563d0e670d8ff0fb4cdf870452b30e945ef34c01f9c4d41a52d44e0066d2ce6b

Analysis

max time kernel
136s
max time network
136s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Archivarius 3000/Help/Dutch/Features.htm
Size

7KB
MD5

e05085d6780ae3e672d69b5abf3acb17
SHA1

3bd19a10cdcd4d15dd54b9e6ff052b2c29fd22d6
SHA256

6aa8b72eaf511300853c89c8749005775fe7364eaf78207e477e6e08b11eaee7
SHA512

b6e0d77f62d362c2dcabf22720bc9dd3ddd4e03be36e1ae109afc8cdaf86e76d7c27960524b3e23890c0374eb66bd69a1f664d8ec330ad11cff4b8b71cf4d40d
SSDEEP

96:5d1JRkKBJRQKyvvMoaGwS88wbRwJ8wSwKMQw2GMzved9vEnGmUuCHw6weuA8wXfo:5L8KBKcos5G0zcUev5MvPSUPL8KB5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73EEE4C1-3310-11EF-9E55-E6415F422194} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000094d401f1465da3f28167f3f5c2150c5993fe01df8533552077334ae2eb1059a4000000000e8000000002000020000000feea43a3735bc73a4071dd44c0e2b98d09fee726297f1b7d5ebc2e9441e1da7a200000002935b6c7cf1b073e5ad23be04bff4c7d42bdd3191ef79e6a0a2db6cb3dd0829b40000000e4c4df206486ca26b213be93421f4bba4bb908af9e97ba6959830eb18e27059852325733390005f97e86c0dc1467da60683184d371b1024092574a5aab0508c4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425494992"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50aa82491dc7da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000a8cba1f24ebd387b3ee050da158df78ea751c56ecf08434d7d119acbe7b2b960000000000e8000000002000020000000bdd562112b3da918b75a35efab8a6985709124d65316f42f6448c5136b4a66da90000000ec4a9e89be9ceb033615080b1a8624ec1798a0fd5436ad17f3187362fb91836d9db38be3d6eed53305ceceb84a713224854d551f0c4794d7751755376c1aced5ec55b0aca3ed021ab46cf0214422c772ca3373bcdd230492c115f71154fa39d4dba417874f78e5e5f18cf3a343656ef423047b544033c912a6803fd6c45438ce8dc3402da72ccf49890d989950a3b38c40000000c5505802663bedf7a7ba828aa97e7476222eb1c640d8c598953ba685ef7cd3ee734992bc4cff9d0d681652906413547b911ecde9e5c49a74b68bdee52dff40f2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1440	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1440	iexplore.exe
1440	iexplore.exe
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 3004	1440	iexplore.exe	28
PID 1440 wrote to memory of 3004	1440	iexplore.exe	28
PID 1440 wrote to memory of 3004	1440	iexplore.exe	28
PID 1440 wrote to memory of 3004	1440	iexplore.exe	28

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Archivarius 3000\Help\Dutch\Features.htm"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1440 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f509d40ac745a891058b7a9179e799ed

SHA1
8b063343e1ccc725a8da47f71389dbd8d2b54790

SHA256
424866b0e7b8c211f9ee08e9c88975869c121b9e14524616b18fbaacac3aa52f

SHA512
1f902a777d8ba62f3d506c3f39fa402cf4a335f3dbda228e5e7260354aefa0b37e13a3a85d4bc51cec0ba800dcf352f565084bfe430fcab8d0e2b4d3cec1ae79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1e6b1ad9de48674a4a0071cdfbce22b

SHA1
f80f83349cd06b9c8b79f0afcea8aefc2e859a5b

SHA256
54f3bbcbc847f4a2eeaf7243bd40bb79c397bf787c12d119796102ce18ed302d

SHA512
57a602384738d556de7c58a5c13e07d2f82e77cccc5bd35734dbc270a296cf3aa203d7cd3b360d0381418e6ab782bddc7b6d13d2e0e7f41b221c08cdbe2ae81b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9169561db7350b4d096ec6a131ccc37a

SHA1
573774953d05ec6c9dab657eaa84b1268e86aa84

SHA256
c46c22ecc7e6d26a05f1aa6e9547ac4496222559befc61b6efeef66f14007272

SHA512
ee3d45a7b29350e8686c5260ecaf9260e00a6083ba09bc21f305cac3d52895b7fa3b0325a844f540cbbfef0413a6bb9eaa27a68a5a3779868d883860f1ad7020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c634f6ae3a16cf523ea08d4b7a2f4de6

SHA1
1f68414cb45e958b87df5aef74801c08afd81cff

SHA256
9f53a8ca68f33c20e57923789f48e89a9886d4f69c3a76ffbfdc13930b0f1662

SHA512
2fa2532c279fe8f14255ff35eb36704d7d16ead59d0373040ae54ce04211903560af3c758f30f4e6c6fef0e78051a59d9bfd1675b520504109fd54fc57c6bd2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
693462d25a069287803b6e659d123840

SHA1
daf8aceca2d0f2680e1089622630256987760595

SHA256
99689021aa1a5cc76f5db5f8490dadc75746a4cdd176290c8f9bbd5de56f3372

SHA512
102f9034e307fe36629510b593e7a14c017bf1d1cfef6a9ded6c515881ee565e60cd879174d964bdbe1bfeeceef92b71fcbd868bfe47ba15e8313221022eb1d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f69af0427a430f374d8aa34d3fada6c

SHA1
f56ea8c54afd0e06d61b5f81719f1f1ff5bb44a9

SHA256
3625578e250ac75c068d5e3710dda19647574f89053952a85b36f74238476a64

SHA512
4375271fc1f2e912453908d72402adf0d52a1b38b837733094a8fbfd3a59dda3b4689a1eee8bb83fba29885f1d8ffcba465051ce4b28ce07c6e66d5d91905d3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cf623dade1f94cc817bf75832b9276d

SHA1
68d2c4c01c5099198ff1174bbe07005411af2949

SHA256
40f33ca5519281c3840c61ab328a909f0a741c884bf3b5afb094a4e6a2792cd6

SHA512
a3dbcfec4064d78fd9e273100cfb21032ae58ec22b44341d8cfb5c4fef1997b1b1b9e8c9626a0d816ee59c5b3780791e4184ecadd3f60bd857caed634cff4399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2c5793a4dbcd3c457320fc2a6645429

SHA1
9b51114539f96c7dcaba32dbe7bacb4935019f52

SHA256
d6ec98b7b3d0f9830274914b8ce365eb924cc5a37ea765fa03a92aca8f57a145

SHA512
660d06bdc5b74d9827bae9e007fd790e600cfbeef709caca173022ffb96755980c932e86de19611a6e74ba5fdad6783f0a6649d434dc51f28d3a2b144e28fc09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ab91fe825ed8488a930de1f51bdcc6b

SHA1
77cede7839259ce98ed2f77640f4d57bdc380168

SHA256
5f86928f1a945afa6acec2abc36c8ec1b50fe6a5654acdf6b69e031892524844

SHA512
1dcd45d1edf6c1eb865379a036bc21cb93e3219e08e206657b2cc97094092d9398e08a97ea88c87cdf8da67ad3f02eb5f8edde2be7eaf103e5c0644699ad52e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e30b1fc86969bdd1925b4f4d3237f3cc

SHA1
ae5c7fc97be487888e0bf67e994abbfdca733b52

SHA256
aab999a1028ff0e31c25789f09d0811c18fbd05871b5b48d6b5f243e60312cf5

SHA512
a56cde824f39a92a7ce21bab5f039db1cd3f43a6ac1c5a5c99bb7ecea4070e5c9d13219ebb7e1babf490522cdb6415510fc35ead61921c428a200a518eacd18f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
450165228fcbd4a53b1c15870ee56067

SHA1
c64b43620752212e08ec364987410204f0accc13

SHA256
66ffcc55eb5d3485e1dba224ad2998ef3b5591b07cd430b8a6534f858655cf86

SHA512
eab6e8afcebd244a6382a10ba8c9fbd1264c1f185aee29cad7fb9c9842d2e980040826e4fef079d16fffeea77084e4f9bbaf7e93d4910795c491fd7ec9f865e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab90CE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar916D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit