23ef4926e0d3e77b38fd3cdc0e7c24d95ae29b1bb296d24e18d5650fc0e27386

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 11:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$SMPROGRAMS/Ա.lnk
Size

1KB
MD5

62d588bdb74e4e2e5d1689fa9272ce39
SHA1

9d0db515d8f65e57353381d707060f7343a74da7
SHA256

248402dd02a096f9721d61fe867fac5cacf4dc9001fa2aa6a50a59f7405606ef
SHA512

cbb47f7e4227177ad39a1c914e00e0ca13209fe0839d13819299ad203572b69026c541d71c5101e4cdddbcf7786c6adf339af3e4b0aab65cb188614f646a893e

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000e2dfd1db50cfeea7b2355eb3205138ced8324427191c17647bead75eab8f605a000000000e80000000020000200000006e6ba7c7eb7a1cae7a431f5c3bb674f126017b366e632f5fdf3602fa0526146d20000000720dd1c52610b848b61ba9ea301b1d4adbc47ab48779a6395583ba2c1f499a62400000008790b6b10edbfea9f56f1752cc4546474aa6e9629935ce2329c45ddde90814afd80601d4a1b76297947ee8fb59a065e3b1a8a87f66266afb486089c66bb38cce	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000004876ba7b3e5ebb2a6992cce47667c0cc1e18c05d3bd4ad926fc3392f1b5ac8a3000000000e8000000002000020000000e858ea1c33655935fc6926d00d4560712c7b5733fe3adfdc1ea58e93d0440a6e9000000073146301ceb5595a705e482b88a3888a3b7f623304350f77ee9ad534453eddbf7b18c497b91e8af883186c76812f8d1888f3066ce103bde77fe2fbcb27d2fae320c5d49c8bdb8d1dab4fb375d030ef3e8843c04da92170e855a7aa37f1ef5e13c87528cb66b83e96e8c7c4b695849d98197f8563bca2878dfba666d0a9b888d6e05e0e36c91ffa4d74e9d281f5bebc65400000000ae510096ab9eaa0021ee486c8815a9f316009c3c37ccb5973460633ab31b192cc17bbc1d7b3389f0f862758e216c16becdaf8f3489cef6762a59e63ff876f8c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429795448"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CF68601-5A2D-11EF-ABC7-72E825B5BD5B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102e272c3aeeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2836	iexplore.exe
2836	iexplore.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2836	2260	cmd.exe	31
PID 2260 wrote to memory of 2836	2260	cmd.exe	31
PID 2260 wrote to memory of 2836	2260	cmd.exe	31
PID 2836 wrote to memory of 2432	2836	iexplore.exe	32
PID 2836 wrote to memory of 2432	2836	iexplore.exe	32
PID 2836 wrote to memory of 2432	2836	iexplore.exe	32
PID 2836 wrote to memory of 2432	2836	iexplore.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$SMPROGRAMS\Ա.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.mai520.com/?taobao
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75944ff8f4f678f86eb5e1136eb07dcf

SHA1
04dba95d0b77e64a43283aa02982fc4191d7025a

SHA256
f2b742bd394304dff43a3739a1b69c21647651d33ad21d9e80d4d239c39f79c7

SHA512
0e2716779aa4e1ec996f250cb5f1153edf6e4bd9aa546da76f28709b1fde2b4e0490746266ace9a0fc1140d230b6df73e2f70c5f5b45da63482ad8e0483b056f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
045d1ca4ecd1b624c185b78ab0e338ff

SHA1
076089f478dfb71eeacc4699e50286050ade425c

SHA256
a4945e37c43fafafd8afc6f57ddc0a97d3d8a2761e64b6890122e72156d3c351

SHA512
234bb539bfd01f42707e54feb4e0186fbab9c5725f1b9689056f59e5d5d71916ca96459b65f63e27e1bca2b52f9a54e86e8ecca0d7f61aacf4397a113a037006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e456df0c627ca4e84d3a663629b0cf4

SHA1
4f1882ae59f9a724866088eb76e516547705ba21

SHA256
98d2224e6021f55a7f88ba9e46ae3b4fbd499c7f75c1fd388e1396e259b25fce

SHA512
a383b112b32fcf31f79687a2f9b3e2053ac6eca6ee568d61b01a55e031e8011813a3684bd5260203cb0561e27c059238cfe2ca71a16c26cfe5eb2aeb2f6abcdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f158a26aba026ca9de0b260cc248c5f0

SHA1
12627fb6d1a73c4715099f7a78cf9c9b40313de8

SHA256
ebab30c0de50607ad7ff45a4621748d600d116ffdfe6d8ddddeb69a4cad7a207

SHA512
0019c96eb3a6b6c11af40577f018a1c912deeba34bb3dd623eba18b97b039bb467f64dbc28192224e2f687a971df182df0c237a845d7cd8051af0370e0ea5545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e6f489d7c78ae4a5767f7a6ef0c357c

SHA1
6d1eeb7ec03faafd177b7811edfc00e6bd60e266

SHA256
edb8ed2b4839750897c855bb746d4816f1ee536c5bebd9fd0c74302867c117e0

SHA512
1625bb8abfc74f0ff72b355d803aec882c21491a5837ffee347588959f9e6ad2b9beeebfe6c646ea462c9c2511d864da413e4fb0ad5d60512f6956e33fc424ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
398073ec4b3c076838db3561c4b8ce25

SHA1
5b731c4a918827366eea7804864489e00ef208df

SHA256
5a0168b61d0f38f733a669d5ef13776748ce3a796bd2d40b4f1121b56927c4a3

SHA512
62e88622845ee2752536d2229f744109898f65f8d06d8217ce2ca8e93508c489759403ee0fcab1454aee643a9487f5e478dc35480cf8083bb8b2fc8726654c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab3295b1ffa8a0ffbe83bfd1ca0fc949

SHA1
769c9a9c94ee899083ba8d3b2af1dfea8e4f87a7

SHA256
52592fee7fbeff55548e94c6a5a7c8390c40067da7da9044f3c00b8adaa176e2

SHA512
6bf37de7c3dd02a73f3d4bcb3441f7a0a11d38f99712d75e914c0dc0106fb3d08d2e8640d12f0b64640f3f50ac955c4ba11814892999f41469a0dc9a12c0e909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff63bf549437b5e01ab77437a055f9f3

SHA1
275471056be312d6541e9c89cdaf52ac21db978c

SHA256
259823b31f15f92ca99345366566dc5d202fe23a57e0f377be4143e816860b73

SHA512
3b895c6c532c528766d5ef179a851368ba0992dd7d6826905199bc4a1409c581de9619faec9cc092bd09f3fa840df214c209c8234dbb8fa8ba90fb0f68ad7424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e33b533b4976f5ad2de771daec5617

SHA1
51f34dd1a3c0c996c46ddb891894d6d0522fbcb5

SHA256
9c3f0d34870c21a373988a4fca9a427d4016f511b6fabf842b55a547cb6df87d

SHA512
c49e3f4e2c907027ef4a63c81c46a4c1c950795a58c52e11eec0f57ebf8e7659e9a466752ee7ad143ff3f7c015a2a7fe70b832a73851732120660708918dae33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c21826948006fd374128d022cfb224c9

SHA1
2fc7b69595edc34117b84347d9cdba3f2d203185

SHA256
e93322d426afc9af24a6303f7efcca23f8152263437759b1ee17d53b53fb4dd6

SHA512
8f74ebc20ddb148b48e7b08565afbdb4b412f6a1bc8f15e1cec75a8adc0c69ce89fdd3efb79775f16d0ff6fc535d546dce8fe86789e65a1ef812fa6b4d636e6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ece1600ae05811e3af4dac78bc50c61

SHA1
ac139bdcb765b7f6fe7e0d5f4a1214c05c1e8062

SHA256
d177771af99a209f618b51651ca1b3d8356ce192656e3ec09cd57aa0f4aa82f4

SHA512
1912d68f6666d7e858f4fd19585e0351fef7c6e21001f03a7b44bcd1e9a66541e3ce8443ad58c48cfd8b5c76c30d2e4cef4539f245e5110fc331ef6efeeed080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fea135538c7d39fb558f27cce6707ce0

SHA1
3aed14b000b6124ca5d5e482970d8da347209b5b

SHA256
54431a0b693f5946a8f4a328a3c4162856077c0241f8d90efee58d7e2b963a25

SHA512
7f092f0ec3bf689a6b04d3fdaf003629731736f406dda9756266863b3eb3a8f121b9496dda8afde6ddae91413b3c0a725dc22caa430469b63f3a54f036bb54a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbead3980e42954f3a8b42cd934a9c19

SHA1
060bb18bf8ced61a393e9b801ced492d05aa2e7f

SHA256
a3467ca3e4c6bf76bb1daa22fd1d4cc8a5920ef603eaf967e0f02ce4f59412ce

SHA512
5e9afcf3c8aeab6b979d108fa03130548ec9b8d6a304226705bfeb4c6986c32bb8d21cf6852b4333b6bd9c7c35b2327df99a2ce68f30af2d2d24dcf28a518a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53da1ce8e26cfb55dcccff9ebafb8e20

SHA1
8e1cfd4b419fad7b9f667f5d3aad7891276b9c36

SHA256
aeab9d563829e882bfda47d036180d0eb56e703c6c9c34878332e52365684492

SHA512
df97ffba3288a2354641c521fa44b5e46f8d2ad84c2eacceaeeea8dc62a7057b9a43eaa2b724297b92a36d179a9c18369be5377b9c0cede1840ab91bea82f22e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b7641b859f97eb6d7f72b4cf3e43d75

SHA1
84deab913b8127615f0ec57ca34b1f580a75ec84

SHA256
523faf0cac2b33f6fa0db717b68adc311d47cbeb5e0cc50236e6bf6c80b51ed7

SHA512
0f413fb1bb89a258da40172feafec8698070f94b035fa7a16cb96c5eaba0dd40b052b01979e1f2e1251bbeeb27a99dc11009516c5cddf05c0710b0dcac75ce55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d859aa1936a846d5d6aa363644f7dc6d

SHA1
0958a1180a9f2bfd172e624901f33ee7e59469d5

SHA256
c2979b7725c0a9b8ae5f6203b62839a8fd050179264e91eb8f4dfc83667c8416

SHA512
c495a44ef0df7649a8e6e96dad7272407e5f233ecf23734a38a917ba602b749f4db8930630492be7edc39a49568cec898f14a94ca0226e1085604e617dbbe72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E8C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EFF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2260-32-0x0000000002510000-0x0000000002610000-memory.dmp

Filesize
1024KB

Download
memory/2260-33-0x0000000002510000-0x0000000002610000-memory.dmp

Filesize
1024KB

Download
memory/2260-34-0x0000000002510000-0x0000000002610000-memory.dmp

Filesize
1024KB

Download