75ed41ee7c5fa0a3dede31802611d84c1d728f66837c5ed559980ed9b2e8490f

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

admin/eWe/ewebeditor.htm
Size

1KB
MD5

44ce64fd9fec43430857ba45c2205296
SHA1

b59f07e2e419bf6c09a88fbb706aa57a086deb2c
SHA256

831f4f0ae0bb12398d348b26274c1447c71da7873ab1718259927b320f1a1546
SHA512

4927b63aecfa5c7835f7d72ffe300fb7bd81ef44cc56956646cb5dac3fd6211069009af79b34e31f1e5a4c9e2832bfebe7f746beacc524fdfb5ed4534a6f4d7d

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{691BF181-3EE3-11EF-8912-C644C3EA32BD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000374d5b179a2e72dbf22e531331addab5e2ecfce9415d75edce9f1d32a5238865000000000e8000000002000020000000573feb66350c90be2b937b6e1fd22fe9440d5a61062c0cd270b304786cda05d290000000c6325851d0e11b64724f4ce4c447ba1421e17d4e0c0ea1dea6348989b35b1adc4e77f19043c0183db06e08aa16f196e53d3d439a192a73129fd249f953c43e053b5af9ffc7232e4cd996015c0a9dfcf1dbc7bb5895a33ce6e6bb9984a0d15f88dd4c6d714b50c2651f8ea027d8c7e65efe232467522b9407c5cd9efe5207f04e20a5c66dfdfd5c61a7f62ad2a28a1abe4000000031af362198aac9608edc1f13b6741666e975abbfb15cb0f1117f953cd30c07518ed353fca428c706c323cfda94d8a58011efcf32fba39c62057e242ce61fec05	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000663892a68d25b63b3ec915a85467e4ff0d073ff4bb857d88d2461bf6420d5bf3000000000e8000000002000020000000a59a65496d03d305d1a4fc2e3b7b30824f2c037178721d39ec63925fdd96cd47200000007492bef10ef97f131d8fbec6b32e5ca6eef5264be88258ff06e95ec605575557400000009b52931b28fa66c42c237a0d90b933b11fd15ffb824233c55fde40577373e0994d3b6d8e8eac6fa9e0fe0d7de03b438dfd1b598e1b37e9b32996285ef4880fff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1017a63df0d2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426795059"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2296	iexplore.exe
2296	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2100	2296	iexplore.exe	30
PID 2296 wrote to memory of 2100	2296	iexplore.exe	30
PID 2296 wrote to memory of 2100	2296	iexplore.exe	30
PID 2296 wrote to memory of 2100	2296	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\admin\eWe\ewebeditor.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
795dbe023907af80826a36dc2fdc11e2

SHA1
635b0b80903b87b2743d7ffe505e82073f3e4790

SHA256
1db05bcf54f551e7d0abe1619b21e47b98b565b49e065006112d11564a2ff907

SHA512
c7b22dc6986e4290c1a20d88888d960c2117e3903d9e1babc89d071fa85aa3c3a4aa39784b8e62e37728593d9fe7dbda1c6c56a96537bb3196558cdf93f9a0c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9015da1bebb7b8f1168a17f04513c7bc

SHA1
87f68ad3804088df266419acbfb0bf1ef9e8b604

SHA256
905beb5d4d0b5d5af7e2e5ef9a72a05794134ed7bfb5a56147273e3564ca87b3

SHA512
7a63cc05852539eb4508b4ccf5b78ff6f245d021b022968c70e3b774bac1bb12356937768ffc65016fd0a0379bb0d6a327b566072ad18f8312a9806a66b55e17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
319881876385be6f5e6749fc4ed11497

SHA1
e822671f467e402cc6eb823062588f0bc69778cc

SHA256
05643a7b540f07a8cc3e17b7562c9a9589cc55c04f2b28b09c788c186edb2a43

SHA512
d5595dc31b05f1cb0423726f80c3928907ac9a1e5d54359f50698716c9258412b552be8c850f2e434d8a8888b5bebcb9f04645e307405e97a89af4f3287d89e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9d2aa3e898751ce0db1cd808fa8ffe6

SHA1
dc98af2b2e5e1a6a181de4dd938c3a7834b581bc

SHA256
6fb14ab34a37bae0cbecbc673280b075e6127522389dfb7a6d6a61b2ebd40fc6

SHA512
aef86581d0ad946f688e6a8bb548ef7e20b1447192df3897c658ae1909883f0ce5b2b0dbe0682016e2f53cc2787ddbdd909fe174bff13d7f333ff065e9b35c25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
490fcf485b2ae5440a88daf9fcda3035

SHA1
78490d3da45acfda76d0c29d695d666cc5fccd6c

SHA256
4a3ba5cf0b925905a62ef0cfc38c2b8130999e0b77ae8021a60e04b95d327c88

SHA512
7ebd819393362f8691028666b5f0e69ec6a1d57666294c2d8c80053bdde50321bbb64b00714d6d49522bbaf19100cc993b66e8fbc8ac5ed8460a3c5eb4d7d5ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69e38597d2e502a19e438d7bf009e2b1

SHA1
8402d296b37affebc3c3c8964b579476b7052eb7

SHA256
24d0ce6c63ef8e43d9fea07259c60a008bcdba806b9c04180ca8ab35700dd76c

SHA512
f32ab84515179def0c499469944d5de9915d28dddbba52ce0e880098ff4d9ece13f3bdd3029d9fc94357f9145d87171a0146cdfc62df839a953d41b292ede9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7105414b1eff1a1d88f1e70579ab92ae

SHA1
9ac8a2b1e7d2793a6e4ff1f999d7198daa1fb7a2

SHA256
6619943b26149c7c1135c4543d2a22294a4622c2f1dcb8546ee118c03b1114ee

SHA512
17bae5342a7b756a981e5d30f97e7322ea509797471c2ad5a382d639854f1078a7c4819eb4b3943a93cc2f639fad3b9a9153fa5126f7fa83de6c2c6d3c5d052b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8c5cc0e0ad401c302e168d3d58bd237

SHA1
a5eb3c14b10559bc265e49b976b4d86363834129

SHA256
7171ed824c32483f4e8041577a58352da3c76334c6263e9888b44c2f36747060

SHA512
425e203597bd7db826191319bc69ac8afef404f4d7080263e147ab7c9bf43810a708ea5220c37bee894f54e2a39f04bc4ae5cede37451e31daf02f2ba902a320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a687149b5cf7cbe65b89c0001d3bab1

SHA1
030425e43d3823b524d24893e14384376bb55206

SHA256
1ab4bae3bf6b37d88bcaf4e5563e8b5a9a5040635b19868103c1a0219d6f867f

SHA512
754f7a3a63d9b5a9b370bb0bef1c81ad4764b29dcd04bac6e8866bee39d4d5050f5d1a59756df4d462e45908ec29f377b3e48b37641276b666562e4a03cfa885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d62dd4053938c2e9ceb4c9d159aa563

SHA1
256fd83b3f017d65a7060c409e138d0524fd7c48

SHA256
b400a208eb05edbbdf38c287bfa6dc8b11b75cb9aa8ba04e5fa8c39d9d5fa6ff

SHA512
5ec7baf894edfa6964166d787f83a1acc643c76b34e6a9a9aa376c967f96aa8f886e89d2fab6e0e301c1d72505eada5c1195c7dc66eaab46cda98b900240b053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
123192139cb4889b14d6c006eed5e48d

SHA1
c87fb4dd74ee98462d4a3112bb83200c2f7647ab

SHA256
d1e183c517678c20f6be031dc60da58316bd0eceffc9c2a861a3b90944d1a82c

SHA512
ef70255396f675d7a4bd4e0e23014e6f60e049b2aab358a9f22ab721dc5972b2f5a4054e7264c2e47917987a936557257ca869569dbfe284d2e033d9d1ea6e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d957d91f32b9933b0745215bd7740502

SHA1
2449be9f0cf1d47b3a38adecd4081a5008053cf5

SHA256
6ec9a08e056969f06d2ca5e50f3f6879cf4fd36ea36196651efa593e33d02fd8

SHA512
c117d4c97b66e14e6cc464d45bfd109faa46d2c33791fd93479652544fec556b82cd281702a3a2bb91d27820d306e934ccd2979371c18e6cc8e5bc93fb689987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a21bdaac126d73834c28dd2a38c7a44

SHA1
447a90497beeb7645bb32944efb02bd55aba5a6f

SHA256
f0c96271915c84b38c6c38d10d58c470740bb58c0bdecd4a16f626f3e927355b

SHA512
baaf9383876eb761f475e2c47b931737b26d29b7392424e0d37fe241c736ce0115aced84303b643908aa7d864d777e9b492bf83bf579315ab4d154baf66570ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d7bb03336ece5264195bf317ea2e9fd

SHA1
e10f3cf1c93ebcd158e34a44165b3c7aa8ac2cde

SHA256
c1c49d5c2dbc2f06ee4c608fdc30d788d7f22e957c35a5fd8d3aa6c8a94c4696

SHA512
58ad948d35a121f9f53b0d6564c8c486ddc11869549b4aea68e83c5a5b1a1504dd076706a78add72ae10d29ee4abc99b41b30648234e8dced7c26dd041f938ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7802474a9153ba1858d7a537d87e1d72

SHA1
598b26f44a653142f1e6dc269d218af0f9311515

SHA256
3d302ad6f322c1d2ce05b6f54bad9759efe11485a4f0d4197d21b5014fc72488

SHA512
0ab1df04914a9d5ae589f699c54a050a161a55f2b9bdc5be4c0e41d094e449b019848cfbb1167aecd1e36982a14d6e53ed1c136b0e3b507db76d0b32c6793773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61f5aace7189ba0c7b739761bb43b0fa

SHA1
01c6bb22af17b8c3823b6454b19637935336077a

SHA256
32432c51bd16cde895a078cc75402a112926d723905eb4b8f1ad3d14866ec78a

SHA512
a2b743309ed0c6c70a13c8a00203656006814e2bd5fe4b225ca8175f0e79c4463307a575fa98eaa950c854120a43d23454d5c7b7bbb3c11190ad5df6c10e175c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1624761f7a0379a5474ec45b21fce3da

SHA1
e332937fb59118715061c08b263dda828cc22863

SHA256
c1c4ed49ba4a2062d62b73044736edda04acb406fc569e3943234c514bdc94fe

SHA512
71a835e9fb090d755e0832d6f189022f1c47acea30ab73a20e63bfe4aa2ed03a9c1318c7b27458798b043db73bc749e8ddb4e6716de2eccf639bc403679ff071

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF3B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDFDA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit