08acc5ce34c9eb144b0e7b1b039a34f4dc950fd891042778eb295df93d517f93

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libes_plugin.dll.svn-base?id=e3b43bd36fd50840467669364014ee53553872c1.html
Size

243KB
MD5

30b07bc8280734be0a49896fb4d9ca8a
SHA1

46612d40402f820a9e5333b1a7f323258c59d449
SHA256

08acc5ce34c9eb144b0e7b1b039a34f4dc950fd891042778eb295df93d517f93
SHA512

ffd5522e767d6140953f2be78d7d509b7853163edb3d335d80113fdf422fb78075c0c99f952d09f041074a620ab70c1e1cbd683484c1d308e208051904e40502
SSDEEP

1536:ch/AtYY9KuZCZBjXm4rjz7SdVJpJYPtjlWlkwLU+mPMxgIFPdOKLq+oV7E8B:ch/AtYnyU6GIpL5mkxgDKLHoV5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000428f41cc93ca50795136c9503dda3797d7dcab0a5f6e156966c5d030c40abd1f000000000e800000000200002000000011c49da72a2c9e03ad46f1daf847d11e0dc19d628267a74c9e5b956dc86a5d00900000000833e949c916485f7f964f281f8011a164b11dcb6c0a89462232af032593667c7b04dca3bace69eee60febc7a3c8fc91e18080b45bdb98e774cda8d2cd4783d1b733c401768fdf8a0356857253179500bddb7f8e538825f89ed508449a54b3e7fc0096c6691bbc004ac9050a39c02f7bec75c51790b58d8a7920cebcbe4cfe9b0aecdab8355296d86185ed773e1bb04f40000000c8767a191383dafed31a6e60e35731d350ad51a70de4235ced230f018f222d1b87b0d6dc7dba659b4eb05bd293d8a396da4f47a577869f6f21b7d35f70a955cb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c4f9f34292da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000fda5b780c1eed110d3ef6bfc03e5c6ff6fd159e0ca051d90606cf6b51cf20e35000000000e80000000020000200000009940b68d92aeefd002adcf4aa4ba79bd878399b445b1518948d5acd7bf4005db20000000639575f660b8c9eeeb9b09f3d165f96747a0c60e02b7fb28c8b4689b4c2fe6b1400000004c3c14f7f2e1933a63c0b151f10d55f9926e0081c2164dfca0897bd5fbf04788bf4889784f59264a8859c5e74806677985761cb7bab29a446ed0f1678831d11f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F5B7A91-FE36-11EE-B804-569FD5A164C1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419683758"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2844	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2844	iexplore.exe
2844	iexplore.exe
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1728	2844	iexplore.exe	28
PID 2844 wrote to memory of 1728	2844	iexplore.exe	28
PID 2844 wrote to memory of 1728	2844	iexplore.exe	28
PID 2844 wrote to memory of 1728	2844	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\libes_plugin.dll.svn-base_id=e3b43bd36fd50840467669364014ee53553872c1.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1819d6e16cac351754f52c069a78605d

SHA1
67a03e49c96d1c01827903d346b25f48c7f55a48

SHA256
1703727ccc71ebf4fd933f96ad2da0ebcfe8cdb9dc786b0f8de1864792875340

SHA512
ebd6bf3c9ffda4aa9c12d5db55d0e43928afce9011e1465c2a15ffccabf7bbeb799450b616cbbef723db8f1c4fdb31f7a5eb63d5c4dae70d2f3cb600cb084a1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8aa31526d421da4134f1275a15e6bb1

SHA1
dd4b82cea8ae267aa7ec5fbc459252990a4a441e

SHA256
86885aede7f1ca160dc2a5808f88450d4a86b35f8c911abd9f1e9a814de9b9ee

SHA512
5c09fd82a7568a892bed924793e82f59cbb990df18a1c2d9ea00f5346d0785687625b95252b7d1bf067cbd28b8fa4c3ccc7918d174adb907c85b537f16ec7e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
509a62176c61180b1259235dc0255d24

SHA1
43d71eb770163c6965837a6fb6e1bf9b5bac99c2

SHA256
a82cf683ef20ee558d9bb7eaa8a0bf761c97450a121905a3d01c375d35468948

SHA512
70e84c4614ba090f9c191fab137297450d562361689c501bdc87d16766359feeef8e826548201e357b85d4e22811bc4c2eb92a66459920b564f2a39780d55c57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
203e286a39e55c6585048884ef471653

SHA1
4e4bfd4a0d2832be9b1541e2d821f175348cea57

SHA256
6417016b27f37901d2fe845e64162cc7dff08bb2c0d67cc98fc70fe2c9524f6b

SHA512
0b037fec2d6fee69c07c5d51fe96dd998429628c3537b9face24db8e84a4c31ba01339d147a93af6566a4934cecc3c57af32b828ccef961eadbe8ce8e1982e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80e7dcedda6dd78ce63ec72c5bf5020a

SHA1
e7d7044b8b4551c508581fae9ceff98d6f68b306

SHA256
0c8ca6f09180ddbfa654a83970deaf9150240ef13acd0a2cddbc93dfed015290

SHA512
4ddfa782d2cac4c48003b94e96c5ff6f56c4bd8c4a2e2d4da87d89505eee4cd3aeba8a49c863929c39d9fb6f1cd8904109b64a93dc16935e1edae17ce7fc551f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c12663c71bee1841ff34e39e9b6674c

SHA1
fcc164032185c6cf3b6acbf28f98cdd26d98ee0e

SHA256
bc8fd958303edaf8d90b7648562a99e78fb36d97d2d6cc86356fe722105d6f2e

SHA512
a0d51b9a55b9cb5806641f7eded1f692a78e25337382afbc34c7194bf04e43b53d693ad0bb1e1d4e545c106746a888765c28f432ed54193c25f2a59432d3c4d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
113fee37179e1cf223aa45f1e8f39746

SHA1
b2c75320c8192977cd4b0020c7843f46b79ab459

SHA256
2b4569266e1a3d23834b96646eae9472aec60014e3d5cb897c4343bea26956bc

SHA512
5d4e6089f6bd977e0d0c220bbc4fe95823634e4f345323d0b03e7cdd6e3999bf7aabee26ff507c76a89fb40e626fc18d033d3da47857e8801097e30fdb36e40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efc0ea088697ce5f4116e4e46b0e1483

SHA1
6be5b4fb2ce0c043ccc53c4f9a066303e63674eb

SHA256
d149a8ad3f4827689ce639e861d6173b9af5a00d1ded9c2934f38fc4c1de6d17

SHA512
a6190e0f1735290eb4ccc2af611e48065d4c6932fba4797b118ac823681ae57c2d62043779d84b36d20d1df24b39e3bf7e86e826f2350bd0cba63859c4def04b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db299b102c200b36731909988416570d

SHA1
cb4c11b24dd6fb0da1b5a89a84e4f93c0d138ab6

SHA256
90025d353d11c6218785023f642f21c57ab06f96e4d7a96c222c6b0e6c2ea4be

SHA512
fb60b51d980d1d4c41d5293759168e1588c7e7d9730cd7e8ae29df097d779ca558b05624fb4c02d2a0615a1c13ee0bcf007a3b4a84a3746d2e500d7bae812dfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd275c6bf3d87d3e018c9808dec2e11f

SHA1
badc41b3aa8c75ad0786a16fdf746cd5a7c1cf7b

SHA256
60f91fd9c834ece542eaba8af6dc9a0e98fcda64cc78e5b08c29a038f236d474

SHA512
45e2f015f0883705b9687df236c22b3c2afc5fe22e3c7715685c4b05e9d337ebdfd340c858b1a8339da82c81f143aeead0480b0390b5eda884c6ec0b6e1a7118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86f33d718b6ab515491a372d28d2c21f

SHA1
eca4042523337eed7770d4403f24fa4e72cfd47b

SHA256
23fd3a79ca6a07f4b0ccdff34214dd52b604ecbf9ade3765e951769314be899d

SHA512
32aabed31a966867015595af1f46ddd62626a0412771f3a82f18294df29799e7d0e0f89046392ddd3e2fb9cbecc9efad8b74c8f71d5a22e60bd6b6ee98d41602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f60c99221f4c7d216cab1f21cc900823

SHA1
20d6ca8d5576956b162fb4165c8752b839697728

SHA256
f4cc65a680526da67eea827c8ad045e6f6b4297eb8913e89b82d718e6b2fe75e

SHA512
564dd590f94af44410c3b3801d5221ea67ed88c3b3c402dfa52e6f108d2af9219ac6b6f4c597e889a0fe7def91fd1704611419f5f09860725b1ef523876c626c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed2ee835b02d94a55587de41f183c179

SHA1
2100dcf3758d422cf796c3404bf688da01ddcd55

SHA256
2371e4371600c6e40de19e8e585542897d6ab22bb3b8d19113f603c9a86cd2be

SHA512
59d5ceb9d6f5238d7554f2285788554e318c2e2e13c6841223f1786442f63673d9476f058d5d9886af54a5ded10ca85d8f01904e01d5fdafd173248273374581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1b191aeebc243e346c79b7be6250838

SHA1
e9cd983652d3d20d1cc3847525fa0c30309ee1bc

SHA256
e7e8037ae97e44434347232d79f88abcf9fb4f7430650c41a182883e3121fa82

SHA512
764861641a929ad699a44aa1b7064c335246f2453a24b63a9edb9cfa15b2bd010699dfa1f1f932c7cc44eae9fc63ecc4ce545358a108ad23437f82a0d8b64081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6859a38c1b20db15b0fa1a6d83ec172

SHA1
48fcf2f0c99d65b593b1d86eed385d2792ede10a

SHA256
f8a09b3773225e799f24f1554042825c3a7d231715247501df1299977a0f8efe

SHA512
2d93258c44029d61c732aa8a47d55710b6e90249a493ef21013d5a48c330acc4a271ed924aff9811e5b8ae288b01a4b38386fe8b24aebd30692078bbc49f4bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50a80e0a85578fc835cbff34eb32d81e

SHA1
7ee728e00d57e75251a00d092fbad4c2f44d6d0f

SHA256
bbcd83f4f21eed9c7b0d11218682fe46a98d33a51727476902ac81eb72ee285b

SHA512
5e76324637f55c3cffdef23686931f55915134c9103a3ed9927a2f539e5d4c27d2189fad9e99561b8441f8aa4af7aa746c9041f29887d4f63a8e90ff701bff2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34D9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35BA.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit