Analysis

max time kernel: 13s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 05-08-2024 01:09

Static task: static1

Behavioral task: behavioral1
Sample: ZDQMkW3WnC9D0htao8zsLh8kq5sDRwFIYycCMMC7.html
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: ZDQMkW3WnC9D0htao8zsLh8kq5sDRwFIYycCMMC7.html
Resource: win10v2004-20240802-en

General

Target: ZDQMkW3WnC9D0htao8zsLh8kq5sDRwFIYycCMMC7.html
Size: 146B
MD5: 9fe3cb2b7313dc79bb477bc8fde184a7
SHA1: 4d7b3cb41e90618358d0ee066c45c76227a13747
SHA256: 32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
SHA512: c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db
Malware Config
Signatures
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies Internet Explorer settings
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D8D5E11-52C7-11EF-9D33-D6FE44FD4752} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid | process):
2364 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid | process):
2364 | iexplore.exe
2364 | iexplore.exe
2756 | IEXPLORE.EXE
2756 | IEXPLORE.EXE
2756 | IEXPLORE.EXE
2756 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs
Processes (description | pid | process | target process):
PID 2364 wrote to memory of 2756 | 2364 | iexplore.exe | IEXPLORE.EXE
PID 2364 wrote to memory of 2756 | 2364 | iexplore.exe | IEXPLORE.EXE
PID 2364 wrote to memory of 2756 | 2364 | iexplore.exe | IEXPLORE.EXE
PID 2364 wrote to memory of 2756 | 2364 | iexplore.exe | IEXPLORE.EXE
Processes

- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ZDQMkW3WnC9D0htao8zsLh8kq5sDRwFIYycCMMC7.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of the process above)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads