e20bbd3e44d366c63c6351458dd12c5da56b26e188f911728aca23727f517d6b

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/ipdata/index.htm
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000007656f08117740218a55b773e94e1f8a7387454622d529ee6ec97efe120b3195f000000000e8000000002000020000000ee6e7742b11ed7805df229c0c8799f9f4e307dbb1583f92f3a81e7a108668e6720000000e413f38b72092e864690ebee8082597d7b08f82d84e6898dec9f044c78b8d94940000000ec9ff811422ca53f4629ae7406f604623b83ad4c9e94552a515dc7a860c4b60d1ca12e04a70d04ee6b11d90c2cb44510cccc62c1525c0a754ba4bef39973bbe2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d0809930edda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429681431"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C519BB21-5923-11EF-B33F-CE9644F3BBBD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000d5e7c4ea6678f5ba41d691794e7f058bb4fd5dc0525c36ec9df57847a34ee0c4000000000e80000000020000200000002fe51426bf1e2723b9602af6f3bf692f6948e10f7b14678f33105c45832e3cc2900000005fa87d3285d850cd29ff398a96320b1d55f457b9d713ac6d5fc5dd982674de1acd40bea121a77aa75bfab0fdebabfb9197294e1d5b25b1af8de6b2d4ed14b04a0915857f0efa76b2f3179eaece6d664e0236593b1a2b568969504a8a946cd441333ac90d661eb61a1b6fb601b22d30d9b9d2ad26f0bf3d1e31a4c3e8aec1e399015e5f9e178a009ecc460e2d3491ffd740000000bf71f6a97a999ca6247088738d431a7c1aaf36baeaaf70ca5c88fb71f9d45d3f74288e35fb4fc665a293e225f8100e13a79bfb5129670242da5fd95026cb0b57	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1976 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1976 iexplore.exe
1976 iexplore.exe
2300 IEXPLORE.EXE
2300 IEXPLORE.EXE
2300 IEXPLORE.EXE
2300 IEXPLORE.EXE

pid	process
1976	iexplore.exe

pid	process
1976	iexplore.exe
1976	iexplore.exe
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1976 wrote to memory of 2300	1976	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 2300	1976	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 2300	1976	iexplore.exe	IEXPLORE.EXE
PID 1976 wrote to memory of 2300	1976	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\data\ipdata\index.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ae7b16b028f80ebef7a83f82586a6cb8

SHA1
83d0d7905df12b412a5dbe2d79bd0b147533639e

SHA256
28b2e12006a1effd35b435bd71b538af7dfe0a585aa1eb3426178a0c90c0d3dd

SHA512
e3a8a5390b1e657de08465e5dcf8634b1714ada730ed830e6c19edc950c0c43479a000578706487029ffdf468d14aff9690e819cfb04f6ef6427e047075c799a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
af2f908c67c6fb75c88e43e542738620

SHA1
ebecf805839e63fb5796f7ce456500825ada95bb

SHA256
6105eab626c2f8dd1d6d5724b3afeca6ca6df3174481ba446c2a6e1383b6bad2

SHA512
efd6ea68764e8fc0767b4d619ffd820a7b672acfa74b51106d84a222705e1da019065321433b22606d7a8683e03c1bcf2e76ab8753c5bdc1cf5d5781a6206f28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8f9f953ca8e32b6a160cd6dd567673fa

SHA1
449536d2ef7dba39cd6e70181e86d292a9125384

SHA256
47045eabaee3c9054ba2c12ac7bd15941c0abedd7385c69562b65064444574fd

SHA512
f3ff1815cdc05b38cba28696ce4951086e978bd6592182f884933bf40212a7d43b4b2b5e941e462b9c88114da319bb7c4e85ee956112d285ff2d9f3604a87272

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
956427c4e39cf3f28329bcaca5edbc62

SHA1
9c9adfc0c61c9f255cf9982459bb1c3f55e9deba

SHA256
57b6e4a33647e83678281e8f55f4e4e0f9969b5ead4e7d74682f83b9c190bea3

SHA512
4f04559894b4fb257d30f8c87a049fc0b2469bc9fd88f469b60aea1e50b96bd8cea28d4fb8012b765b44268d941f777302c8a181f815ef04a0a05aeca1ad8425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a592bbc371dc0f66a511348a5ac72d44

SHA1
83b081c2dd0e6c3e5bc5c1c4fe63871de631dc92

SHA256
d5c6c1b623d83cb41a8bd6e32c0fe146c60d1438cd874677f05fbc73b58ac94d

SHA512
a1eda7fdae8bfa238cc08ae6911d42816e1f0a00c869fa974a012d8597e86576675d5b32bf1f74eac53c314eadb020744ef2baa3a32549e627541fbaa910bc37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
51d39d3640b41e75dd589490d65fb8ae

SHA1
f959cb6fe0bd5922b43b6981f5fb0326dfb1fa89

SHA256
f276259a50a5aa3eba23d718a3bbf1d4d15fe81f1682f03b0c3c094411424bd7

SHA512
f69d8f2cf891442c2d0ff7bc3443bf3ff9bb13023ff1148e4cae5132e6eabdb56bee02b17a5cc23715bf31160acb408c857983a868f31b0a2b63c942e74060ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fc45236c4e962533e03c8031ba44d814

SHA1
4a9a8c0317f5afe060800421e280412623548529

SHA256
4abe65eb8256f3c6cc6aa7196e43201bca79e0dca379979fba2df3fc6a56835f

SHA512
9b0a010f41c4e9967516b73393fbf02de881d07876a276ed59dfa92d9902cac5f5d5ffc9cd54e348f62144c79200d39eb5d6e5e21989b1f2b454d826e74fe233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
92edb77298f7685330e78ba2de1c4b25

SHA1
8f20569c64cbc36e6528aa811bc7b87cc92c23c7

SHA256
133083398bb75e7fabd753261a1d1ed20f1651a5a478f2cba90c2cac5c6962c9

SHA512
e193fca98f98fb6c443c4cbc8f7b51b44e7c0c48144a9e5d51543f4572bf6812c53d77aa9e14e228d57f51b9745d13083fa903a222d08bdf0b13c9c4b0b6969f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
7df55ffa7f9276f517ce4da456902ce6

SHA1
a9627d6b4f9ff9772908837a11f915790263bab5

SHA256
d73ebf798e2c6a4c1e82f0cc3126790bc28c14332971476c58eb9f0ceb3bba79

SHA512
6d127df13318757e75a89960da1b999d9237cd689472c4371ec06d675690c3a4d77bc3706eb5d83274e6f3ccff84f3b14e50ac9dd9ce8c10270f95051a5fb90c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1a6d39918ec0332300fb8fb043a438d3

SHA1
83cf59c5acc848c572ae381d3dfa8334ec5091c1

SHA256
3a055abf761867b741a054c8e7f9ce242fe7298f4a0cf7fd7c100160bbbd654e

SHA512
3ffb3297d647c94383fe65de6dea4b9090430b799e5d3ac9b1933c9f6450a650d0ca089f88e29af113d0addb34558708e99cfb521e57d357a995349d5c5115bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f2dd8bab734e771be75c03e8a4208be9

SHA1
1742acb7fb24d422402a975184da030d2b19cd73

SHA256
567bc70d83e1a4ed4c2fa7c33cbc6cc80633cb85481471690650414a4cb03dda

SHA512
cde9f74fa8bc081ac7ab2fdf1e6039fd08fb7e8211d960bd2d4ae553a8b347134406d9fb363f542cd9c92e7aed322f8f12b6017a942017e40705c5cc07528bd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
16315b5b719c173b79e0b909f8f99f81

SHA1
3e1a330a814ecd1ddc22431e18aaa6da882c0df3

SHA256
1193a7da5b90a9cf8a98e2c4ab9cd6b507d3e66be69feea4c0d2627aee9d6eb2

SHA512
8f20c513aa363406973c22855e52de14d1d0c535d0d8d5a16928f13b2e62ccb8a35658e56fe3085197e66e4f600fd87b177298e2b48142fe3caf131b644a91a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fd149caf0fb2135c9d3f85dcb8e17d94

SHA1
6efc3f2ff6c545a60bf5f3f183b40710e426613c

SHA256
ebc9aca94afcc45a63703a325ea65d75b5b2e86a7e085f04feb4aaecd96ac034

SHA512
93e6642ac9aff209ad067c4486dee774a9f77cfe70ce94b072fbc5824b132a1bb1d0ae59df231685f194907ac76f43dca5af883619f54a0bcecce1d342e080c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7D8.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF888.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit