14901b9821d4b33d3f6205108cc88ddb5886da1e78b250dc6994e7587e847e6e

Resubmissions

31/05/2024, 19:12

240531-xww3haah36 10

31/05/2024, 19:08

240531-xtpkmsag46 7

Analysis

max time kernel
117s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HellPr0ject.4.36ver/About/shily/tuner/rephaelGoxesBrasses/knubDatapacAbet.xml
Size

14KB
MD5

b7a01bbe7da2a27de490da40a380181d
SHA1

0d171986010da31949474f74911686cfeb048cff
SHA256

b73b7ee63f897af8ca480d27a5d856fff7174508cc501acf539b9c1a2cacb94b
SHA512

8bd96b87de2710522d59844543268d4cd75b3462901bce89b271f227c1d566329c6457fe6917b70a45b64da48f52ea9708dac0e096280392951e3e10f332ab85
SSDEEP

384:PeMnz0Fe+xptBiUqMFSzZ84BqhHYp9fkNy1Ef:PeMnz0UubYqhHY78Ny1o

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4de7d1e30b0bf488aa7fa8ae418a6bd00000000020000000000106600000001000020000000e6dbf36f87a488734e733d62a1f2f747ea24484bd9998daaa4a317be5ba79422000000000e80000000020000200000000864324f84db2543a903a4b6f40ad130ab6a925993e3997bb6f52f11e4a442a3900000006186e1be940daaecab5bed09854cc1e85c627a2072a78d785997614df094d3a39514efca60bea89a74bf58bf7c9bef3fb9db66f955ae824902df2e633fd2b89533d53c0de39f716d55718488662018f2eefbb9e3fb7434fbef2f0149da573e79e261052f6fb72c6abc6d8a01e6f3cc68624e2480047f654b58f085d48c864831188bd1f105db4a3dc760b6633c433b9b400000002cdaeb079d42be66d522161121590f7ca1829d0dfcfa7a0d1fc4e7aa9d6cd35973666ccb9bdbe2953989a5f38369db14df5045aa20a108344be4ceb808676ca4	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4de7d1e30b0bf488aa7fa8ae418a6bd0000000002000000000010660000000100002000000041877fcbcf2568463961bbd9bbe3ee789c8876037d12b27e0f72a60ed40e0a48000000000e800000000200002000000022add3909da75cd14eaa236f762e452d052882b9d20c5b3c9a5552d72a747aa820000000377bcfff131add7d5f758be24aaed9c40fdc53e67d75d738e33fac832ec5f6e540000000e04cf561b71582ae4a179f036c666138b1a0673eb276012fce5c918d99dfcfabc07c7b952bea14eeae05d2211a63fddee422ddd9eca503daa08516a926ba6c27	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f065b72e8eb3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A103AB1-1F81-11EF-87AA-FA8378BF1C4A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423344462"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2660	2212	MSOXMLED.EXE	28
PID 2212 wrote to memory of 2660	2212	MSOXMLED.EXE	28
PID 2212 wrote to memory of 2660	2212	MSOXMLED.EXE	28
PID 2212 wrote to memory of 2660	2212	MSOXMLED.EXE	28
PID 2660 wrote to memory of 2172	2660	iexplore.exe	29
PID 2660 wrote to memory of 2172	2660	iexplore.exe	29
PID 2660 wrote to memory of 2172	2660	iexplore.exe	29
PID 2660 wrote to memory of 2172	2660	iexplore.exe	29
PID 2172 wrote to memory of 2456	2172	IEXPLORE.EXE	30
PID 2172 wrote to memory of 2456	2172	IEXPLORE.EXE	30
PID 2172 wrote to memory of 2456	2172	IEXPLORE.EXE	30
PID 2172 wrote to memory of 2456	2172	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\HellPr0ject.4.36ver\About\shily\tuner\rephaelGoxesBrasses\knubDatapacAbet.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00a6c9b36511069798e5262b5c909a14

SHA1
6c35e826ac36db2ae001815b381c7398e04fac7b

SHA256
ac8e64584c21e8b25254111580ebb4f49f7dfb225f2cd865aa4967b808b00a34

SHA512
b28e480b67d7d12c0cd14bf31fc6515421961ceb845998370c55d1200c9961f50f028595689252d554f0693a50315b8ef167bb14919511f172157632744948ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb0d20cb62b7b8373948306a5ca1da03

SHA1
0f825aa00531fb9bd8ce360cece1135bf092176c

SHA256
7cf945b03e5ce1e6a8ef1b009141ab34a088698a0a8785f312814785e4eb5aeb

SHA512
1efa3d7fe9e0a15d5937ad2bb886a2c67f27e99cd7072b572bfa270f82864df844c15035da77e9c663be1107968ddab4d4908ddbb5c64df7929f6ff48a4bad86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31c64b2fb6b6b38b46f0c682718f692e

SHA1
06b2dd50150c6813636936553cffb52e33b80aa1

SHA256
6b1cb5ebe89bc68295f63d37737d947cbb79df95119512aa3f47c95f3c971629

SHA512
453c3b7ebe5e990b825d64470da5fb4f46d8c4437b4f337a834f71bfc66485707fee16c2e5260158efa74817c95d8c01453504d279a787337891a7abbbc72cf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7c5bc081b992c97b3efa5cb7df0c06c

SHA1
f5548f30a9342a674df0276176bc21cc473dc915

SHA256
07a80be59922d42fcfaf3daab04f0d06f7a7e043bc78799bedea0c1a42a25809

SHA512
19ade3351ba78b8c7944cdbb97b7e3b3281fc4c24038ce8e14045ded5d810bae65276cb1da171012ebb58bd627f8cdf4fc4829140ae88666754e13e71d25ca5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e351964cb832f4095b6765bde8e65665

SHA1
a1707fff0f638fadc81ed43c5c5f682c6d18841d

SHA256
8d1fa9eafe36dac214f0851a7cc4ade70c4e76ae06760e7b413fca7764831cd4

SHA512
93432da102d25c6fe4193eed590cdfc961e77cf2674c9ccca3a65b589f87aee2726c7c576e290c0f23afc57eebc2feed647c4891cb3155f05a8eded681fed068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79d461c2dec9eaf55062767d98e9125e

SHA1
0c534f6db278ee166d16bff361f6a879ae56bd08

SHA256
4f11364137e394ae7d61de5052c962abc0dfabcbaa50df1f2ba95838bda7e3b8

SHA512
8f0106052d217097dfce10fcb34deabc775f6dade608c0be4b961779049d8b1d3961bfb184ee2311e4a1b6d68541fe9802ebc07792f54b07c16387c4309b60a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2de9768c6deb78c258420f6b9b1a65fd

SHA1
d2e5983ecc63a939f09c672467ae3fefedd79bb0

SHA256
88f92b52ae2e9a80253aa30becd2afa472e993241718cebd00219babdafac3b7

SHA512
fa1854e7144f379510c67f4cc82c78c2e9f4e2abe67df40eb8724f138554e3c0d6c170d2483634137935bc0485f0d396c8afa0517c2e7521e1ebe162ed42765f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0574801338803a8df097adf41cdee138

SHA1
c9d1018071fbd04fb25f63186f0f01074f5a2eee

SHA256
555a476ae65210265fa789fa724352abd6c4d4713ea06c08d5138183ed8159ed

SHA512
08963c7b2ec8b51c07e9699bfd2c6ccb2c19bf333aeddf110e11140c6668fb7593e3630798e9fd8edc3d47b2574148ac4b5b513a54a511e889ea8830fc2e4419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b893f083e50a55e0491665a7a9ab80a5

SHA1
9924ab15bbe6b0b2d674d66f56717bdb7b6c77b8

SHA256
c795517729110db38a574cc26cee7817199cd2abc3518caba8628d3f0107369a

SHA512
8245c799ff0aaff672a3a214c1b0567fb39a6c237b555461006c19fa68ce10a3a92e8dd0ef77bbd4b05c62cec650fcc1222eba2256a18b17535007b2760983ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A06.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B27.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit