Overview
overview
10Static
static
10Ultimate Tweaks.exe
windows7-x64
7Ultimate Tweaks.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
3LICENSES.c...m.html
windows10-2004-x64
3Ultimate Tweaks.exe
windows7-x64
1Ultimate Tweaks.exe
windows10-2004-x64
7d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
3resources/elevate.exe
windows10-2004-x64
3vk_swiftshader.dll
windows7-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows7-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows7-x64
3Analysis
-
max time kernel
31s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 00:01
Behavioral task
behavioral1
Sample
Ultimate Tweaks.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Ultimate Tweaks.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240704-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
LICENSES.chromium.html
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
LICENSES.chromium.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Ultimate Tweaks.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
Ultimate Tweaks.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral16
Sample
ffmpeg.dll
Resource
win7-20240704-en
Behavioral task
behavioral17
Sample
ffmpeg.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral18
Sample
libEGL.dll
Resource
win7-20240704-en
Behavioral task
behavioral19
Sample
libEGL.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral20
Sample
libGLESv2.dll
Resource
win7-20240705-en
Behavioral task
behavioral21
Sample
libGLESv2.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral22
Sample
resources/elevate.exe
Resource
win7-20240708-en
Behavioral task
behavioral23
Sample
resources/elevate.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral24
Sample
vk_swiftshader.dll
Resource
win7-20240705-en
Behavioral task
behavioral25
Sample
vk_swiftshader.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral26
Sample
vulkan-1.dll
Resource
win7-20240704-en
Behavioral task
behavioral27
Sample
vulkan-1.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240729-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240704-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240704-en
General
-
Target
LICENSES.chromium.html
-
Size
8.7MB
-
MD5
bd0ced1bc275f592b03bafac4b301a93
-
SHA1
68776b7d9139588c71fbc51fe15243c9835acb67
-
SHA256
ad35e72893910d6f6ed20f4916457417af05b94ab5204c435c35f66a058d156b
-
SHA512
5052ae32dae0705cc29ea170bcc5210b48e4af91d4ecec380cb4a57ce1c56bc1d834fc2d96e2a0f5f640fcac8cafe4a4fdd0542f26ca430d76aa8b9212ba77aa
-
SSDEEP
24576:KPQQ/6MP6P5d1n+wRcXe1Lmfpm6k626D6b6+eGnkywBIpv:Cy8OeG8k
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04a905c14edda01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000375e19e9e1ce468eba31d9e0aaafbd309f0dbb660bc8265d3a4f2288cf94f403000000000e8000000002000020000000ffafe09b77bd3226914e74b212c75e33696dd49d64dd63a711a5486ca650749d20000000ee2ba45a46fa46e3acc98d94ca58c0dd6218c7db04204ccc87a403b401f1849940000000cd6a2ebbc670f91db2cee4478d57834947d0e5b540458e2b4c8d48819ec87c8579dfdf4fc2a3f20f6d1f867c828f617f451ba8abbeccbdac886e99b54efcce97 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000d6669b62b4a53ce3cf88179e737858343acbd9ddcd4a167d76a7a5ffe36e8242000000000e8000000002000020000000c420e47d6aa2da93db156167c8d5fa6c2a45221cc6671c635b076d4ec4df031c90000000f118f72e5b4b370c3ecd72e2cb56e1819d87b9eac93ce3b3a22fa08bcc8644855e11c0ac2ecf77e3ab5c572ead8670745700cf52e3a8b56e232540116208997c285831b0504a6e1459a5b33f362d3c3b022a4aed99d0d738f91e9566c69277880749cfdfbae7969546c9b6242d8fde71225ab72e83a244fef3a4a13e35b6016dfd57c7e1d3cf1da1cbbc7d1230b29363400000007182b2a865e8e9114d64cda513028c29751411ad78cc09d4e7c6db1da176f3f2afc722616966d152fd51b3d18c760f02389f83f61caadec448b087a503e0c6fb iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{878F7681-5907-11EF-A429-7A64CBF9805C} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1520 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1520 iexplore.exe 1520 iexplore.exe 2788 IEXPLORE.EXE 2788 IEXPLORE.EXE 2788 IEXPLORE.EXE 2788 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1520 wrote to memory of 2788 1520 iexplore.exe 30 PID 1520 wrote to memory of 2788 1520 iexplore.exe 30 PID 1520 wrote to memory of 2788 1520 iexplore.exe 30 PID 1520 wrote to memory of 2788 1520 iexplore.exe 30
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2788
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD584fa48b160cd18dfc5100480ad1d11e7
SHA145bde462765432bca54f6213fdb35289b612eacf
SHA25603792bf0d21b483b0cd258ad4c40a0f0c4124835068e1a4ed1dca0123118f42d
SHA512bef33beb0e307030f2734b35d2e770ff3e004770055478e12c792685329aa89d5face55f4866b3b8032f538efb3623739d5603494af2c62aaff5abaa5d1c40cc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD523393563c40aa6697f6c64c20ddb6455
SHA1b0b04c4dd63b955907477329deeb859d3571b1a3
SHA2562fc5dcee84e16a94dd40ec7f34a36ef1305824de6922e4ea38aed55f0511d107
SHA512dbaf6551235fab28d9d03d2684d8bfdd5c1e268f13b2000d173dfda25157322e639727f0b9364cbb0df5f89640c3126158e0f502cceb8d5b58f691aa1ebfe266
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a0819af2a436a9bec7f16295fda5658c
SHA1010ce524badd19400edd47572d80fe9aabf51972
SHA2569119580c0f0a4000b35156d68bb40461357248d2799e0836bb7a60925f7f2eaa
SHA512246a759ee0c0008f832d3856f133ad80b3033039a6e5e55f85228eaa326e320224cda9a370e8f475c03ea671e6ebe32e30835f0a64d1ee7836e6e0ba489d909e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ad51a284d4e449be91dd4a1d495687d0
SHA190604c1cb0d71839c6647c40af3d8fd93df937c6
SHA2566373aacf995def3a25a7676e887adff0c5fab4fcc7c268b29b0907e95ca85eb0
SHA512642e857c22b2fa7f4432b7bcc5366dfd29f2cefca78ae6d2a00ce81b209fa138680106844a85974df2ac1a22acc614c419469151cbc5df00072b6f8ae19a898d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a76dd8678c314fd4b462c6ccb879e9b4
SHA11d2bf3d1647a8ae754d16f25e28732f2cb6c6cf4
SHA25617063ab96b18a7b788aefa1ac8466658fdbc42020a094cc0c9e71366bd852ee4
SHA512e6e0c6c7b21231f8da9004b30ce160a0e10a183113a73de618d4692c9c76819d3cdd7e38c9d57bf0195e45e9bdb62d7944fc433355fda14431b7f8fbadb5d4ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53eaeca2477900c52ebab2471670dc660
SHA1b62871786e24e1f4a0c515f075a8bad838507568
SHA25676daa219e54019d1a744419776b002857a8752d52a4ff72cd8544b8c99e1a47d
SHA5120d21b4f13c68e4de2d034fa9554f82e411cd295ca8f5d5a73431189c1b969019e7a33ea4176e44d25fd428c0ba9473f90faf80e36bfebd11a7ef628b7922b407
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b