0b25dc9906d1268beff19723e00b354122385059138c8e303d1aa112559fb2c1

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$LOCALAPPDATA/t7x/data/launcher/main.html
Size

3KB
MD5

e7e0ab080d5ad004eb055f2c845aadf9
SHA1

d259e512834c43d743394456f1f891b42fbca0a9
SHA256

4539b58a87ca86398ddb24bacc9be1195c5166cbfeecb3aeefeef360165ba6c7
SHA512

2625af7c3828e5cf0f36dbaa7dcee3badf03debf63c07f0a7076d713a2de2bad46dadb8a2e3df43636065a5acced3726c9cb77bc5f0fa9da3e9d1bb52b54c3d5

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B75D67E1-505C-11EF-B88D-EAA2AC88CDB5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428716331"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000fbd1da98aabdaaee04a945c56104a66b8ad508b16ef44454226ce35169d850a4000000000e8000000002000020000000337eaf643f9ff09685118dcc2b076350a44f993f431c4cf2d98a0a692f14b3bd90000000a35eadca3c4db459834542f7ad30a8f28efe6e88cbc28f76484b710806fda2b5606bd7fef4ed73c708a49b0de2e3dc60d9380290d2a10770b7bb99af5c1119f26c74e4daf7f7043a43eea88657c8571bab984e29ae8602779f83b1ce3648443782caa5af8dbec8c941d21795f5565ff7dfe66e8299aca378bbb7a3849790a1f503048cf2e263d9eb8974c5fadfae79b54000000010354d1efaed94ca97bfb96c7431dd2dce82f5a87634d296f866f8e6db665f7281ca64b12ab4706a97ed9f518142bfdb410e93107aa51b516cfc7b28148e2f5e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c92000000000200000000001066000000010000200000008bd4b253a1165406e12fab855629a03158a5e5fc79e437ea02b2c97a348178d2000000000e8000000002000020000000b9b8be5a97a57fa90c399f00df7e9c2bda95f38ce71fb3c63962a0155fe53f5d20000000eb1f3031d58643e43c36be1ee125d888ada27d3140a9611c044f3f64df1fbcaa400000008b5bc9acf830071eaa0c759e357afd82a831442a1429eba63a51ff215edb1b5de7a4cd10929b92f11a62431c97ec0181071114f100b505e867f8ef58a4dfe318	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301be08b69e4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2244	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2244	iexplore.exe
2244	iexplore.exe
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2692	2244	iexplore.exe	30
PID 2244 wrote to memory of 2692	2244	iexplore.exe	30
PID 2244 wrote to memory of 2692	2244	iexplore.exe	30
PID 2244 wrote to memory of 2692	2244	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\t7x\data\launcher\main.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ee99eda098e9ec4a982846744bcd680

SHA1
17a1e884f2457ba6bedec9beb4b2a7c9b19887e5

SHA256
ee73d00aecbfb8a01ab0f7fbfa87b87f1bc89f752e97987a4bfdea82cef23608

SHA512
009fa3ca3e8bcb7797750a7f94b5f8ad784d351754eab7842cff9e853d86c11cb546ce61362212089a9ba9b99dc149a76c3b22091b1df31751a1a7f4a7afaf62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d76206db471b6b25a215cddfbed73f34

SHA1
f4ea94c673d011dec3e0d18590f291bc2a23291f

SHA256
cf64d47dc85e524abd27b3fa96b679a00bb0d21c94d91c8cf2987157d4304545

SHA512
e8bb35371c4304c8381791120d3ce944c814fea64f886c6038cae0490dffe23b4885893e8cb49cdd0ab7ccc65c89f3554c05a514e19e79b43d8387798d72a0db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6e2b7bc5de9ac743e64c27af2242449

SHA1
1d798d74531fdc707e6a5139124a6dfa76eed12a

SHA256
df4b518ee782f0143e98205dcd1ba4b655a0b7f5a0c6438be51c44cc4d2e5a72

SHA512
5dc82c9b4028bce2c442081e2f90bd1007ed7ea6568d68628080fbae51139d8718c0da7edca0a1ad790cecf9d50718f747ae700bd176c44f338bcf85892b3942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
434c11764505ad083510a907076a5d49

SHA1
d2c1ca9fd6b98084bee6dd19bc2484d1a88ba9fe

SHA256
1d5fdea0ce44fa88ad81a8d921c7b5a09a0324c352c9f594c1c9a2c3be994e08

SHA512
941b1c0d751a0891266df9d9ad41eeed6cd4c48865b3f998aec04a64ebb6d33350e4ae0db31e77621b8943b42e5cd78a66ac5f51d109498e90788d150b0de028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
626ecdfc02b628e95467f03e7bf729d2

SHA1
b9637f1e9d2f8295f40895c97ff369fb81eda345

SHA256
d3ca320605017cffff3e99aa1c39bd4d34c17b1e2098609b83b1959789786f42

SHA512
692ec2cc562feaee561d121c1aa851a588bd6942e75cdfd87c603255621915d9cb06772a090ec6ec8dd5f9d751eee3a7d496463179a465f231ea56c026066dce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b510e464b333914773b468d02be91f8d

SHA1
1445c9423b0d2c96be2880fed58d77e043cad76d

SHA256
66c216a2525922734d67cb2e429d136435c994a8525173e7a1d43c5ad9e8fa04

SHA512
2005ba99a90394d0d815ff5689e4d1c6dd765a1ee7e7f169753c9db879d4bb41a895a9818e0478beaff1bafe579cf425a21d4df6bc208a6e7b92ae777c469dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fef306c3309a357ba645b3f5fc8187c

SHA1
e577c31e11b55e527017f8595704f8af2700477c

SHA256
8d0bb3837cfd2ad1e4a76803ead760f22a66517881a9257f5e6b97f1278b9a19

SHA512
adf9b03281be8ff68468168bb988749274f581e27ca0bef654849c461a13e081eda3754075ad84bb999086e95a1e1cdd7ae6d69d4b1aa85237f5a223e963e3dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2d442ecd5ed742076f9dcbdafb8d8cd

SHA1
c8ae032ad1188124b88653052aed5e7f6daa1fbe

SHA256
e538e1a7894037774e4ce70ed24922dbebcab8e6d625a4809df96fca8640948a

SHA512
af206c5364e8850e9757b8d61e0b02303925ce1a4c09a9a5e3fd2e1e9660bb06d7e6bdfc14d76219671473e20af89a295911c39f7c2487814c2adba22466f170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea89bddc839c158be7fcd8a2de0c079

SHA1
2dbf862d5ec99daa704af69dd5083310cb34a58d

SHA256
eebe2bc2240970ca974a5a30a556ab3585d3a9289be2dc909b2f8ab13c7476d7

SHA512
8d914a9136d16c54ef43c219201b35bfc90f45ba83ae1f6ae2022373f4cb8fb0a71fe1c9526817b5c2bddf5cfbd092977fc4368cca3c622f75f33497e10c8f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73ec6da0c0a59b2384681df36c59b3c7

SHA1
06d7b59f1377472d9f71c32496322402b33dbbf4

SHA256
ba5cf17572890b9affee3aa3dbc96864b9b2cbb13e94ac135485e90f3d74f2bc

SHA512
607c22cf6e66d52f494adf401154bad47efc69ebd0fd26e487396364a2c394327ac6777958e87bc09f46f279540d49f8e025490f1cf18a19acdc04089291a036

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a86154233d87b0d8d741c23380bac12

SHA1
07d56eb15f4dfa30b5ad432a2ee7c5f5d1ce9161

SHA256
c33e8e836267080d60b8069ea3fc30529fad0e8e0b0f41eed9d5fd58dae11f9b

SHA512
d99c42f52c8d22c65d6013cabacd69e3be8d6a5540c9ce8b4699199374d60310680fe72430461b9d0ba655834e496a3ced6ceda14160b98fe776345a81a08c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8FD4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9054.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit