08b11c3897eb38d1e6566a17cec5cdf2b3c620444e160e3db200a7e223aabbd8

Analysis

max time kernel
101s
max time network
211s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DISCOVER/COMPATBL/DEFAULT.htm
Size

6KB
MD5

ec99f6ebbac3ae9cacb2895bca9a95ae
SHA1

c0d5d4a8a4f430afb2863ad4cee6d852d724d3b7
SHA256

ae21dc262a7e97d01ce2b2de3bdafd8292361c0652e0b64e459f999a4480e917
SHA512

655f5910c276855a0bdfb87551f60a0861855d6e2dc794ce15412e8c8db87e8794b7d794d17e667511a47a4f1e03be86f56f3022b23556a73b797fcd3c390358
SSDEEP

96:RNVACQ6CQoS4mJAc082vo8UUMl8Mhl8pAZJdYbY1Ir1EWvdQSHvadB:n2+t4ncuvwUMphlWai1Qv

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	IEXPLORE.EXE
File opened (read-only)	\??\M:	IEXPLORE.EXE
File opened (read-only)	\??\N:	IEXPLORE.EXE
File opened (read-only)	\??\P:	IEXPLORE.EXE
File opened (read-only)	\??\S:	IEXPLORE.EXE
File opened (read-only)	\??\T:	IEXPLORE.EXE
File opened (read-only)	\??\V:	IEXPLORE.EXE
File opened (read-only)	\??\Z:	IEXPLORE.EXE
File opened (read-only)	\??\B:	IEXPLORE.EXE
File opened (read-only)	\??\E:	IEXPLORE.EXE
File opened (read-only)	\??\W:	IEXPLORE.EXE
File opened (read-only)	\??\X:	IEXPLORE.EXE
File opened (read-only)	\??\Y:	IEXPLORE.EXE
File opened (read-only)	\??\G:	IEXPLORE.EXE
File opened (read-only)	\??\J:	IEXPLORE.EXE
File opened (read-only)	\??\L:	IEXPLORE.EXE
File opened (read-only)	\??\O:	IEXPLORE.EXE
File opened (read-only)	\??\Q:	IEXPLORE.EXE
File opened (read-only)	\??\R:	IEXPLORE.EXE
File opened (read-only)	\??\A:	IEXPLORE.EXE
File opened (read-only)	\??\H:	IEXPLORE.EXE
File opened (read-only)	\??\I:	IEXPLORE.EXE
File opened (read-only)	\??\U:	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000c50e5754c85f4c668d4cf04e41d42d35466a0f8a53fb465ac3d0a31a5763c54f000000000e80000000020000200000000f57cd19e52cc3b4690f5da55cb4b19112cc92fb4aa7ebd0b9cbe027d01b937020000000f0dfb1580b7ba0cc3d0d723b92541457d1fd84bae48ac4eb37f3099fec9d5cb940000000e72e0c5d6eb0b4050f4cdb2a8875d9d7b26bd9a6410d1babffb6fa2691e416abea0643ae064873320c91c12ec85a00536a70b41b32f03dd4ed4c38c4fa501d03	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427870989"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8041D6E1-48AC-11EF-B29C-DA2B18D38280} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000bc3dbeedd51ab347a733afb3d7d0cac6926f0422ed89cfa4fb1c8357d0ecd2e0000000000e8000000002000020000000dae7d9e6708bec0fbbb25e378ed48689951d7fce7bead1cda7fc3849b365dbce90000000559ef452cd40fe596c759026caef616e0a50793a4ae03e49778fda2ea747e8db78ffca98b661b8acef227bdf2f11bcbe2af6eb81c7de6a048ebaa783f27982a7db0e81c484abbb1113d71ed50ca2bee559b1a9b9b7e2dae235cc01c2e0d41b99d9eedad8c32fe79b21ca4ef9de50fcaa07f244cfa2c37c18cf657eea787612135e60f0b05eb7c567c6c3358269b7e5a0400000007f0abc09248732c7023314eec4e28b507b9a9a1c74fd60631fc2d9d568496ee6972f62e0ff94d095ead50bcd0b04e768b7ef312e1cc2ed730fe98581f9106e17	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9061b95ab9dcda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2952	2760	iexplore.exe	29
PID 2760 wrote to memory of 2952	2760	iexplore.exe	29
PID 2760 wrote to memory of 2952	2760	iexplore.exe	29
PID 2760 wrote to memory of 2952	2760	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\DISCOVER\COMPATBL\DEFAULT.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
  2⤵
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9faf5efb4956d1226b62cef56ba6ce88

SHA1
2c1750837ebf4e984b9ac71f6e71ebc8fe99f187

SHA256
c337dc53ab8e426f7b373cfd215698cef67d33a2f0ece10c2c51a57582412a39

SHA512
437ccaaa287a9c3b8756268d68f0015652194a58582fa7019d3f43f209f8edc62513ebafa7ed3278f4d9b2d830a5e5acaaac52daf332a6ca0be4e6920cceadd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
625253d496fe8a9c8a732fd355dfe661

SHA1
ea34c77274e603a0d10ba61b180f9618f6b1a61b

SHA256
20b393ebdefd6f2857651d527a56bfde390ad3998110905780e8be02b5abafab

SHA512
22ce7178804edd125ec85c3d16fbec24ea6c14a130c9c235be0763cb15569a9775ef5d394aa4a50b8d885e418fd1b3432201b2cc4ada0aec4e52969fa37f1179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cde2b342be38749fa88b188a41897ea9

SHA1
d77131d8e0288b0bcf8834820aa461a4718f22f1

SHA256
658f3ab69870fc520bb6d0aff143bdcbd7dff01be99acfcb46a7d94ba4cf0a86

SHA512
3151feedca465ad958837a7734da9127e63f564c4692e07cef45871ee065729d7bcb997996a13d691946bf8c3c30183dbbab9172350841ea4072d60b21a2c4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef294b396babd13662a6a7ec71d212fc

SHA1
34a726273316d694253928bc01576e6b7e6dff4a

SHA256
ded517baf711dfc991b83e5544c02d687701623a1d49abc55545d2c0044b18c6

SHA512
28a4cdfb123fba9544056437930f438a2f93c04613759adb333afa7d81253d5f89044a7a9181bffbd73669c4fe5f1bb87d1a33a7b3d006057446960294fcd0c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5aa83f1aa6ce33763bad7a4956ab8022

SHA1
e5fd4f6f5f1ea8588042d0f457efa269ad03bc7b

SHA256
29a5d19ed19a1c2d10a8ff2e6a7f497cfc6d8428509e82a51acb8cf570aea9e1

SHA512
3feda117e1b7a91c9e8656c04bc559d555ae9f2a2f0dd624f07bb72f1a3da45a7270bf0a55d395fae2a65ce1fce757f108a7eac2c072786c25333de9cdc860af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06c86af4e7001de034257c7ac653997b

SHA1
5836a67a1167da4cf725391e50a2f842baf3cce5

SHA256
dda47d483f2a136dad4b96dc076a7cb27b9ee8f320f617eabf90ac9857bf4d99

SHA512
051e2a9954a61ab2f54db040c593b0037a182cbdd652731cd85829b62ee7c8f0e75e4b38516182105558cdfcd39eaef9d82b16ce7d7d29e2d19ab51fc8f1874e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ea7a9b263153f3e45671b3193bd2bbe

SHA1
c23ad606d7686e81ed6495431abe1dd907dfea57

SHA256
7ef1479897507673c67f6c04660b314964426cfe60ef722583747e1bf2ffaa6a

SHA512
d647c06d9ff6a59954b44412f3f6c60cccccda0e351fe81caacc92dbbed14c113e564ef7e0134291eb7c6b70ceeab856b07213c33814beebddd35e29093c2ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9659.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar967B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit