1b3176772278d4304af6b59c991f8fa4cd590059c7792b2527632e71ff1af9c0

Analysis

max time kernel
66s
max time network
130s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDERI~1.html
Size

2KB
MD5

51120fed79f8d56aaf142133c1d0d9ba
SHA1

9687383d6d8a5f412318f9ea06b7398dfa02981e
SHA256

5adb5ab0f668e5bca03d94672b1f104b78b681cd497be45c56b145467a24c93d
SHA512

b04f40b3c4f79e8766194cb914c289a0ca7ae8560e3baf1a279fdbbca3ee3618b3aa65e15a0120b69505bcadb3f7e6806cf6ff0204c81f2daf7ba6d8c13d0ccd

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002eb43cffebda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429550278"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68333801-57F2-11EF-A17A-428A07572FD0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c920000000002000000000010660000000100002000000070f35903a2f459ca3a8e8bd1a967e6d252ae696d8e272076722d7fc6b6a95135000000000e8000000002000020000000c91688dfbefc685d3f6ae8b101223452db82b76537d0ddfe172ae0494bb724ca20000000b547e4e3ea9101539809bf0a47d15292ddf65b0ad16039598f69674c57d133ab400000002d175a458fee2ff5f50919c825f41f056ba3723280fa22b37bb235d9473a12099ae9cbb1d6d375ff80ba0cde76278ebc7ce6030dc3b70507a8d34bb5d78cc0df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000b48ff9a8d939d56b066a0a7ab590d6d338becfab2ff94371802638980be739c8000000000e80000000020000200000008a24519da70e2a381fbd7793fc83ad4b5f55175dc15805d95110de55e7110dd490000000bbd1c268a7b97746a19aa5f3508059bcac789828d7201ce0daf2269d6d1d545286b769a459dfe505fd2eeed0d77cff59c27fcde89e99abdf5bf86ec7fe869d2ab8fc7048bbeac464fefa77ded04fcff5c360150ce34a1e2311ee4a01eb90b3f977e79e337fd9785aa3a0d8fb23d335bf7a40d5ae940b81292d84cffd23db9349e09676f2bb2b5ff548582c67ece9d4b9400000004d0850e59ee14e29b3b2c4c7cf2339007a1c5a0db94b3664c18dab985a5a8d2af26e216c783f2228198e6aad98ef93192f5ef0be750fe9bc9ed7e72c6910f49a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2716	iexplore.exe
2716	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2680	2716	iexplore.exe	30
PID 2716 wrote to memory of 2680	2716	iexplore.exe	30
PID 2716 wrote to memory of 2680	2716	iexplore.exe	30
PID 2716 wrote to memory of 2680	2716	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ORDERI~1.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
778436ccd2975f37033a00f4e3905906

SHA1
4161932fa0f052932f3b2a8868fca3c34ceaa81c

SHA256
7adcbab660b6b1312a271808664645c950df982efdd91411363841976c6bac5d

SHA512
10806f0991c1cfc4b03ab008074a21d530992877f7e9a7789af68a12014ba8823bdb845138d5b73685bf7c75518cef4c91e99916733c5318e451f8d1279676e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f519070539298fec348d369ac96482bc

SHA1
72e0ca4fd08376f7079bfa0aa402837b6d7aa8ba

SHA256
81294372ede3342cf6fc35ea161aa1aa6599bc2c6b789e7a5fe7023b347670ac

SHA512
c6b3c47b97f6a85ca75620022236ded1ea0acae9666a1283a6d7cb260ff8b0c3f2ea61923fbce5baeb3b91e3feb62abf6d6e9d5997ea53eef5dd6b1651973b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7a84e613cfa61f661f85ecf23cb6c90

SHA1
38ebf942b24873ad64778997cff2133facc21e57

SHA256
433ca90f21386886485be95745332e5d856232f08a5fe2932333cf633ac6747b

SHA512
b9659ac0e177eb9e961d0bccca8b4958f0b555682045034d736fe44424b645549f4d7f811b35d5c5aadf1be6527616bc3235b80c8f8ef978ec587a7890335d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7cab7c4a93ccc72d3da7b1ca81fb67a

SHA1
84d44b1414afa7ee7eb57203aa871442183e9c88

SHA256
8b361ccff280df70d073bad515e4d69b41486e46eb261e35ebfb09e7799ced5b

SHA512
de47afa42944f6053173c5fd1e46930a3c367d2dcd8c60903905f71426381b9eb02ecb1cb0dccb8cff024b9b44743b36fbf3d074746052711c808da5da332653

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
601f7bb661ad8f19a9ea1d67a6c5cd3e

SHA1
c5ac057ba1ca2eb753b29f1ddb067c96190854cc

SHA256
7e85968a7157202a84c23e9f67b400916cf56a3b437900e193d4c4d627661ae1

SHA512
281edd1ab07f358b65a034544a98879beea97acf2349ab2d04df0510331d655f63b3458002bc45fded52a9ea701df236e792cec63a06ad0f1a40457564ab7f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86e284816bb014f5c14c59dfaaa02f13

SHA1
fb1ee432a94b921ecd5f9897dbd1b59b85f31559

SHA256
c846e14d9cf62617b413a052edbe3ed1e9eb17277b4df7e361ba2646f30cf91c

SHA512
d757f351795b1eb2c8a725c90b9937d2d3773cdabf40c9c00c0ea723dfd95fc59e5ff250e543b5751bb689474db875fadddb90d17f92547aef2a0398db84e888

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d65d79e2d5589e2af546c22b4bd4b8a

SHA1
99007028cd63e0192745f45038ee9c83f78a7b27

SHA256
ff2bcd0c61535392c574177f8c0136897795abc27ba8fbac9324842b2e655f87

SHA512
2134ecc012f45398af8ea491753c57830a07ab3bced62c6ddf8b22e0c4c2543eb34691407ff56006a38bb3cc999aab25d63d954a7adf50a59d07c27240ee0ae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e19cf985a2f001dab6c55c4cced5ee43

SHA1
5d68c77c835c92dcba4927a76ee9536254de3164

SHA256
06459cccb9eb65d389e185bd99f917e5a330e86dd02abce3bcfe8605bc6f030c

SHA512
0c07008753b84e0ec2b74d0cf31e42bccd9d549bbcfe41ff85fc4956c1acef9ea207e084175604008830ffefc359333df634d9f4527dc4db5a7aefc769972c57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36703d7167b3b27f7507aa955414d6c5

SHA1
80b5d649b2bdd321205ac094b0a7a10f8b2ec4d3

SHA256
044ca5f37827381a61be26a62f13c1c46037cd4f524267faf34164e96d9f62fe

SHA512
244db8160844397622ecac5ac4052228269bd9647cb0bc4bf59c6ebdbaa0d78c2f14cc1d5c4a67e7629181f0070f2538ead10e17121af2aa5a4ecdac1706b1d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4980e9cde184d384a7c5a7ae4bf9b86b

SHA1
49f5b15e5080397b9b601b65469e8ac8f9126fcb

SHA256
96690f2f970208e3cca6af3ec63aae50cea9ef05693b4a74f869351d74feb579

SHA512
913caeb560ddf69c0e45a6bae6602ea31d29a71384d4b2bddc59b08cff5708613e3dd94f2d7a0183943f9301c415fdc42fa2dad61632c97fda20b79026a3384f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a778eb51cb7542b17b8d088bf4cef66

SHA1
15c7302b69474a8b43dffdf7d471836884af717d

SHA256
dc64d3085838e0e2f546df83c9dd182883d1ba7d13aa0afeeecbe2f606c8467a

SHA512
fe3816039d57c997e300311f8e85d2680c33626c8d605abbb85de43710eebce130d17cabbfc09532abefda3edc4bb74acad9ea5e68e2d58ff74ae51909878a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf8ed8eadc79174e7dd37ff7784cfba3

SHA1
516216dd2d0dc9d691baa66eb3a86d705b608055

SHA256
95323cf82cb049e25b15c657a818d7938f41cf3b19a9c322af58f73f63a07d56

SHA512
19c2cec63ee109ac0dd0acb9ab412022b4f378cdf95d47400227f9a8b8703bc2a8db041db7152226a2e868d13a5e28831f53e00a93aa8ca67d5a02659aa06da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3d485219cab065ab5258140503aa9f7

SHA1
b780bad012d5dbf671cc07b35c6e9e981e4220fc

SHA256
e2f5f4a2cc3a39749afb7c96fef08ec2bfdbbc38769d83e7195e7de7684fbc49

SHA512
66100a4b40d156edf87b6e227a90ae878026ae4c6f0941dc3b746c2d5d70a155ce882487248b06ca805c3a26da7ad02ea7ce7a4d9de5fa46a85a0d1e42850a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c7dfbea343c24b32d66537e794bbc8a

SHA1
3a2709068e887fb7cb63743af58244cdb8e254f2

SHA256
e68745871f11f1fcc8f39e6217e8e874f55aac0e132567eb7a910bb6f2880824

SHA512
7c361d012223efa02ba6bcf7e9b3eac85e345403776c04a8cec1dd77ba66cd9172ffc56f022bb613937cd9b57274fce676cb2f497d1dfe8fb3f27c091461e166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9def56c16a8ce2a714b721daa4fac7b9

SHA1
a1d0bb48f6e025aac1f01773c57764cba80e96e7

SHA256
512bc73672f145d73cb33be255c6f1b428ab211362a0f4f5fdd4a83d15e2dad7

SHA512
c0500b5c0f5bedc58d1ca8396e3c05a945cbaaa3ae69ef7c93f112383fda25405a300c86ad168ad527e012c02da7ed10d962e0c3fa62dea7a34b2b00d01422ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
699960ce118c910b4064d3d760eaad98

SHA1
bfa168f2e671b3a17d3c469eca3344165657fadc

SHA256
a1315ef97783496443d4eb68d83c97860b50a129a47ca2636c4d9e605ce65d2c

SHA512
a693e1697c08a6dfd78e3a6e9a1bc6fbc0e11e05e7c65fb61bee7381716f679074aca77d92a95efba539e898ea79531dff96ec3451dce056ea4aac93eeba9cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69f3286f0242cc21e246028daa05fa58

SHA1
3c504a4429bb5901e3ceb70d371457f4e8fb095a

SHA256
c538209aad01a7c67ee3c13303b41ae6dfca6c91cbe29fc2b3cd5764c8c60765

SHA512
62a1f4154ec27d28907a855e4b29c38c578657892ad8473df096382f3693f6bf53d4b98d9dd69fbc7a37b63213faeab8169a22890cc276f9b07ae6ea08322e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5A43.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5AD3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit