Analysis
-
max time kernel
16s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
28-07-2024 23:36
Static task
static1
Behavioral task
behavioral1
Sample
dabJcg.html
Resource
win7-20240705-en
General
-
Target
dabJcg.html
-
Size
492B
-
MD5
f518ceafc916251539fa397ef42751c2
-
SHA1
72ff99ce50a7582f9791c52aae33e032b1196bba
-
SHA256
2424e7d02f79be94621e462336220b568f903323e9c5558521871787940693cf
-
SHA512
3037465c4e22488081c2fb7cd73a3bd1dc4b7ea8bcb3e392460d4de177fc7fc643ee6ff0dd99d6e86e1f49fff7850bc7efc7d40f4ec1e5a11cc5abc99a9f0c92
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
IEXPLORE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{412655C1-4D3A-11EF-A432-EE88FE214989} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1636 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1636 iexplore.exe 1636 iexplore.exe 2156 IEXPLORE.EXE 2156 IEXPLORE.EXE 2156 IEXPLORE.EXE 2156 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
iexplore.exedescription pid process target process PID 1636 wrote to memory of 2156 1636 iexplore.exe IEXPLORE.EXE PID 1636 wrote to memory of 2156 1636 iexplore.exe IEXPLORE.EXE PID 1636 wrote to memory of 2156 1636 iexplore.exe IEXPLORE.EXE PID 1636 wrote to memory of 2156 1636 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\dabJcg.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD546f0855bbc03ac897bb28b80cd01a78a
SHA11de7dca4e656091ab31fc9ade473408f91480283
SHA2568c128621937a4dfa675ea6f72d2851f4b41860f9a06cd32335f44d0ccb70ccdc
SHA5126f46fd75d1c7ad09a06346ac1b9cea032a4fc03b68fef9acb1b32d487bcacbd3c07eef2e6f3adf6cf5bcaf0b5ad4c49dcd29c6603ad578885cf17b9dfa3da3c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5bb86ae1d2e2e3007d55200b9934512d6
SHA1ad70c1842b7d44c7e0929d6d370fa41bd2a848d5
SHA256c5e4ae18ee85040f13f7ff4fe64f17308d76f003db8c8ab59c722c02f82a679a
SHA51278fa7e00a92da75b85ef6c57327c6a980e2b866eca8791890a823246995700ff8a40fceacd50226333ecb17ea5ed2bb87b03a7af7db79174e32912df1df39902
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c92c6772401c958f8f041a7f5dec2ded
SHA13144f8dccf914b17b704bad85dbd4e8fcfadf6db
SHA256a2d165ec8e846d0421960018ce343e533c63ccaf2cd258c663da2b5818dde3f3
SHA51240a313aea0345fac222306b6cb554f14e6dd25066d7293e1ad66011e229c964fd4402c7b8b734ff2969af5345540903cf651dedb7de0ce5a0a64f8622ddc175c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e7d5c81891b29ae5b8f9437a65aa8f71
SHA14dcc40559d577a85e1b262b5031603d1bee91ac7
SHA25652c1165713694bd2ec3d1d13e779999f46693952d3956cec80b8dbc299dd7f00
SHA512dcc94542c6b10044f71d2a83882a65158dc434a89a6b96fd65181aa17cb589cadf780c61293b713bd368f09bcb333742d7a09f92cefe8f129ba336ad9c24b312
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ee53d046bf94ef470991c3b9a6d16c00
SHA11558fe0f9c9b67a496d3536a30099e45fc092744
SHA25681fb0e2f0acb3195ceb35135c6f08cb074f14922023cf8d68695bad4d31da384
SHA512e82e0e4437962af8f6080ab19cbc6ddcd1c073d30dbe441f3677df3cd052ebd4f8128b7accaaf9af4715f06ec5e20714be5c099177386b564751dcb83b6207b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD517a71653cbb3e7b03c179699830ca78d
SHA169488bc36289997c669b8d7519f1f436e568f5db
SHA256b40b4b2b29b02f1c41ba62f35fbb9caf0de69734d02ce3852d248d503bf34696
SHA512ce0c8ea92722e2ce95502c302461abcb670d0440d4405b4fafb7eca91c83c1ada9a06f8de7c5c8cb78d6cb8d46745c78e65acd7fc0a5230cc8f24c1cd7ac43bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD500fca493f5d3340d5868d97ae5fcf487
SHA175e1272233c48e530c00ab23d50b3d20d75bd050
SHA2563f11667c0b9161c050766c9bc3d4f140acbb2d6841d5a78ce967e63a174cff19
SHA512b9687b11bf20c202a4996ec5f69c4ae11e1226f8554c11d01e094c7eb7109fac66506c8dba0e636dd20df59029f173082e4640a3be19378e2f9e450a2fa30146
-
C:\Users\Admin\AppData\Local\Temp\Cab602D.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\Tar60FB.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b