43cff6abc2bd3abed6c3e604daf21efb28ea312a87684e0a2d5f590a44086494

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wpp/Setup.exe
Size

529KB
MD5

99b8d7e1f2d992ff45f7e953227e4da0
SHA1

501dbb3f200ee7cbeb176e639c1329cbcbbace77
SHA256

cbce497616214c0067141f0a5af344e1c97b16a7f3fa463cd1fae5f26c09ed61
SHA512

d1fffe687c37db9a485fcde937591a7cd53377339a0f6ada799f797ea60541d53adade33bd6a14bc281ad1901762be9d02d5a39a73a5164895b04f5ed5538032
SSDEEP

12288:I1DYrSKxCTxLTP5aVx6aGxtXMaAd/VZS6y:IdYZClMVxaQZS6y

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428263439"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F048981-4C3E-11EF-A74E-76B5B9884319} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2868	iexplore.exe
2868	iexplore.exe
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2868	2924	Setup.exe	29
PID 2924 wrote to memory of 2868	2924	Setup.exe	29
PID 2924 wrote to memory of 2868	2924	Setup.exe	29
PID 2924 wrote to memory of 2868	2924	Setup.exe	29
PID 2868 wrote to memory of 3004	2868	iexplore.exe	30
PID 2868 wrote to memory of 3004	2868	iexplore.exe	30
PID 2868 wrote to memory of 3004	2868	iexplore.exe	30
PID 2868 wrote to memory of 3004	2868	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\wpp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\wpp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.crsky.com/soft/4818.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fc5180408a1338c6d7e24bf03e2f520

SHA1
9347e972623cad9241273ca61d835b7e57684bcf

SHA256
bca8efc0e5d076d0fba7241d1a543b53d8c09c5d806258a19ed258b62bf2c687

SHA512
01522f66e904e458af5266ec1838b0c6f5945fe17caff1129e8e0dc4a5eb02790f08d84190dd90b6d57e3781e658b2e379e20a503dc50221b2ab7dbf36fc8fc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65473da4bff16a12906cf9d79aa6e2cf

SHA1
188852bd2d31d4cd0e0c60e0c08a2605dc536123

SHA256
68e91937c8a26432ec3fd50755d3cd26dad78cc676158bebed2aa24dd1b3e19a

SHA512
46141ac76a25202e427317c4066af3869c08de9775f682fc4c7d790774a475f5c7b80e9846e5b1b267c1a072679dec634d3319de7595696ed66b37f383561b2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75775e274f51c8e87ef4977d4572850b

SHA1
7ed5b64e719abdfb095bb2714f22b0a83576c347

SHA256
ba68fc8e741bb413b53a8948c276c86a3e650ea761d66485e8f38795880af6fe

SHA512
cc5600367b553a04af3e437e1cc7be7e6deb5543bed548778f1a712243f9f5993dcc72e0f5d380f00a8cdb44ea6782aa5189a88ff0d8539d8beec43c371037cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f39f54d4681621ba8391b9aeb61cd8fb

SHA1
19556135fd4ae42641b79d8950c95edab7fdc4ef

SHA256
ad1cbdc9cd348c4c909bd9706ab57ac276ddb0c535f13026913b660cb8ace7eb

SHA512
6d379769d918318674843152b2671109335f6139dbbf9d4ece26339deed69363f057a118773c0586e74d09bddc0e476e7480f7ddd412ee4b109c44b96e9ec6c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35d24a5c0439267843fdfcd31f4f8451

SHA1
6cbd3d3195b467e1522895c99ef5c84f684f5ff8

SHA256
f8e1c6ed4eff7112cebf48e19a44af722b540ecadb2bc4482d9ce3287b0f2a59

SHA512
fa34a11a7758b6667ec5a8793395e8fbf78bb9fbd38c58cdadfda5a2a02576e52ca6f4b09ffa4f2ca84e2d1a56ad5bb3d57703010c2221039752864219170502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b50a257848745fbe513de81e5928346f

SHA1
c8d06d2ae54499138b3955553ac8f1b4b27d395f

SHA256
b544dd11eec9078c27eee83f203f6713d8d2c2bd4d35bc13d2abaebdf3987ed9

SHA512
9d5aef2fff568ab6b1a6498aa1b0c6668e57a610035ba6a728e5439177024bf70fd538cab17947b5c81335d2d907c239cc7fea797e5129b832bc42bb56425407

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9f4da0fdcd68143da61efa174a4f6be

SHA1
7607ee83c2635a178c5520096a920ccf145a5fbf

SHA256
1dc1c5861f800b40484523afdff6a5b34bf6e77c2d5262b43d9533700d1b31eb

SHA512
29aeff103aeccb0ffa5278bbb9cbb6adb87944bff6650f84c929a92088577c0e4d59637efde5d53530a499bea70250a2aa27689c000f8dd52863a8610c1aaed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a8cc52295ceff3f5237e1d97cc20286

SHA1
5556bd0023e76aefc312041386fba6f4a9dc48af

SHA256
f50f9ff5e3d4ae32531fb52d58f73a1fe6d4a3a8c2dab48aaecdb11814657878

SHA512
a3b61bed417f8e40ad62ec3f4df0274cb148481a2f23bcfd69f551889814829653c6129d1be11bd71bd4fbe843b0af08b3bc0d78a8523a7e46cf2b0a80adbf18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e001acab111e65a8eb7a9e045a71712a

SHA1
acb19b8a2ba6d29dfb18dab39920f424bcecf3a3

SHA256
3a796e45227ac469aa254d3c5a8be7a1c708d6469b262016126e7c3fea61f42a

SHA512
0e8b2f5c92b8d93204b444b425baa6773a32248d1b7593da9e7266d45f25ad94df607fed67e2091d5e277ec75ccf7be8c2930d8cefe86d04aff1eadf6ed4684f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0c01542152315515660651179d210d5

SHA1
93c3a7c31cca2c70d2424e3913bd9b4c5fefa9be

SHA256
a420503593779af293c29823abfb87cdc4e545a2b8d7b8209da788c317c4a73d

SHA512
ab91fdb11ee3648a8900ae6c8f3a8761fe76d61932419e5f778972b129c05fd6ce6db758f02f8c6c9e60d4aa0998c71430107a9aaba44a3bb3422c179d0f0745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dc43bd108e786bd08f16e0819775acd

SHA1
3a144196f0cbdf241e573d2c42253c13ebd6997e

SHA256
1f2854f36e715ce296b26d683fa8d6754500d405707112b165fb4ad67dbe5a40

SHA512
22c42bf02d618349d7e9723c4bb473ba8a027bf656b88969965997a5fa33c3d8d6f59f637020de3f378c49c1fbf7d91acadd8b04a8118aaeaa10f2c44d766f9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
632f3a6f924c24b2728afb8e2c6c0e6e

SHA1
cfe7532979d7e350257fb0a7e3fb2d0a78fd234e

SHA256
78e37d8d406dfc35e964e8e32a472e65862f842cf8482d36bbe9c00d9e77a9f8

SHA512
70dc36c6116cbea8308d5894e8b73ada2540708abb599f9e2517c71eb8a2c1b9ef39a0de0285119a9b2e2b5d971c292fe69f63b47437b5022e67cddaf9ee7ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCBE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCCF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2924-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download