7b2e7cb37eb150318f0e83d22290f1224bbff9e7864fb57021bdee4a68e9f4d7

Analysis

max time kernel
136s
max time network
134s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web/en_acclistuser.htm
Size

2KB
MD5

23fa3c5bb5d627b025507326f9ff478b
SHA1

003445a287aa1eb876717ba69f94b19030398b8e
SHA256

9ccce33fcaa7051d383f27c4d230c9f74607432b674fe4caaf2ef9566356db57
SHA512

d61d19aafb33e82cab46676239d172548f55dd3d847e70afcd01432e444afa89197138b69946d7ec6720296f5a27ee1bb4e5a5166608c9896adccabe4ad7d44f

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000009ecc91e6a29521d0dda18093a6da0c5d50b52f3a8ef63a1aab4266ddf23cb049000000000e800000000200002000000053c89fad70db7bb0600575b4ead64fe084ccb1b5041f1a0405374e8b648f157790000000d0460306a00496ab31e6ef8d145319ef22522173b82e7157b88f8ffb663600b7167f93ba0cfd01fd051a1451dc01d0b4a4afadfa6b48217714225b17f81b5a03e9f0a9de6ac707c25dbbbb77bb98d2aa8f66a2207187b0bbfc57a40f72ae9ebb2c4c27d74e17c9d822a4c9a9a9f2f4492ac7f6eee3b9cf3b3d00dc0ec723cf3f34498edbdaeb2f88e3139a87d89ab3384000000008c2765c4173836fcd28b743f18d9e41f9d7ca457cda1fb6bbe18d179887c6785f7cfe6214f7a9afc82d4eb9e2554768bb678bd196af41e1e6bec94fbe3cdeda	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1979B7D1-4B9E-11EF-920C-D692ACB8436A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000fa87acf91b44d15b1480998bb0b2f265d843c1b617d626746081ef0cd7d1d435000000000e800000000200002000000026a1153acc927f7fbf2842b1596066b4f6dbc00fe83aac9b9f11b1bceb3db3202000000006d64c7d8bce6a0a9b0fe28a46da0b2bf8ebe159ccc392456379558b620e4f7240000000130c6870942b0fcef91f683dd750447ccd1cfab3c2d69e1dd538f2655c7d25993fb18c7646cd63b5f389b92ed601513d1282bde141eeb1b64227ebc85e424cf1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428194657"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508d72eeaadfda01	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2540	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2540	iexplore.exe
2540	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2700	2540	iexplore.exe	29
PID 2540 wrote to memory of 2700	2540	iexplore.exe	29
PID 2540 wrote to memory of 2700	2540	iexplore.exe	29
PID 2540 wrote to memory of 2700	2540	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\web\en_acclistuser.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8705e562de0c869abff498deece30842

SHA1
e29da19152759a231347a7814e32dce88216df9c

SHA256
bff53fa4f32d1ac4a16eb812acc62567e45de4ae8518b4b98edd0f1aa453993d

SHA512
af3b20c87332374fec86c19de908d94aefaa0dc3d8c1b52407741c634b106f8074778111d87919b9b951e261340775a8aacd21412f2bd8a7c15045f20fa2b880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40983ecbc19a26912ed92826b682d50d

SHA1
fce5b226227f88d6b1ddb194c3406b98ba95ed5f

SHA256
ee876e7b2cf57d9d51ea18771083c0fc2c8ca94b34db740274f0b04db9ad3453

SHA512
cdc3a4591cd1c7fe498c6437fce48152ad6387931ec7ed5ca8664f7dc8fb00f4bcf0ddb119fd4936240fec96283f56ec3b47796009a694e24ce0784699603466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2c17a1c3d117797d24f2a2c1a094fb7

SHA1
b72dfcd50b1eff260a15b3fede366f1f3c66701c

SHA256
4ec2e8e70b15648365c4f5031cc79b3304a063efe2100ace4998c29aaf7c1414

SHA512
13b071c9e952153237269928a117f8239c16b8489ce04d454f5e20d4605d3f37085f151f19fdd238a955437fe2509d2f25a5e9f5aea20c74dc6c39aded913247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
930a0620eee6c18a2c4d53179807e36f

SHA1
26b682ef4a407ffc4c40331a78351a8cb63cffed

SHA256
63c49ce0ec4bb3994764d66925f02ee52c6ab595d5d8731779c5fcfe87e08a81

SHA512
8b6d0762e1f2c68c1589b2789ff677e405c2a3262b79bf28dc6b62f5657021eca54cedcf1566730d8f2cfdf05236fb0706eec5ffd9ddddca3acc2f39c3f859c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40c3f247202c8c6960e68999bdb0961

SHA1
6719bac8c6e5ed07542edd02241d13dbc4f7d6d3

SHA256
9b061f0523fcbc3711002c221b8a57ad7a52adc8bafc3919a9adb3b3ded96923

SHA512
0de3baf86f20428914d1c6cb7d59cd37f8b8c205fa2efd1a22d27f3d886b7c9fb6fee23e6566fdf94f60968cfe777d5a58d68a011feb8c181cf4e12471464f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4cdd328c229594c402662b61d6b6340

SHA1
b777d9467ed70abb4e7ba4430ed5c8ac6db17b77

SHA256
eff2739b87077e9901a6a368e07e17211c1ad91457f4096d7d680e5cc595a3a9

SHA512
287bb7db6001b748484de11d3b5460a507871e18494a38681462405e45000de93150bc59784d2e056190ad1d716bc517dfe265277cd3ebde2c5ed1fb92ea7152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56feffabd2eaaeedfa6b018c26b7b299

SHA1
3a770d9191f8278d60e03541dcc4ab34b5931a54

SHA256
475562922732f268c4a7e4c0030db16beef768cb1b6548bec2ced0c702eea0e5

SHA512
ea0e8371fd060754355694390552e7380b5f5e5e949d7e3b7ddf585dc88a4c1dada4367e7295df2e918c7ef4382e546e31dd0f2726a1546b53312bd8a1722ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
270561f823b26e6d34458eef33c0cb56

SHA1
d181aa01b031a547ac53876961ef638a469a2619

SHA256
4f110846f255dc4466ebe4f8bf37f580b42c34471249e6eb2f7715b16ed00b5d

SHA512
f0f31e656a526eaeaae50221dc4c9d14cb798707066b1005c17358a8e27692837f37b08e7238ad84acbdd7ea61d078e43c4759359ab08567db6cb7c231830711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddce43be5131047380e76e644a31027e

SHA1
3b6bd0f2adf3e163b4732bd38d6b152fe1cf43cb

SHA256
3ab5be4262c26d3e25ea17c4c326a01b3c94991e86d11bc7607e81a5f45161fc

SHA512
41d96fbbeae02480a81e4992ae108411b2ab3b3541948765c6ff96ae695eab33e2d20b265455eaa2288df6d7cee5f8274710ee0415abd2aadc406aa2bf8496ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80887527b8ffcbc4af38fbc7d96d02cc

SHA1
a1c9956a4ca4025d4b6a927e527a8bc86e598523

SHA256
36d7d53bf6deb9b5a6bed3a6e79613684ee58d3ab351a765329ac37156ea3a97

SHA512
d31818b14537a21e0657963f527a05db4cb03a284033080a86264e8981c1cb8265394edc334a760f5c1b9d982d659154013202ada0ce139770ddc4c6de7369f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5983f38baa98f4b0b32810d33622613

SHA1
f169816979e762612fcbce90aae58c219daf60f6

SHA256
8383932fa3fe0dcc6fe72863f8dbf8059e07f9fc4d62eff10f6dd32bcd500023

SHA512
3ea69c2a149d3a94d95ed2ee585657441fe61e62ad677485f0c72deae7d87f4fe8f8e0ff2fd9987856b9c21c600bd5b228b0f0f50eae9ff2ab73540e7b827252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc49bf65d75991a5eedbd15d526a6d2

SHA1
b366cdad12e6b433c62106607b41279c80f43fe9

SHA256
ab77724f933433b539f12526fd670676c2016cce734febfb10069ff29c815d2f

SHA512
807dc63f80fa479cc8df26ee492a080ee3adb9eb368a3a4daf9c705810d1e796611a2ba33b5e82b72aacd763f7eff5c9d9e83a04215c483267ad9174ce26411a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
897762c08fd88e52d654510408cab28b

SHA1
775d956bca7f9dbeb063a809affbaa276d372ef2

SHA256
9e1b883adb9465e3d03cab103046fe0bbfb5dbd8185909a5407b28e834f9bd74

SHA512
081b4c9be05515265c715b7ae08fa0a4b41a38106c61b031866110a1b99504fa61bd02b3c8fd4624883161fb45648d78ce687510b4ae26c55aeb26255bbfb36b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd27c926a23d32c48694b4816e9e31c5

SHA1
a6de911c481e6d80c5358b769a4fffd21ee5aa5f

SHA256
105da4786850c9b15abb94748ca9f9dfc5c5e6e5d1271e817ad252ab6860d78e

SHA512
ac4c93b33aacbd8fb3ae508c974a385ac36d9822896f56b40e6d128d08529ddaa3c389d8b5ff335780e23bfc5c3e387e91207144120602330db7fa63cb6501bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d54b39d8cee9a59b82fba7ca9d7c4351

SHA1
99b1911f5937f97f62a8bc63365aa95e423730b1

SHA256
baf7acdb86335de6022fdd162d8ac0d9b57a2128136bad49e52848ef6aa8e580

SHA512
1b0aaefc5d971e6cb55d950d2cc39ef2aa33fbeada2a2bb36ef9f9d3c96be5ba8c85f70b02b295d2fd9f17d369bcc8c4c874f0531715b9edfc8d6ade848843c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6132dca6e7369de93f8ff917365c115a

SHA1
3465b5db4633cc3c0d14311559d373f2149b2fc2

SHA256
83172e7c10862bb5c82e02a24e19cc081a8dbaee8a5f94891a4953ba1d64da9f

SHA512
4614e121d050c5096cdefd684444f0c6f576528ed2bf5fef0d6ccb1c6d00bf30eb7800d88df56fc9f0a43cfe2570d680896ad2f1c1004d83f50e49079e18335b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2761.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar283F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit