ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

open.gif
Size

42B
MD5

d89746888da2d9510b64a9f031eaecd5
SHA1

d5fceb6532643d0d84ffe09c40c481ecdf59e15a
SHA256

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
SHA512

d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7749F381-4841-11EF-8912-C644C3EA32BD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000c2c6dfa38f3ff13173af8ff048db5e45a9209869494858e81db68a5a026c3ae9000000000e80000000020000200000003a286ae0f5a8b49a9b40f7825dc861eef6976163a2453eef16a9c71d9e094c99200000007479334c4af5e9a55bb461446122c5997daf1fc3b14130573ad1596f089f354540000000b89d3ee52a6b84add672054fb5d936dce19502e204103226682482f949a6e134c0b4060bcba0780d4d6da8d8d824f7c4bacd867c4f321445c0f7c3bad094bc82	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000aa6fec35cfc9bc863286f7ac642729f9d881c72a8f40faecf4da2231bc984be7000000000e8000000002000020000000fb98ef1a7c8880d5db82b9cf50756f4ab814acf55c7296b1305a02f85c76fe159000000079c1189513b6e80a9294d3b45e7e384d4b31fe596505a5f7a31a572ff53b218d68c44e8d29b020f223c3d8790983711bd3b95ac63f681a63f60fe6c09eec662c08f99c8f7ac997c24e8ee7094157008f04081b55156ad8cf36389799ed15ad053c4ca8c849f278947435accbda67861c31b9688b50c004129365bbfbe70a516c542712b531eaed169f3bf27a367c05c44000000013573ab7c71da08133f0644ce53b19811453e7dd5a6247b51a214977c45a953fd5dd678c3ac36a70a1d4f8e547096064d207c78dccca69efef7683d15fbecc94	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427825016"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c4e54b4edcda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2548 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2548 iexplore.exe
2548 iexplore.exe
2136 IEXPLORE.EXE
2136 IEXPLORE.EXE
2136 IEXPLORE.EXE
2136 IEXPLORE.EXE

pid	process
2548	iexplore.exe

pid	process
2548	iexplore.exe
2548	iexplore.exe
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2548 wrote to memory of 2136	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2136	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2136	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2136	2548	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\open.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bed62b9f036cb244361044c50c5ab456

SHA1
b3d773555513f3e2df5c731ed3515d0c64cb4790

SHA256
0f15cf161fc23892187037cfbb82ea8d514d9fc9022c01a9947f03d8e1e2ef56

SHA512
26768c43adcfdc5e58d301713a0054a2fd56d510fde379bce4d6d5fd3775c1703f77be80497e6439c922946aefb3b888ff7475501f766dfe06ee05f45f9bb357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d326dd105fea0bd4100594251985dc05

SHA1
5399a7177251ad3d12505e640d24c066e108a3f3

SHA256
8b3b4589a6554dc61223077467be52d9620ef14933e9b56dfe115f6094df607a

SHA512
deb1fe58e2a7ec19471735639ea11773123cc819df482fa46e8a51d5861325d690c6ab0c395edcaa7fd8be7451e24e59781eb926e36fa49675c669cfbabca838

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e2b91a46523f6c74cc793f83ec1c36aa

SHA1
800663a83d1c1e99e147ef1d3ef51b949231e79b

SHA256
603d02c6c6baa98f71b2806e6a4cd61d04ec27c692445f6b2dce9ab6695138e4

SHA512
3ae96cd2ec1ebb2f25cc98c4c09d3e5879452f787e11e5ec8706b85d5fa59c70a7a5afb3eb199eb98f191d80242288714469fd150b88f37fa4e729301151200d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3e85207cfa832614d8662bc68aaf7b10

SHA1
3b4c07522762cacdc92736d8eeddd0819818c67e

SHA256
961ce7489d9b86c62b12d5b0ccf8d22ba71a19df36aeeb32b66b802006176da8

SHA512
57ad4e4f53ad02e47074fd9357a65e78e6fa9f5b0beadf6e1bcf4de57dc48aac4930e5b2589116f5eba41c00c503e29a33569c364b5e19255d1139aa7122a6e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0a31734baf740a2a7c9e7b2fc56cdaa1

SHA1
2f42e055287bb620e8775d8ba20851954d0fe08b

SHA256
350327c6404d61058b8e28f310f9c087ad28af7be9fac2475fb2403cfeea268f

SHA512
b386a1b480c3741483b9c923aec222a026006faf1120205b9ff36aaa87241553fe8919d94eae08a02ff8f3c1d6877ecadcb547c11823dc4aa84d15c020d16d0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
db21df7fca6f31193432f24f7541140f

SHA1
921c7625a78b6f8ba643dea75a037e095e50eeb6

SHA256
d46ec12a3130daa145e24f8d376e007670485372f8601a748a7e0a0b995f9dec

SHA512
917b97db29c0166c6bd83a40f9c428d2a6887a2424097b27c1f9581e664f186b0994427e32330ce8b6cfad2a642ecb205f3e7b929abc2f1b064c8ced999a4248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
10a3797af2ff362911e7f7aa140cb7bc

SHA1
c485e462fec20dffd9485d185349b2f7ca472223

SHA256
ad28aeb02417b6000eb1af014ff7173561402135b16cfcea39c08042839fbcea

SHA512
499d49be4ce0706fd60dc0d10cbcc30e1aea79ffc14339dffa366d7127ff490e39d58a1ef2d4032bf5e784e5dd82cc82f2552181e464e3b8f1f185450943b483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
79c7174842192f71d25facac1b610c9d

SHA1
73d4e6cb409e1a845665e7da77f34bc9228df382

SHA256
6f334a95262eda0720c7b35113894ff9740de7e8a0bd81543ee01c7c6cf83655

SHA512
6dcbc8e692a7dabd2cafe3d96c2fe05d47f85a49501826c5501046cd544820e0c9f68a391e2309964053809ae91229e7f04ea160c5ce82de99503a37498cd69f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9cf83096515acb434b87b87dcad61862

SHA1
2d35e5726dd4db3cbb0b2e9a00c964a2e3daf5fc

SHA256
5007de7743eb29b05cf50ec8f9dddc2e239f73093591e0705476b23db854f010

SHA512
56134fb04239b99637601de5629c7da0bf30114aff14917ecbccb89d1d926aa8170410c1e9f698e54462358d8d1872ac6491a02bba9bfd1afb94a95f875959af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bf1609d9daecef13afa7c8680556721b

SHA1
120a709c482e6b629973394598f9f8b9e9632eb4

SHA256
93583aa75de087b62662e2720b02784858b4ca25dd63b53a2b34b98a35518e87

SHA512
ef88bf92259983701ebc100f4da537a46b419b56c3875c84b8ee8178fefb7f8840b0a1be4082ee6d28eccca588818cb70fb161fa639291213a198213d4342a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e04d4ab66cb3495d416cb2a67768e544

SHA1
f24c4c5b6783fb7550771d66e8f4ac77e57b5eab

SHA256
17c5ad35f433feb4dacebc4da4d8e1d053f3de9a26544ac00d49f5a0ce0284df

SHA512
7705e3b0db40a0b75d45c68236f31308a90c42cee624b0cfbe704bb6d78ac060b745dc9b5d91c7a57600421596818aa612704b6a2391c2ac0c11f4331faebe19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
abd80b37667ad2744d4dfbec01a6c1c6

SHA1
41c17bc60aab48a43f3ceeaeb7e675b1136b2133

SHA256
27275968057ede3ad34edc901a851a491f568b102b475c56a27bbb2bd861b63b

SHA512
e1e8765ab30c6a05fb9b55ffef6525bf5b631c97dd5b1f67ac687efd4da1bd10e2798da8d99b941ba1b3f9e9f8563219cba8f8ef5c4d3afd38531d10fc486bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a9db5cf3c7ab87fafd4de3f27025bc7e

SHA1
1203eec1842883f4af1680305fe47ec8fb464fd9

SHA256
ad9612c54358fb473bb8adae080a64463736ba42827365fcb136e501f61e52d6

SHA512
9945477f177a732d05205f211d08f53d70f47bfb7a0065ff83f6a8df7b65ace1179f2d9334a19372e25d3e8009160438e623ac56316d419d805df97eea69ed9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d65de891cd0873a35016673474afd6ac

SHA1
ffe42a67142cdac15adbe92a06708fa54c15e734

SHA256
d59b4400470960194cbc337456af098034eed1315f828034aafca695d72f97b0

SHA512
073524c6064f9dcf2af6c1d00303a947537b54c2e21898ad5fcc72182621dee7afafbcdc92d0ce1fccc0a84b0eef6c872dc9754a664956c4275f005f047bae10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
599b768655707581dc046fea9562f86d

SHA1
f126b7b272eab91a4398f1837efc11663a34ea7a

SHA256
80cccacd0907d6810a2b0ca2001cc9fa06666c6b199d742d90ceee426228d22f

SHA512
d76b72694788f82e20bd1f16a425ac68e640410b08f850017092327a6b5c6f3963b6ae8aa111a979a4439e820d2225b9695f9446deec6e88d69e62e7ffb608df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
48ceda8e555afe905d72a74e51e1afd0

SHA1
fcf5e8bd8c5fa53f00639c8f29f8fee19068dc4b

SHA256
fa43bb2aff9add995569c711441eb8ae6ff19c802990d27df650a534f028cfca

SHA512
658cce03178d4dab0cb067d5f106ff5553e322e2693acc51958a6619e2b898a6b2411d7417ddb258fc2368abc14c764154ef3f729dc98131f7a0fecc6673743d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4e93d133e989da740d0d6249fe39b9c4

SHA1
1227ad4fae89d0c72171af83d719f07ab6472bb7

SHA256
ea0c7edfb37b9042b25ad40ed3e4092c94d6a493dfd67f3a485c128f70ac6c70

SHA512
be4b9547f5bce89a13c772ee59bce4c27bd746ad02f303b6a340b13ce22832eaeb6f8dbf2cea32c45619d59d0c44835dd8cf130ce533bcf68028edb59f8286d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA3A.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE54.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit