9eb2c3960897cdc96644d079ca4d49a57a4026c64fc16212667d54b2e9439998

Analysis

max time kernel
120s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

12KB
MD5

1900c123a037a780f14bee508b9e2bc3
SHA1

1e16b411ecf456ad4f04b3c7b8dc567efe54b780
SHA256

9eb2c3960897cdc96644d079ca4d49a57a4026c64fc16212667d54b2e9439998
SHA512

3787ea7f7279db7e4930eac0baff008ad37f488959cb0e007abedfd6ac9c70f720a0ae321dc6bd8bcca507aa34c7620e9e3ff7dd08f202cdfdf2871781f73682
SSDEEP

192:GaqQz0i6s/ilhd8yMujUwnc3FZ4McBU/6PL+uxhOr1DHL7yFtE/5Wb8ILKWbldrN:Gaqu0aOxUw21rynArtvysf7GAk

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D11B2181-490F-11EF-937B-6ED41388558A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40553ca81cddda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427913647"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000080918f8d0beb6467c7f6054ba15758f583464e4d4b5dfb79896a37134cfe4908000000000e8000000002000020000000863147e34d4be04d4ee986b805197ce08242818c72aaf63e8424cde849072eb190000000b4f7fb8d73f5e723889a709d2b5543c24d76b8c807c57a466d47d18f73a92d155822e19d1a84123ee4508baacad43630013d70e4122fc3ee77f38865e93e19fb78233c77537bb04a07a30800865bf68afeb445dc94a46a531e2092c39979932021e976fbb844921fd586c6329f1347e5259b90f7193a64989a7f764169f9c0b6dd57e05998c586b1671053c791e3791c400000005b14347f461bf0b20583256791034088c1304d6c678ad7c3c20c7ad37e0c1e0caf2147a7af239b61b002da04aabd6db920d5e90b8e991b8dcaa1a6bff792b766	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f000000000200000000001066000000010000200000008f67c7505af5639379d37858b348d1314db625670d239ab4ccb85656a26056d0000000000e8000000002000020000000e7ba134bd15c07b81af08497a6bd623d95419fc26231b62f79830d583790db9320000000c681c2f7640eaa12e63e751d3cb08bf26ddbc278a276e947e51078be86a3fd2b40000000dd155ed6670a31617109fe93706d1e0442dfd833ce010d54663343ea2ff711a13c82c6ab1bffd0de2fd9dc266d36ea98e878520637f760e02c0ae7c40a6aa72b	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2732	iexplore.exe
2732	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2712	2732	iexplore.exe	30
PID 2732 wrote to memory of 2712	2732	iexplore.exe	30
PID 2732 wrote to memory of 2712	2732	iexplore.exe	30
PID 2732 wrote to memory of 2712	2732	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\[email protected]
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2712

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c0956ae1264994431451ba9f84970ed

SHA1
ec8922b0ac5234cfe1c1a88570a2a8d20a8f2c6f

SHA256
f93052c4fc9f2e5961ac38b19c2ff2f84f5556b3e864430664cab68ba1df931b

SHA512
4421a038ca6b07d2f23284d4be7d49cab0738538eba5a45e794232df291c5ab3ebf5a8ce4fd2f2820a1bdf724b9ee0daaa6a8b91da73959e4926dd5acbb993f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b2e7f09e8b28c4ba65211f98128d7bd

SHA1
ebe8d22f3278f1e129130fec410d3f66993dba9c

SHA256
e97e93aba217271690bc6ecc68c200371647f856eb0636e1fd237207ea276b89

SHA512
bad98e6f367b1f550f79922c3be9fcee73114ab18a00272a6752cb49dffd3df46c14bd27b2bcba56a0a3dde4fa33918c0233c3633e55dd9a15f8e0237697bed8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f0702bc382cb803fd1f9c7f9daf1d5d

SHA1
2a3fffeda1a5013d0fe0de64a25c715b446f4b72

SHA256
a69680ca411e920af56abba28668a8df39e8a37f173bf999226efedb50e46406

SHA512
7808b78fbde0b1fe90fa10ebbbbc7ae372cfff31c82c57340efab855261a7b45d1a80c1c009032aa903fee4c1779f57e0bc762d7051e2d8dcde692ddd171cfd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e3c41fe04ae15e213f9506e6ee95972

SHA1
be1ac73f7749663f807ff9e954a088660dc33465

SHA256
475275ce8684ffb7339549481d65bf90a1fccbaf3158b471cabd05f03054dde5

SHA512
8e1500ae172e5d216497616c85947b33c409361327c0a4aa3c820292861b2c27c44c871544fdc3332f9d822ca3df0454fb1773b38fee61f97abe99722ca3035e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5e501c3d21aa3b96bf9a4ddfbbb3cc6

SHA1
0616e4bcbd0a4b31d7ef117713edf171cea6b17c

SHA256
b7e91fcc16c142ffe211764a67c013d0a4ed45898c7c0c33e0b7b327a35841b8

SHA512
ef0361a13b9c571d27fd6b09ac94fd4a6baa9023c8bc8b6152f802ac8a8496e90c2bad58d20d91afc6afd60b9243466d0c3f9cf6c315a56893314b689cbd4980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6140b75582c3a7ee481e9d2ee9211d20

SHA1
77aae725b711cf45d5de128c5ce649576e3952ac

SHA256
26b2855a204723154e99000a753d7a8d341ffefe0239a9724303d211aac1bcc9

SHA512
87f9d6453682613b3b92de658527a0b15556bad6cc4a804ccf4f97d31d1878fc101ed16a63ec9d5493e2c78450015975ed2bfe58a6460fff612527bdd3507e8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04314032773cfa43e0d46e535e943d6b

SHA1
0e946cc172d1bd3e7ec335bba58458d8f1d3746d

SHA256
98d250d5fc142bd4967ec6a34f87391c7534296e01220951d49c526d48b89af2

SHA512
83bc6ef069a65786e91da74f201d1755ba8be60b4996dc03004685f2680a8ae833a807bd41ab8e7d2d91ad1bcf6530cf8eb32a87f0e28a659a37444f2ca6c610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
197ff379d037571de631692682da4450

SHA1
fe09b9564f84db16db71cae2f238a0167c03b0d9

SHA256
c591b4176575e9aeef17b799db8cf53671c68e089df60b808698f6be887fb8d8

SHA512
591ec63c300626608e6572abeddf60ee46a75d33311a8d716e8432edf8a74b7824f0d7e418b8b5b05fc9f70a5cb1f3af4e1d82962d43fbeee56a06dc90c8eadc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a46bc9801f587e49b7b60c383850a990

SHA1
425c2e57d871feae2d5939bf62eff1093982e5ad

SHA256
d3c1446f7a903c64adbbd63361a579f4b74025dcfd15c2de3bffb959f9b34881

SHA512
c43bebd3f0af21e9df6cfa8e6a4d87a7da73af72241b83040468881418d4c5a2a43b4180b5b0027a2ce46a55e4c8ff35d46d34505769e81bd1c66882d3a59d02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
069b96a4c013bbb3989d4dc0e724bca1

SHA1
484a281ab77f4e82ac341e12210b32350657c7bb

SHA256
045f2b94f5f4e1594051813562b263787959769082aa34dc7af53b481ab1cd84

SHA512
aeb3beff81a5bac3f255313ed0b4bfca5e743d375b5bc88eebc395794e3ec212ce6a43c56be9ea395d3ad5cac3b22ff17a1e7f6d235dc14da0076f57aec10eaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2efa5f201e705f464010779c9cac702c

SHA1
5c3c1f35f1e72090e350177c5cf45e15b30be6d4

SHA256
1ad0ca3083a9e706fb2c8a877711cdff0f63ac22751e60acdeaaf8018b6c9ebe

SHA512
23701c193170f01b754bb5c382450d11facc5705f3a3915068aba426d58c9f66b6a9b8e3683399723334f39d11ccd39601bab205fc4eac5e1d8efc9909f9f7e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c74a98d038e73416760f49c9d8678d40

SHA1
ae37f3ab3399a2477762e93de149b528a4149d4c

SHA256
30be7def9fd3fb1e298c80210a1d334380e661eb5c7f5be67d5dc68919ef9d43

SHA512
b92636c81393c041fe93866d6b2fa38e03eeaa39e84b7e76f8536d01cb6a7e271cf43ee057d9453716213324c7384a4ad904397149d5c2be6c052f2c30e32c09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb02bb408f63e08ae986e4d3e114bdc4

SHA1
aa6dbbe57eed51f179c3211d9bc5d0183dfbfa28

SHA256
fe06cf428e404b411b653320596b1d4df162adbff5db56a4243d8ffa2bdc0dd0

SHA512
49161b02444811d2fca1345c4020f7f8a9433f671e7b9e780c05caa4cfb9b317738dacaab7017c6178c30da1f2f20d7160461ad59858c9e4952225fd3d4dd939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22d8dc6b1eddedf71c585eca50e4f43c

SHA1
14998ba0853f930ea49f8c1ea8b32a127bedf81a

SHA256
bc80ce16b2d7621bcffbbf7b2ff2187544924a964c8c3b330ee569b38fb871ff

SHA512
b010298c546b3d065e6a8ae60876c443030b56bc0ebcf116dbdf09346283af7eccae65e27fe64807b39df5fc0fc5ef3d3cdfdb76e2142fb9b0888021b0e8a6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

Filesize
3KB

MD5
4adab207cb4403458c32d9f8861b4992

SHA1
b2b6974d343625a4a9bdb4da0713eb00b7620122

SHA256
9a2350faaf21fc9eb2e8af6e0a49115a0b5269dc6a1a7c263f02a31ac4a7c958

SHA512
75d67d4b010394d030d9b637f4590fde9fdbc5d7d479dc672aaf8c2e9ee2cafe4a5c2e33a128939fd6c73ebfc0754e7e48c55e671b38551581b31783edc71271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\wikipedia[1].ico

Filesize
2KB

MD5
904ce6bd2ef5e1eaa6de1eb02164436b

SHA1
b37ac89616b9e4c01a35991af59fe6b63e41a48e

SHA256
3638de61226857e62cf5187d7d59cf902111ad4f792b5bdff1bfed3f5ed5e608

SHA512
05044e298742b1520585ae3c029938036ebed50337608a600c4924a29e3624ce704f3b13fbe348d9e1b1e93b1e0abff9f53bbc9fd31929199f9a374f154f74c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80B7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar80B8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit