36541ba684f632171aeccb75ddb15bf5e31abf06b03b068eecf3c8818b972a32

Analysis

max time kernel
34s
max time network
35s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B6714BA457.html
Size

3KB
MD5

cdfa355f7ea4ca12848d3385ce40a35e
SHA1

dc55c9489e6e6c16a7a58a5c556bee276f162042
SHA256

36541ba684f632171aeccb75ddb15bf5e31abf06b03b068eecf3c8818b972a32
SHA512

c05508cf8a2466f938d483137d20090fa6a84de5d82fb1054b530bb365cf31847e0cc4f7b145db67f442be4af9c20e9d3fcd3ec022ee7119f12897f294636c7d

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903bd37255e4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D8FA171-5048-11EF-9E5F-7A7F57CBBBB1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb90000000002000000000010660000000100002000000034687b5b0aac3f1e407b06ebcdf80eccae31dec3509506f5e7e0fd3516e73bdd000000000e8000000002000020000000c0adb20085f0de034538aa40e28691f91ae355971d436f747b49761193e2a36f20000000add48abcde6b9cf97cad95071b179e5e70e1850ed56aeb3d987fe905854fdcf940000000c6ba30d41d28365079d05075fbec00bac196306f41014e1d83616712466bf51693efcb9dd0c802771598b822d6fdecd34c20872e284e71ca6301a365c6a415e1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000183f08e51fee25dbe7a3aa3d9dc9c827e8bf19b7516d4bd6a444ca5d88a1b6a2000000000e80000000020000200000003a9cebfefd556c72bfe8310290ae5e59323df3618565f76cc6f3a850313313ba90000000de9f0fc01526223f29e3a20ba1c4c14256b85463d4165d870554876d7ba6f251f1ef5f18fc516ce259f1dda32d65cc7cbdd5b7330e129a55565740d9908c34edfe25f9176030d5e9edcd8ef6622ee7305c0c27fa62239efc111fe664a8260fdc9d418c64f344c1961df4bae74540e85e29d0b839d83ddda3279af6300567afad530e71d348fcbf335c78d08604dddc00400000000d61f885189bb658c41548a6468eaee62bd340b4b4e549985706abe6c6de6a1d88dfdc18d285c39b7655d7c387bda9402f481f5722e68c12610d394da04c83d9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1792	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1792	iexplore.exe
1792	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2764	1792	iexplore.exe	30
PID 1792 wrote to memory of 2764	1792	iexplore.exe	30
PID 1792 wrote to memory of 2764	1792	iexplore.exe	30
PID 1792 wrote to memory of 2764	1792	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\B6714BA457.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6e20e4d430c2216afac53eb22e2ca2a

SHA1
1eaf0c3ef61ccf9243b75e98e350c5e52ca79dd8

SHA256
e6c9edc046c0b8ee086df44725c89a1330919c84345ea6453c2e574b22004373

SHA512
99365e0bc7ce6af62c2bf13273b6c3e1bcbd326948c3aca276252d4c9be848faa2ea04351d4afd605bcca7b72964d667c01c513065e5c3f870f75675e22fd937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed9b415cee4c04250c7e2d3fc49d1edc

SHA1
62b3214c5deea9747066a671ded2e6d81dec83fb

SHA256
eef046290c9ab9f26763a651917dfa83eab79bbee24b3efa011e2f9873a3fa21

SHA512
2d895bc2bf458546faa7beea1f65f623edb23b1537d68f709cd243168a3efe0057e832ec7cd00a90bbb97edf2f5e6a6e8c65e785f9c40c7953c74f1ca2def444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92c47762008f2133c542e3f0e85cf997

SHA1
bccf89b8793cfbffe27bba555813f10d6a9fe042

SHA256
71b0fe41ff65ca3320de60c93e5d591dd776966b15e8fd8ae53d4bbbc733f5cc

SHA512
a5e5b0d1d31d93077cca00ecb0ad74b7da9b385daf4bdb5e34e119bc41477e83522fcb4a77acb1164b6347602caf326c46d1c3a3e871e279f72d808646fa8a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0efcb6c0f832cad14d39fc6b58f6fe9

SHA1
5463a31c1ca8f985015ab9cafa3f44a78cf44168

SHA256
e4faf770c2e98758810b340613d419334634da653a4894412c5508283ba25aef

SHA512
abc97af695dadeb1c926225b5b79bacf181566987a7896462c60dc000a1e068210a032e979d85b82182dabda4bf4e25eae142d3a849198876c9342a1bc7144cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcbf86a7beaa2489dcffef4140a53da1

SHA1
0fc928fc537da12ecb3adc5ffca19743b70523a2

SHA256
f41a62d4ac9bae73acbebb5ec1f6735567c53aff4504825f655182042ac1236b

SHA512
dbdae44363df0922cd3fabecea28bfeea5b9766f505c83723acbe5f7a5ebb587d99cfa9f0547c185e5def9e3628508e07f3dde8e033ca76b454224e760a421bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fef2060bcb5b3d6f82ac9dfc8cc31718

SHA1
ea8c2041b9c9609ce45157c49616509e6cc3ef1b

SHA256
6168788f43f285bb5e937dee055fca4c271e05b7b967f356271a163c234df8b6

SHA512
501a478430ba19b6ad6e762809dec44aade87c9c4a9b74d4f3200ea25e6c29a9fb82a39de809dfdf2bc3cca81eff15d06bb9bff2200dcc958e39e60deede01b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf740ac132b1cf4d223fb6e9a1d1938d

SHA1
991a046982c8b80f0387ebc80185dbe56ef594a2

SHA256
0c7347131e876068d266e83d4a3487cd1ae69a3bcc614a62f1f45ea8729b802c

SHA512
2fee84b900f78708e33c5fb52b45eaf64ba3d424e3c3683d76a72da86d7a1e9a3b5443e167139c8c1eb57ee6e0e30369b6016c677e00b5f8afa1ab21f028b04e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb40d9da1415babaa4f03d7746986398

SHA1
db2883c308532d6e7d49693c572cb0f51429c3ee

SHA256
2695d6ca0ae5b90352610701a260cfb544071b7cb24eb7efad52afe725bd8756

SHA512
1ed0099a16148064be525ca432908c10c67bd5835c68929420c4f84813db1386547e0b1c1b6baeae5d9f47bbc47b4bcd63917d888fc44c7407392258f4f2898f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bd1b6a55f4f029e7f221290df1586e2

SHA1
744c505d32870bd867cd832e42006fc6c52d088c

SHA256
fcdc09fee024c7542b5227e727d0316176fa699a0551b04868ccdc0f1903166c

SHA512
83bed032cc1a418c22ad35f70d6ab22218d55d41fdb87c49fc69b97a95a89850080367c24e9c1c990af269054d63503bc588937cdbdce89c3fe189b715ebed8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f87efcde07479458e1103f6696d02a58

SHA1
831d2cabfe089debdd9ab7bdf437a19ba242f2ec

SHA256
f26ddb782112a3c4acc88f6264417293e1409e3c2091188a350cfca01bd8d69f

SHA512
daf73f65f5d8036ef4124b77504918e635ca0bdf891d05ecd29ee7a4ccb58dfcc33442c4e89ecc0933375996d5b4bf9689ecbd52a7536e8eee951fd83835c5ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
41dc5aa352e5a642f135a4bd9a382404

SHA1
952dce104dab4cf347471cd2b4d8e7e105cddbc1

SHA256
145f911a08f44e3ebfc997dab68fb6c1bbf85b7b5fb527daaed3cca5a68bf225

SHA512
f34c324ec04d36398e637693e622fea952a2543cba21f0b0dfd40ff2bb3821efcb4c139372fbd98188d5fa8b3196a49d907ea04be5bcc9f37f838257a11ac54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42AD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42B0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit