7b2e7cb37eb150318f0e83d22290f1224bbff9e7864fb57021bdee4a68e9f4d7

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web/cn_acclistadmin.htm
Size

2KB
MD5

67b08a1b0e92363a412439733229ecbc
SHA1

3e67c4130adee36b865583764787750aa740a544
SHA256

a0053b14ffe300ba8376e84979f001a3a379208f89452d789435c33ed76972a0
SHA512

6749af185cad05b1dd62b0b0bdbd5e7dd3ba5621ac85e8daa38dfe08cd731420afb3a50e72d355b7b2ec474dd8780b20a4e596de29a9fad507d566e7bf5e9ec4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000003966e7892fa62e3a8a6058db770c424ed03c71c3b49238e8f4f2ce1069e0cb91000000000e80000000020000200000006b60d528aaa6178df89bfcd1e5728b00acb7bba8fbc8a1c8fac3dfb95bb6264490000000c3b6631b21390fe0831da378816a21d9df6330e086ddb5f5fc76a627e3b1fd424c2f6a3c034f16dcdd43bd78d2fa608dba8e5699345f280b7f33c051d4495a726203e06fa7b8aca3bac9076713194513e8ff3fa28dcc9076196d43ac62e6360f532f62ac4f5e19e4ac124e484183be3e083313805b3c53386da8abbf8e02b54c133be5f21b53d563fc1fafb554b9bc5540000000c695be950da0716295e042147c3890ec90d4e4980100cc97e02f017e7bda8204b0d185ba7fb4e41fc8538376fb9cbbc3916b0e0f39b5d9477e88dc90ee2f8d4a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d0c00eabdfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000003d874e816816bbf11b8aac85359ef7be3c6d412ae8753c0389d29b5a3c111379000000000e80000000020000200000008f34d67005ab78af110512eaccb9f59dc6e77a03a9f65bedd7e8bd0d4b40fcdf20000000d93f3b35e46b732fb72d786d8168469d4c03c61bd2243c80ea26c7b07da9bada40000000de289eaaf40eb008c65b4f59ab03d6e88b19dac4a369116297e946b4778cf56e5d15a9054eec0b40df2342abb0437efb0bff16f5d34f855f73c438cc33464324	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A234A51-4B9E-11EF-853E-4605CC5911A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428194710"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2400	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2400	iexplore.exe
2400	iexplore.exe
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3004	2400	iexplore.exe	30
PID 2400 wrote to memory of 3004	2400	iexplore.exe	30
PID 2400 wrote to memory of 3004	2400	iexplore.exe	30
PID 2400 wrote to memory of 3004	2400	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\web\cn_acclistadmin.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
892900d2a502b1c31c5a97ee8585ca76

SHA1
d6c8df19ecc81bfe608a9f972ff923504bd9c2c3

SHA256
4386961e4c94e2ec35059e36eb61e25dc39ad265e0c9a5bdea6c163bb70d0ccd

SHA512
bb1fe6b9f5856fb8c3ee109309372073a8b94be27f4e597bc4619b441dd7316dd61cb3b8c56af6d9f1583ec8d7060213c8457a0d248396c057a6327e1a81a1d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38cf98bbcca70207e90d613f192b9813

SHA1
5897c4f88a8be9a8677036ea339b5ac6e8388b76

SHA256
b38e3761b90ea99920588d42f0662bdca87bb1f2f37738fd62db452cfb00235f

SHA512
79107ea8edb77355d61876361c97ce9ba26f7e391af529b75552109d98aaa91f7fce5c4e70a6d3f0d9e61f19168cd6eaaf647fb3270257eae7dee83fd1a4d3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98da16669fe0049b1bae1423c86d82bc

SHA1
88493bfa8ecea78bc0d4594d01ab5817079af3c9

SHA256
d6f5f898fe454aa163bd86e9d9fcc9369c188d7be4fb6a617c0431d3e26423ce

SHA512
2953d81207c537788db7bc261922cd28e8d323727683b506b0c1eeeb835617d53ca82700723e1ce87c6c7a49c912b95fceadf9e0aab7beed83d5ace625f0f9f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea3c10cb76759e012e5bda6d1d32ddaa

SHA1
710dfdd1a7be9887ab17f7262bd4d4b3a75155ea

SHA256
31eddabcf717381101b87cdd53fb992f8cf5d36afe5498281c651160d6a0416f

SHA512
168bcefc54ee71ec85fb7b1b423c3e2eb27b926b07c38564ba5c0ae6f6c380a8fff48b241195850d9260208e2a55c18eeebe3062071953f4ddc71651b5652ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c701d16769dda5a33e56154483d520a5

SHA1
8b0655ba4d8357e9f2114f2a2e4db92fc9f80a8f

SHA256
8dcdcf0903499a84beb76b6e8916abf4964f93bfb752270da9d5c85487a95878

SHA512
6a356c9d6d5f818557fd79be6ce0cfb363c686ae52a5675baf59b9e966a6ea8d413454402bf960b4b4880672d5a2ca4c9059b335b8570dbd3e7b07733e0fa58f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1113f77501b79a6337920f9b36a28b99

SHA1
bad1ddd8f3150d7068266ebb4e7eefbcb46ae27b

SHA256
e60eab7853a6fbc9639776b0bd0b692ca6adffa6bbce02dcdee49cf5ea886f23

SHA512
4f6232e693a0b0de4ff930aa729123b3276a6842b8456f322ea9c8131373b8f033d0f194e1bc54055a68e7ac5dd44e6ae760c82f57f8d1428c94c5e86dd16551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6821544b0a2e1a89c069e11d62c5735d

SHA1
f2c86338e34cbf7d511ecb118b7eb14bdf7fa924

SHA256
0f367a079ba8a3ea618c87fad92455ad94e25e406a9c9145db3b870dedf112f0

SHA512
2e507a5fcb7dfdad26c89cfc6068c48ffa21e269e57ba156d7ff54833e8cf8d00f082a9f635e6ea07f60aa2099353532b841ea4d18fc2286fad2e9deb2071adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30d88d2afbb56aec8418c75cc91e7b60

SHA1
ee65f712d9952219f8fc1c74511a576b3845e326

SHA256
adadc9d3729dda8254285add5c2062e3bb05023e4732c35e611851ccf2a2fbd4

SHA512
cabe4452df96d86c4dcf9892af17717e88d85a1c3b70b049b3bfb760332b589f4729a691d2c36d82176eb99b149f768e866f6c10a3ebe83e8338824f5bb0ff38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b90383c701a91869db2aa35a4edc964

SHA1
8e46c26dfbd7774811176b65ac32b168dddecea7

SHA256
4c010e0ed03dc51fdb79301252e37a76c8dd1a44a8d2179ca43236516ee11a6c

SHA512
4cb57245548ce408b6edd86ee3269f2c4fd66ca709e514031c24ae4de779be808b248c9c420ca806787f42ae8898594617eb7a1ab0b1c1c1d9ebe7bdc0fca648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d88a80b8e61193041e73ced6790f7db

SHA1
3198564ad78cec18ed6a463154e20d4ef23a2726

SHA256
162802a1631249f2e449f7aeba0f31ba93a934b543c6e94c13c2acbe0cbc9f8b

SHA512
dca48913cbbeee1ba2746bafb65d4edff9f054a8ce62f5b918ae042a82685059e84a932a87eeb25d6ee732530a26fc3b3e71b276d16b0ddcc97ba66e8b530e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c48680c7cd7bedfe00f4f8041c16f744

SHA1
2abab04ddbc427959a20996b4c7bcfe75355b231

SHA256
ae12eaabb130996ccf86bbafb4d7c20eb68204e23778eb9707d553b8120f962f

SHA512
5020dca60beb3279c3ff8c1ef717e1953eee5879c10c16cc648cc43a8794050ad3627f72eb0c42590edf85a6a3149176dc46e2da946bc0077ec71380e79d2ffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33445f56eee8c7b52a5fc50dd0b41553

SHA1
be7709bf7e80e0ac22eb08615ae1a0ac2b8639de

SHA256
ac071e4640b25b75d7061223ff34b426f497f76a9a3e52d851059fd0cdd9c61c

SHA512
dbe400f1c5aaa33e6a07758922e01507d9ae2515e119bc2e5b1529e9d8e516c4615aad30b722f748a97baeb455f1d40ea58e22897044257a935dfba02c671975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbb73cb50dc93a56604d48181786d6e5

SHA1
b69f38f6b8de8b77a7e8db8feedf788f79038774

SHA256
9e8f3f1e96ce984fc2a3f048229de5eae7f29816cffed9a5aad9937858991fdd

SHA512
aedfb67e6387cc6d16a6a755fa5ccd344005288299befd1e7ce161ffc7297cdec5c978dffb5f83928050b6abf62345e87d79b4716f90698116af575cb158940b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7c4508bd64766088e0f3e8188785073

SHA1
e5cf79ca85984a9e2f42911e643464e889ab199c

SHA256
eb4495d0ce0a1a0847819bf270b3d8fe2f5e637121cb4393db87ee2dfcd7fed1

SHA512
593288af18d4139faade04cbeff7d1fb5c9285148bc001d41c747876202e1291ed905eb1a455a06a59488387e8a89df29ff59d9415b76127098af321a64aab4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
701c61bf79cfdfc5c40d727ae0fc2545

SHA1
e15648d62c1ba78ff7579a5a286d2ffa2c1eeac0

SHA256
710b06d85552d17d98b896a50f3da280e09464b8280aaab3162bda3b4dd3ea95

SHA512
f7f4173f6ac17e07462b4e3a7a3f0168a03d958f15a7f4ef18ca8fe10d6ac8ce2fa71acb78faccff826e1e8c33e059a317bafb63d9d68110dbc9b1313da36660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab44aa78d969a3e63171e45c5338877f

SHA1
3fdabe7bc14431908489ee96a71d15f0710b3f5d

SHA256
cf690c2349bf13899696d7b439dfff88303d748c266168f0cb0c99cd9a9faa9e

SHA512
2e5515842df6583c0578b774c482639e636a381555f284ac6b4475041201dc3f476f223d362c40a2f1415376636218c826b1119375743140da399aaf716997f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCAC1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB7F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit