHA512
a11366abb6261be25b56a29a8e6ab36c3c809a344d8ff586e5a0e281dc6926386b4c810a59535b3a91e392ee4112c78e418d9d5d33ac17278254b34ebb22e4ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b72f862d9a03c543ce686ebb66df69b4

SHA1
736593ca6d7c18ac71e6de4b37e20ba22da8045e

SHA256
3ca192a3a301c6c31ea460691cdb9e9ce3613d68ab695d033849adaaf28eb40f

SHA512
cdcc77a164d379ed432a1c3ef94aaa40a4aff6a645273729dc39eaf0fb5e9d120b4aa17714e2bd1d43dfba011e1dc64ed528b67dae243de205dee96ae8fb0115

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dab25b1ad29d1a6579e19867cbeff7bb

SHA1
1689ab541007d0d72b4fd96210f8673413e1f10c

SHA256
5f6e63997414a9591ba8051a3f32130c008e1a6f59e5dadc45aea0e33793891f

SHA512
fda23c8c663b3ae43475031299fbe044e54c20dad4be5f2ddcf95ea1f16dd89eca22ab3ceee74cf03478b0943ff61aab08cf6976d3fb2803dfbc303588eb5f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c9ec2fbd98bbff4adfccb444d565e788

SHA1
2b2a2c20f5b19aeb98cd6aa23b6c096eb3b0f28a

SHA256
79e419c85b0770ad6651c1814f24b2b571c6be3bf46767ba02af2e544370702c

SHA512
939397fca199e64abbc209adfa7b01701c9c00b58a6a5ec4dd566bf022993e66eea6899a5b9d0c6cb62eed32ca59dd598bfbd281534ec1f4e562dc9dd940286b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
43967d01c805e604047c65dfd1d9945d

SHA1
f2cbf6711709ca0c6ce5c02dc19a04890a49932b

SHA256
d9558b10b6d437bdbdec8cebbfb7d3e22048bdb38fb7b83d1f8cd2792f4ec18a

SHA512
f5814398f652173e96082d06f443a823b4009d8ea876dca7e64eb0f00b36360fccd3cb3884ae0aa0a58d0df6874922b827113ff82b5585fd423c00437780d30e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c6a2f21624a41d513dc1ee8b4476bc84

SHA1
2921dcf849fc59f880a08706ce9439a32334dbdc

SHA256
6615e21c2f8a0db4de7b509a304ccef23989fb482871a4d2d78e47df2399bf04

SHA512
6bb0b9ab103f958f337e0af05811e07786af0545c0142f3057d1bf130b93b9842dcfe70c1af737b4eb24c25e5a7bd0dbefcbe3b216e1372072fc4e35b1250f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2f1567a5cff97ebf7af2889e48c2ebe3

SHA1
5cb18bfd696351e82234112d31a632f4a54b14b6

SHA256
11ecbb5dbe81f017ba24d9c4d8a9b5a7c2e632c0a9a02832390072a703de0b61

SHA512
a0aee8c8f6d8685005f671965318cdb5c96872b399ac411f7ee6b481e523aff0667452d72e92afc7663b1a4decae19f61423897125aa838954d8dd53b656f1c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e5a8e181006d388b8db460868035efc0

SHA1
5fce11fb0c4fa56c5c57f96da163309322f3689f

SHA256
46d10a895aec50547da17847c1c51f261b12906f998aa24a10cf172827e2ab84

SHA512
0cbbe227ee82e6875b8ac51d0f86fa2a13682a69fc27c2021ed98af0f29c841a614de8d6b4783eb6d489c3f49c494b3ca10d3b452c2912e6533941979ccd707d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0f20ae8a827f90b567768ff70d2876d7

SHA1
9b80b67ae58e60f84c7faeede3b349b864ded72b

SHA256
a8dab6b563bf4ea43ff8f54ff0aadfb7bab02a848656872bf69469bf341a580e

SHA512
c88b912033b0a487853662b015e9b7c815147a347982a683ca3538903d63ce8910c51b2ae0604a0729319190dba635b3fa04b4d5022b21317fc8a940c6a85a0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ca514dfe32b83fa9cd8926f2a154c8e

SHA1
b1b2f2f0e8eec5e54695d4b44b9aa782a80e4ece

SHA256
ffccc1119f4df310aedf9fde31cb0bbe598c5ff17d3537f7bb02c205cb082f7b

SHA512
5e679332205e92936aa2257b91dd9dbe61932a5c3c813e0cc73bfedb0e259f8d435f70c2499b5e3b3262c21c6d0b09398db2175398000f4203b5770617cf64f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a9c4c210264659d2b069ebc593445702

SHA1
aa416e40cb34abc70a0ba0ae2b349c77f3b34bdb

SHA256
8627c2f3dbf68d3c0d251ff3025472433fad377a3ac0f6ab0ccf64b47363e540

SHA512
74ac3645d90790bed522072b9d22674869d36e5e20ea30a005b9bd5f25ad83b856875f2f3264eb38874dee84e6b49735d811c697bbbba525637e7696fd1526f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d9582c154b81da6ad236614f3d8a795

SHA1
3c41ad52cece7b5533832699d8c52d4e063fe534

SHA256
97ff809c3431573601e76e1296c87f96b42b0bc30f35f7ebd50da218dd09ebc5

SHA512
a9b2fe32bfdf4c5390c2bcf993aafcc0f86725636a2a75620e760620e9d9602a76f7066b3e4f56613987dd6b49ef04c5d5559b8c70ae783e32682321442f6105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8d7be61436c852d1ec87b0ed2c46f6b7

SHA1
f992db59ae06d2e1ed882e994aa61071941c4bf4

SHA256
2da128214de03d5761e92fd69e516a90c8471a7e163fc2cb6cf8948e2063e6a7

SHA512
2105935992476e0a2dd8a0ba6aba16122128a159e49f65a37f44af5289cd42a1b57d778c23f2c87041712fd3b1da36258c52febcd97e8f1c752fb24afbc51a12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2f5a188f68e92153f790bcd695cac67d

SHA1
4c04c39361a2a44b32f032b4995d33e43c018275

SHA256
508c42b034fb88c46e3989be5a107b6b71036dbe433c7a6ed665e54c808d32bd

SHA512
4804cb40d0eea8ca50ef1adca5d0de3b3ff160bc2e033e20adae675ea3af3217d84e0f28ba62e34660905442cd8356731d82dd106c7596902283e2ab0c470db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab320B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar336A.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit