3bcbe711a731f170314ee3256f074de87a66f9394329c2f768ee4910c12937c0

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/06/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.html
Size

20KB
MD5

c291aa838e5638401a330401286f18db
SHA1

631907a720780a413f9030968b65fa5bc1a56d12
SHA256

3bcbe711a731f170314ee3256f074de87a66f9394329c2f768ee4910c12937c0
SHA512

f347c7c1aed6da067ec46dc778b334b2683dd2d8aa120807bd5259128a391ba91f9cd518d1b4355a49ae6b6c781595227431f278895dbbe14650dc8003376e77
SSDEEP

384:xLIro5slm863zRYABxm4ej61G0aQHtQamHTB/VvRyEoe:xLmq99Bxm43/HtQ/zB/Vvie

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000f55ecfca4ea40e9a01a7249b9f3e4da3d26ff28ac05e7b88024b0054c4a0a861000000000e8000000002000020000000ad53d4a81f17608255e932bad80bb2fa42593215eba1e5e6cfa36bb660d6fd3e2000000055d9c3786efaf48788000271a6727488b72c039127bffc6f7a12b13e94526d0c4000000019a9e661dd9a6dfcfdc982814819cc17ae46660540ef3cd8b48f59a94816b276d48cb740a9b897a41fc95911c8b6b162c7ae6223349016d3025801109de0b916	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000ff1d9e1773bf9e1346e3f8cab07121b6b898bcb59ba6449208e4fa84db76c3ce000000000e8000000002000020000000526693e08b5945cad3744d001243ad1f10323fd525dc57f4159b81e5707069ec90000000148aba1ed1bf469e85665bf496a9a63e0434c3a5d129f58d263f085b3d97961b8626cc9a3e15d18c985ed230cd502eef28b713ece172d0827bc133f9534bb46aa288be98fc2ca79e5a63688b139d2c6c73658fdd8ef26d7e5748f8e14170c5c9adaf210e7741e958e648b63a3a91232258d712c8251a1994360a2fb41774b2c412d532d2aa2482f708687d1286f5627140000000a152e70b91219c4cf253ffe0b3cebf074b0fd219297d24c9db15c2626089152ffefc004514df8eed720992cee6b35b0610a916ed0fb653e0499c2cc693c23456	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424662801"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF3196F1-2B7E-11EF-B44D-5A451966104F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00eb77938bbfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2952	iexplore.exe
2648	msdt.exe
624	msdt.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2952	iexplore.exe
2952	iexplore.exe
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE
1144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1144	2952	iexplore.exe	28
PID 2952 wrote to memory of 1144	2952	iexplore.exe	28
PID 2952 wrote to memory of 1144	2952	iexplore.exe	28
PID 2952 wrote to memory of 1144	2952	iexplore.exe	28
PID 1144 wrote to memory of 2648	1144	IEXPLORE.EXE	29
PID 1144 wrote to memory of 2648	1144	IEXPLORE.EXE	29
PID 1144 wrote to memory of 2648	1144	IEXPLORE.EXE	29
PID 1144 wrote to memory of 2648	1144	IEXPLORE.EXE	29
PID 1144 wrote to memory of 624	1144	IEXPLORE.EXE	36
PID 1144 wrote to memory of 624	1144	IEXPLORE.EXE	36
PID 1144 wrote to memory of 624	1144	IEXPLORE.EXE	36
PID 1144 wrote to memory of 624	1144	IEXPLORE.EXE	36

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2952 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\msdt.exe
    -modal 393502 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF3BF7.tmp -ep NetworkDiagnosticsWeb
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2648
- - C:\Windows\SysWOW64\msdt.exe
    -modal 393502 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFDB33.tmp -ep NetworkDiagnosticsWeb
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:624

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:2552

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:780

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061601.000\NetworkDiagnostics.0.debugreport.xml

Filesize
64KB

MD5
d6287993154bb2d132f5df40c3e3eeeb

SHA1
f971c5cc22e9a4782809df6eab8cfb8afc7f2c12

SHA256
d5282a3e0021c10cd070ce61eabd8c566dec7c6947f0c38bca41b354a21842be

SHA512
9c1e028edb038c1a5c5e4cef864896aa6c3d9d20843f877d9748793e2394f080893f347be7fff11433d775c2843b6901e52e556284aef833558d59b5dd55945f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061601.001\NetworkDiagnostics.0.debugreport.xml

Filesize
65KB

MD5
f6bd006e1ec6cb28f746dc2f3dfaa2dd

SHA1
43807a4bff4ddc4da038cdc40faffa5619d427c1

SHA256
900cbb0bcbb434da8ed6526c09ab1f4b274e04456123f7feb136083dc499b57d

SHA512
64f9c49bb487f08e953c7e06bb432d7d922475471ac53cf38f85499a462f23adf55074f50ad924bbff6f776c87978c80a7a6b8a5e33af8f2183eef328f038805

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061601.001\NetworkDiagnostics.1.debugreport.xml

Filesize
7KB

MD5
97dd24ac25bba9947c5615f87573137c

SHA1
77911a8b702a1c60958f41f9962d7a5c72937771

SHA256
e9a5b68928c52c02d8cbefb46376ab3c57a1526ed4eefe8a00ae687468f3134a

SHA512
c5e82128bf081d8931052eb72b12a32928f461de4fb1f514440adeb8281955be60964635fcf767d7b20512eca8ca2c3593c7272671ba67ff6b57dc26fa12f0da

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024061601.001\results.xml

Filesize
253B

MD5
840b413cbf5e57a93deecff7e76cf260

SHA1
cdcb54b73ea2acbfaa16e9355b347c2548411026

SHA256
de5825ee63dd98ca86f86652ff81ac75380b3ac4d880ab44d8984b8bf531ffae

SHA512
2130c9f55a3b28492c698def50cf92d805ccee1334c95ca8f9f776f6ceeee91884e751fac42510088a262dd82de01dcd6aaac5186db4a97a221bd8289a72c3a1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\latest.cab

Filesize
15KB

MD5
b709b7477b0359a78756bd8a5fe63c08

SHA1
96e4707efe29ebf404bad1ff424868982174ae07

SHA256
985673b8b1a1ea9a60b56a9cdd2232eb179b5abe98c9a1d9fe7aa877683b7fdb

SHA512
6bc6f36abbcd9207498469e89e8bb4b6f64ef424be8cbe06b77e2f090ee41bde86ac09d450affb863066898c4c471ef4861b02d57497930f41ce84df86c435a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF3BF7.tmp

Filesize
3KB

MD5
e2667894d5899b0dd2a3552e3890a564

SHA1
58fdd46502e8e5bf4759ff20214927abcf5407a9

SHA256
3f8c1c5ea53d3ed5742b25fa95ed8f9eae6377d7122daa74f3e78dd6b8da15cb

SHA512
f7a17bea6a653961cd710eee8359a760ccbf852d1a0cc41b94dadbf50704d3b6cb445cff0597a58bce69d895bb058371a00174ed8f70236cd576f98f8581806a

Download Submit
C:\Windows\TEMP\SDIAG_5bd15eee-afcb-4002-848a-32e9555d6ef8\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_97a3814e-7222-4fbe-ab3c-3d5d297958cc\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_97a3814e-7222-4fbe-ab3c-3d5d297958cc\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_97a3814e-7222-4fbe-ab3c-3d5d297958cc\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_97a3814e-7222-4fbe-ab3c-3d5d297958cc\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_5bd15eee-afcb-4002-848a-32e9555d6ef8\DiagPackage.diagpkg

Filesize
152KB

MD5
c9fb87fa3460fae6d5d599236cfd77e2

SHA1
a5bf8241156e8a9d6f34d70d467a9b5055e087e7

SHA256
cde728c08a4e50a02fcff35c90ee2b3b33ab24c8b858f180b6a67bfa94def35f

SHA512
f4f0cb1b1c823dcd91f6cfe8d473c41343ebf7ed0e43690eecc290e37cee10c20a03612440f1169eef08cc8059aaa23580aa76dd86c1704c4569e8139f9781b3

Download Submit
C:\Windows\Temp\SDIAG_5bd15eee-afcb-4002-848a-32e9555d6ef8\result\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Windows\Temp\SDIAG_97a3814e-7222-4fbe-ab3c-3d5d297958cc\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_97a3814e-7222-4fbe-ab3c-3d5d297958cc\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
memory/2552-363-0x000000006F380000-0x000000006F92B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-411-0x000000006F380000-0x000000006F92B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-362-0x000000006F380000-0x000000006F92B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-361-0x000000006F381000-0x000000006F382000-memory.dmp

Filesize
4KB

Download
memory/2648-360-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download