827544e381fe4215f58f26e14f6a44615799e1b89940f34c97a486f77bb05d03

Analysis

max time kernel
122s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v4free/Ads/c_2.html
Size

31B
MD5

c71108d64a400831ec79b21968e72d67
SHA1

ceea64109835a5d8a86dd1b8eda2b902b2defb8b
SHA256

4253053d7cf05ce8f54cf68f5e788d14f884c4fe5b5ea6557c8f55e7fa575ae5
SHA512

09d8e5f9d10022a7a5943121fe133d4c905d4a207e1f8affd3a73858d5a4cdd3353638c2bd45eb411aa799697a3586a2692aaa13d26cc0b9ee359a5d3aa780fb

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000e3d78bfcd81452572727aec66d31359afbe5cd576ec4fca0862979697ee1ac94000000000e8000000002000020000000657e41901bf98ba534017e857f2c08eebe84da14d9242be5410e17bbb9b0ec1290000000c32c6708e4cf54f5690c74ee428a21e709c52f323b44cf5244b8582ff4c8418b925675b70794fe16cf1ce8a5212c22c340e0b1fe0df86be49bac70c8254919139d97d54111a740138561c4599dd912061733aff369c9d675c6bb6619572c6d1dcf15d856d930e4fea94c114a09e3c14c1d265b142c79b888e40fcd294377b84e3ad11d3be3eac9db707de8f8bc7ab9674000000014897f158d3c6121ab9be61e6235f21de631faf4584605af880f0faa0440465bc7e0c426522d5f65ab93842d5193072b65832ea48b5d1b558b983548dc032e1f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429730451"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e08e22bba2edda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000d989c960565793e3a9ec04486f9a8a55348dfeb4e80119cb8f5baf521ed6e8f6000000000e80000000020000200000008621b289cf4248511c82bc4dea8780225c707133ddf95487b01dec7abeb83b5d2000000011315687e90bafbdc8b6cdc4a0214c109cee748cf1c2e3a3d3f4f0ad5179662e40000000a8d5254d77400806ea57a93f60ad4c182a8aa7dd264dae796448aa1ff079731e6df49e7fa520c20b1650e4364a0cf215c98a9cc84cea2d9a96b34c5babb2f4fc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E461F1B1-5995-11EF-AB71-E6140BA5C80C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1916	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1916	iexplore.exe
1916	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2200	1916	iexplore.exe	31
PID 1916 wrote to memory of 2200	1916	iexplore.exe	31
PID 1916 wrote to memory of 2200	1916	iexplore.exe	31
PID 1916 wrote to memory of 2200	1916	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\v4free\Ads\c_2.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f7949520883edab537bb0b09a5c9f97

SHA1
dd19e47f744cc20f45166d1aa017cdb3faaf1022

SHA256
0bd985a798942d0be150e7b91983456d6f82e5c8b3c63e8ec0c7bb2cdaba74e2

SHA512
e1a2c416c07f0f0b020b124ce73d82197abcc46ea8400a4b28ed288754a8d3f1aee6a19828e0c8fb74f68f10c531dacc98a16619484adb9d94a09232c43ad394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bdfe794f155e6ae989d76296fd7b9fc

SHA1
f976e8f7b84d92e0ae5034badd467fc021466498

SHA256
94cfdc65f40f15a2551098fa9b8dbe6894992a3de48ac34d815868fcb5500dc0

SHA512
320411dcb2f134b5c0646357534a5b45c476c37a136fc7b6a78a61dc03be9dad051ed2a9a2f1f12dd1f8223cd7c0a4e6bed6e4b7e0cd327fa6322163341be4b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a2d5877628a06f9af20e89dd3760827

SHA1
ec14e0bd5c677ac297d6b12aa3215ecbc44904d7

SHA256
216c978c3c714a03f8c476a1a27f2930cb41e072b415caf143c727a1a8b5f660

SHA512
d5eb78797fede357bd41d0b524fe291e88f346ca10b6b160079250587788c2b98030e557abb3549fd059c2ee9096b643dc3c6d0f2bdfdc4b139d61acb311f6e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f26812dbd2bdb623ab9d586570770afa

SHA1
c22d63a0ed43f424d16a9e24f180ccd8dd2645df

SHA256
f0509974fe7483d6de7f397e793dc80e4698d37e9f84e8a8e2c0a8327cae7e23

SHA512
48f5123da4727621ccd46c608f5bc62f8e4fca276f1ba6f27cec72b636a9e93b0b0d651332ed3296681f55e921c118c71d09b3538eb03dc70a0756f5e8d9e35b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94b66343b56e1d16e77310743ed3c643

SHA1
b6047395fbcd9268b52a37c57adc53be657dc69c

SHA256
8370b44786d37bbe14f51b9304227c927743678d1d3f2f9b1c54ad35c82c292a

SHA512
9073bdf9b61b766eda945c2350e7868d35dd428cc3d349b77bad589afc840a48f4bada8998babf27cf7a58bec2f82bb189ffdb101e299aaa5536dd032d864e3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84671af474ba41b78142578b84f84c53

SHA1
95fa993a87ec329d534a9acd4d1cb412f39dfd73

SHA256
28263b98fe99c5cad50741fc6786cd080ce2cd4d074a8961ddf47ec762fe7c4c

SHA512
654614ca7d839bccd95fc608aee08580bff4f06cb6a27c997cfea72e0ce719d7cb7ad26acb426ce08a6461a4aeac9d39d7920efbe3afc4c5224255c4f4f5f360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd5e49b5a46b044528d25de928a0ace6

SHA1
c17d9d64965237645274f10a52c0ad6db8bbcea3

SHA256
25d74524bccbda5e913bd152e0c63d2fbf0a78104b3a82474ca687ec693a4a9c

SHA512
2442a2344fe61e19300faf94abd99e4518c0046aab34bb7d939688e1d9bf9c746938807598c3780a37051185c1b2ddcf3c4becd04c26b2ce928fc42022e2364e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6433e284ab76f50cd6b4d79026259337

SHA1
b3f450c93874529cffdf4732f8252afe3ba803c3

SHA256
950b40e0b55ec7016355b7ead0f328de5d3adbf361f78974f1b5addee6362e0e

SHA512
a7097ac78e2a317e92b0f83bcff67873b1347b0caf4a40355206a0cdcfe35d4d114e52ab1a6d3b984043047e9d67f2aa0d3fd06d18e4dbf81ca10feab83c0142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83af60224d3c121ab4b7475e351adc69

SHA1
072d492c643944a86c00fc185885761eeaad9367

SHA256
c5ca96de199ea7775686ab6ae0098bc4851d91b7f6e7b58b797efc1ddf585e48

SHA512
cc2cdc2725a6ad505c38476e6a5e420642201016a72ce618dff22bd924e1c547085365711224ff62fc432eb1dc195792f07e145b9f8eb41877c324b94554bc3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe0c1a8f33fb1b0554e55054b1233973

SHA1
6037392a56a46004ce057e6493e7eef5ba614f7c

SHA256
b9cbf3bb320e8313597457b7c5b26f942ebe265e61c7b9a35b3f1800f5d8076e

SHA512
aad87a219e9e3295b682e11df8ec6f4e72c8daa854a02be207a3bc64afd69fc963af7bc536df8286f33d4cf4196e6f79df318b5473629c2f3bc2751edda1fcb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffb81bfaa19087a246569adee1cd585a

SHA1
76fdcb6015492ea423ecc9ae14f1fab2f1d2cd98

SHA256
6cd734c5d2887ceead191451e0f4cb053f72b30ee1ed8f9d2e4aad15fd199be3

SHA512
4b327200d5f463591de1fdc67de11468eb640258f7676f1b50a9cbaf06de90b34e555c0f9efcd7f3d353755bec73ff0415ae7b409e6c3b0ac1e1b7861ef223a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
143ed0d6e3c99e8cf0e47c348eaecea6

SHA1
9808712e55e7847197c1fa11ad81f13406edede1

SHA256
0c008e9cb50c2a516a7a922e947cd303e93285d13cbbf155cfe681faf0fb1355

SHA512
a5e036ecdf9b483e43f23d82c2f0b1ae64fc558618cad2b67516013ef627067cc6ec7839531851ad6fd1c6f9c8f7df8ef5ff1ea0f9f1ec9b57f82691033e24ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
549247fb96d5c285d428874ef847b571

SHA1
2ea9048622b0a741be3d5a1c8a9a2e5d7287459d

SHA256
8102ae8a777d1db385307dcc0e6060a4051d4a90b99c218a09ea6e99c429e55e

SHA512
f8c6b6e3439f61c1f809cf32d8cb123ac4cc51acaf723abc271bdd6ad69fc57b304b931e2f8146a8e484acda023ba3c10635973de149c9e836c062a87bc60fd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
365dcb1b40c399a2e201523db7557682

SHA1
9c8cda9e19268b6bd84ff311f366fdda561209e2

SHA256
6437f6cb7978b1360e4c2d44f086041f38d7ad436b4bcabf337dd907cbca04ee

SHA512
da330470c44b7c8dc409d927c60e16b0883f741f416c4b3c92ecd24ddfa41ac78062bfb1081c090113a7df2c0c5d096e6371dbdaef5d6a2cd340d2f478f7d055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a339c88c940046234ea579aa7bcf6078

SHA1
45ed04142e9ddeee19dbdf966d0ffe7609570fdc

SHA256
d278f14eb0b17fb0a5c466ce11dcdac21e9df96e0154e9ced33680201c927630

SHA512
19ae327d92a8a0c5767714d09bbfd6cf39b65ff3af348a3b86677f2e999517732e2f3297391264c2d02dd26c5322b0af89cc3db2847d58a3b9bcb5dbfafbd1b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42cb9847c17f06282a47b31e9c76a39e

SHA1
98645a9833bdad7513ea0fe74b8bad9b25d618c5

SHA256
638ffb7c53773e58f84cc059219a85bb604221b414ed6216b854c2875ad22d74

SHA512
a5f03c34200edabdd68f287e9cc17bf6ed9b7d8fd4cecb36b0c4a9efa941d05a993d21f54c92b9a8f0d7ef373c48ba108e013aa331402d1cbe149e1b5bb73e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3EAC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit