170740ce72172c7d607b46f58d391bff57ac1cb7090625fa53e73b2798437466

Resubmissions

02/08/2024, 18:55

240802-xkzn9a1bkg 3

Analysis

max time kernel
67s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/System.Threading.Tasks.Extensions.xml
Size

9KB
MD5

c89e735fcf37e76e4c3d7903d2111c04
SHA1

3c0f1f09c188d8c74b42041004ece59bbd6f0f56
SHA256

975a9555f561b363c3e02fd533f6bf7083aa11bbc7cbf2b46c31df3d3696b97b
SHA512

debdd8d0ed2ff6ad7b175acfeb1681b1a68eeedd6d717e20e6ac5e0d11c13a1219b4d60f9319939c63bf4b53456328531369f4a9fff5b201475858310e385007
SSDEEP

192:1/elWY3f207pbNcYDLna8MMOOXzHMfHuHoLob+OoMuJkfYSiffiWje0seJme0seM:1/2d207pbNc2na8MMOOXzHMfHQoLob+N

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf71000000000200000000001066000000010000200000003d3199f51c670deefbf2e290864ff3367918e4f14dfc93140476b60ceefeb6c5000000000e8000000002000020000000c30cb0770256079460f34312cc0fe1ddc5b9956a023a47f59cd379302d499e0590000000f05715e0229e2e45b251517421bf48e24c1ba3bdc3782178a6c6ff325e8d1f70d7da11b79ad306a5ddda6c2bedc9dbd9cf0a1c310f63253add801c709a01f3b90b8d4d094436895d4b4ab10dcaf38848d1c8133996daf5d6dc0ec0eea33c1ddbe4830f7d8db0ef781501899c8f72842127b013025484340c58e4c29f2a39d8abea67c856ecb896bf97f7061c52679fdd400000002fc6370a7a346c8d485979b9dff39c30f35ee4c707a902051b8b8d6a5daba492676ddf385d25f506672398ddb169577f15ce9efde2f0ef1138d3f5847167e0e7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428786817"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0830faa0de5da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000467da835c1e9e391bc7b5df64886a59c4fbb69542f44456dc6be6da6269ee7e1000000000e80000000020000200000006baf612538353f862938218820d593cd317791785c65d50ee8684b5205b89c5e200000009f8d098dccce022e409e82bd7941a527f0e9b54360e33e0c091454fe7deb74a240000000edf5d40c5b17fafd0498564f8192c987a7cc0c4d3e13330aee459b05e29ef3d30a091319c7a17321a04d03747902d76ae20fac545a077fdcb8ecb1de209d9913	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D597F411-5100-11EF-B82A-724B7A5D7CD6} = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
372	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
372	IEXPLORE.EXE
372	IEXPLORE.EXE
2360	IEXPLORE.EXE
2360	IEXPLORE.EXE
2360	IEXPLORE.EXE
2360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1912	2540	MSOXMLED.EXE	29
PID 2540 wrote to memory of 1912	2540	MSOXMLED.EXE	29
PID 2540 wrote to memory of 1912	2540	MSOXMLED.EXE	29
PID 2540 wrote to memory of 1912	2540	MSOXMLED.EXE	29
PID 1912 wrote to memory of 372	1912	iexplore.exe	30
PID 1912 wrote to memory of 372	1912	iexplore.exe	30
PID 1912 wrote to memory of 372	1912	iexplore.exe	30
PID 1912 wrote to memory of 372	1912	iexplore.exe	30
PID 372 wrote to memory of 2360	372	IEXPLORE.EXE	31
PID 372 wrote to memory of 2360	372	IEXPLORE.EXE	31
PID 372 wrote to memory of 2360	372	IEXPLORE.EXE	31
PID 372 wrote to memory of 2360	372	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\System.Threading.Tasks.Extensions.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:372 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3975ea580ca714d108f5bbe762964495

SHA1
3a36310d533259fdc91564ab9c014aac97ac3cc5

SHA256
b9acad100c77ae1f6bf9c2add023e4266ccf1743ed12e8eec393a1e879bf7e54

SHA512
ebb0681068da79113c3bdc402079b5d6d5fa7e064725a7d0579d36350deb61e2a859c7a4547c8417e4d7fc5ca2da7e9d7cec2c2177b239edccb4bcd5ee2c9ad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d9efb1d617bd74d1c58bb32d5e96fae

SHA1
20564e674717e5c820093f2625ee4541cf7c3a03

SHA256
3ece472f9a125a55c51040bd15d20e66cd04a1ebbc5cd224e91cf1db16814cdd

SHA512
d43f8dd2e83252a88fd845e1846c14ec7098f32a7874399d7cf1f0698f4f4c42b7aa875db20734e841173b2180f15a87de9d912206a9bc2bbc9253ca1e48a7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f47dece2f49a76c9d5dc3eb501f2c030

SHA1
5d79b1a6682bb0cdc049f6cdb660f0e4bf5c53cf

SHA256
5f38fbe11a8d012ccf03f8731bc8dc1a07ed415ffe5a504a346805518025de9b

SHA512
8289eb312304fa9a5d77206983563f4fba7bb2d7d9004b290719efb685c9984f07bb858fa11dbf8f73a8a19f0dab91cd5749cd994e4f069b4092e83b73a8cb29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf28216a815be1ab96f48d2e8b83587f

SHA1
6ae244d444150953d4d356680052dc625d2b24f3

SHA256
86abf920ee8e86fa38c3e8168cbdb5e8c56b55188d0407fe805da272ecaae6d2

SHA512
accf660abc520fc3ceea5f37cc6240558cbc5c8c47e83c9e3c84c004cb4c3e852c53c16dacd1e21ca4cf87b69289565c79ab0e338fca78e9432889a57515da1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdcbecd8799c2393194e23b912cafeb5

SHA1
cf248d4c42bc8867259b35ddda85a23cc08b228d

SHA256
7f1d164b04814968c397621c917646e4925ccefb5ccfcd152618855eecb967d8

SHA512
5fbc4b2fee98bda6fbabcdaf5598420c6c18c4c100db71e75db93838e7c23624bd35e7f5e32ef565567100277ba8182f0a785a59f30aab06d58003a631cb68d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ca88a29685d598a02316da24a41c1b0

SHA1
1d20469af3865774a723aa3ce1a1e8474cf34be6

SHA256
a6cf641796ee98cc32d5cc89ae40061a98f58c9f8aa4ffc1e90332d99e843be0

SHA512
792c30a328dcb53b222d5f86a74e7ded51ae5e2b668047120988d7d636f69efc016deeecd8586077d2ffde628b0d47a8ada2b4097941b0e875ccbb2c4d89d289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3f0aabba6fa30f64b628dd55b01f37b

SHA1
3823d26aaa526b0329c3d2e55d23a7cbac193c61

SHA256
ea9323edf8c7d4771d032026958b2e2f2451c8f8e8ca15dec948acff8435fb54

SHA512
cd2a2f3914eebcecfe9081365045490aa77fabb6f5122a2f795c965edc0f072fb0186ccf8d14351cbb646aa8db1186befac35f6796d0514e893c24966e90ee6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86ee98f753063704867eadac21de7ec2

SHA1
1e069c8953c677c622c6a314d013d5f8cdd4efd4

SHA256
27239aaaad1a1b3c5fa7a9af73215e68d2d3c7c1ba23644304dcd4c4147c5758

SHA512
e0edb11dfe2f935f5aaa53fc55a2928927b652e212426237b4b35ab6eb983a5378fb0c31b3dd8a1a234702c01d29c51016221a4d898f2df38e4af63dacbabbdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32824c979fbb978e0025ed54581d7cff

SHA1
4966c5e4926e5e7649fe8fffea79fa1c611d5ad5

SHA256
070a2a1ff1a754ff4d7b6871dddf8b11dbdc8abaa97360d48f44317f04af35a6

SHA512
967f18ae1e19c8e74740c8fa2597157fe1b4d6f2e39bbd87f1138920d3b7c6b1267e0eebf42b95192682e63c983da062b8097f050ea95835bc329068a450a6f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4bac9dde953e6bd09ce16ee52badfcd

SHA1
8a275b9b22b4800eb30c085e8821518b40cf3fed

SHA256
f9365723b64bb687f40318d69df311341087c57bc7a25cfefa442b88b4ff07c7

SHA512
a59d93b597e15e001169789679d2ef082505dc2163dc5a4b33711e1563bf8f50704d130156f63e3a9b0df304c34efb0111f875e50db4576a6ecffae8cc42cd95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
532d741493b8331fcf44b9edfd36bd7f

SHA1
0bc9cc2e28f58bb3be80738947c163708c573768

SHA256
3678646d9eeeb306517c7b18fca9f69a96e0ccc6e5469a393af4dede3c1e59df

SHA512
5db1dcae079ffa1b3c6106bd3c83df509aca628251b3b703e43108fddd34900a9e9799df8dc43e9b6ef31ff84e1ffcad6939336ace7f3ce9981ccf10d0ed38f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA0C5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA173.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit