Analysis
max time kernel: 16s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-08-2024 14:45
Static task: static1
Behavioral task: behavioral1
  Sample: PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
  Resource: win10v2004-20240802-en
General
Target: PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
Size: 146B
MD5: 9fe3cb2b7313dc79bb477bc8fde184a7
SHA1: 4d7b3cb41e90618358d0ee066c45c76227a13747
SHA256: 32f2fa940d4b4fe19aca1e53a24e5aac29c57b7c5ee78588325b87f1b649c864
SHA512: c54ad4f5292784e50b4830a8210b0d4d4ee08b803f4975c9859e637d483b3af38cb0436ac501dea0c73867b1a2c41b39ef2c27dc3fb20f3f27519b719ea743db
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: IEXPLORE.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E63235C1-5A4B-11EF-9AB6-F6C828CC4EA3} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
  pid | process
  1820 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
  pid | process
  1820 | iexplore.exe
  1820 | iexplore.exe
  536 | IEXPLORE.EXE
  536 | IEXPLORE.EXE
  536 | IEXPLORE.EXE
  536 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: iexplore.exe
  description | pid | process | target process
  PID 1820 wrote to memory of 536 | 1820 | iexplore.exe | IEXPLORE.EXE
  PID 1820 wrote to memory of 536 | 1820 | iexplore.exe | IEXPLORE.EXE
  PID 1820 wrote to memory of 536 | 1820 | iexplore.exe | IEXPLORE.EXE
  PID 1820 wrote to memory of 536 | 1820 | iexplore.exe | IEXPLORE.EXE
Processes
C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\PaFRXh6fDu4UDCXB8RrCMW2uvSIr3RWnUfxVvUHC.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 3c79716d5fe8d5b7fe2bb1dd1216d9dc
  SHA1: ae827c98942ac1d8e17c1cb99814f94e3d7c0785
  SHA256: bc18da397ff062cac64876724779c49141734a6bb21affd97ecd1e3241b286fd
  SHA512: da669eda68bea4003b64b8e7dd53c354d9754c3b5a7dc89533259827fce319dd0f1ab9145bed4232181b41e474cc18bc38e4b038f70420af0093b4d453261f7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 9ae786dd4feb8cfce484edc9beb89e1e
  SHA1: e8810e730aa5e5db968bca9bd5a8d736b04bff6c
  SHA256: f1ead2a41ceee5ffdd94a16c0ed9b5b62fc13f38c1dd48a9ddd570315e4c8f95
  SHA512: 2c4e14d25491f42362a4694e1838b1ae9fcc0875fbcac9a755f4b25c4fe81af2a0dcc6c43f5e22e0f2a8b55049920dfa998a7be47d3b94b5ff3fde8bbff2d8f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: d9cf83a528bbebf357407500ef5eaed9
  SHA1: 0a159e5cbed47736298c7aad6ae67b934eeb5668
  SHA256: 3bab2b1d5d5893c21d23abb0dca87be0878c99a7320e924fc0954fe141ec5ec4
  SHA512: 5782d13f124db8555229c11c92d5dd8a71ae9bee0173f0c6ffe9cb2435d23963d8f4715de76ac0269f38b2a7465a50672c5c4f09c748900929ec2e00cafa3fd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: a9afebae5f098e5336ba64d43f5a688d
  SHA1: be6579121add79501b2e1c0e0c027c6222b4e545
  SHA256: e49f6bc8079811723379b0b20f73079be7cdb75ba172cb06a2c420fad5786541
  SHA512: 6a66d45d8e2258aa54759c81adbac3969ddc24c76e454f542489d9c05b7aa94f83c636f80f7af88f94bddce3277b219cb86266d517462d82f24a42a5ad2f2d1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 67d7c1936395142b1c2748479602f8e4
  SHA1: b272c4f52f5987f66bab33b06442f97acdfcabf3
  SHA256: f0d7327426bddb7cc1c8f353a386783ee9cd79b18155e7fcaf96be3d9dcf6c71
  SHA512: f54d359b7c60c390fdd6e5e6b76dcf7f0e2e52f152adbf080ae94d9f6bb85d039351f64382f353bf0341f389502e2ebdd29aedc8237297bcf10e7a148d815fa3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: ad7e8d35def8ca4774a1b572089212f0
  SHA1: 27bc5d8f8a3563f6bcaf1d3288fd3296fbf10a99
  SHA256: 880530aeb19bcaf2549c6c7bf503cc44f1beb38282e8481c66750323695c621d
  SHA512: 24cc869506d29b3564a1d49fd19bcfc235fa6da20d2ca1a31964aa19c841fdf43be31a32d1d8100243002b2f4e6687900bf24f35baf4e364c507399cad0d5d7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 1681cf67dabbf816970b1049c4838128
  SHA1: f914ac8fa0ed0b676f36dfebd31a2b8831495b6f
  SHA256: 480cbccb9fc07a0f9dbb6287abb53c1d162b81ffc87f9ab923434398dee8dff8
  SHA512: 881ddb4b515759a9501248a965d509e2d22d2f913c7eef2b34f322048190310e144e233aa97b62616c7ef5ae54561d3aafc5af0b092a3ae71bb8bb1b7b310880

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: 267fed40d42403245271b5f1390a8818
  SHA1: 0829efd1fa3296dd3b249983eb69df9391618f4f
  SHA256: f5f6f6ff771ad39105d1b2faa7ef97bd084e201e8d2fb3a300d4827b53ada96b
  SHA512: 23195c5e299e0c1338291d5895445dabb355cc8ee2da5ca1cae57c68a0b3d96eee6201a16fd996e57d455c81d7c111aec0bb6a58012f051675505d77fed52227

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 304B
  MD5: c7be31e0cf344119dcc56a4f2646a5d5
  SHA1: 20f83bb1431705090874d0f09628423450fb5ac3
  SHA256: eda1c9a80e8c7ef279dc2dcaddbdedebacf8d91bf0587896ebfe0bf6f9bd206a
  SHA512: 332f0c10fb553f6ff7d17384d4bbaf6d506ec5ef64c2c6762a247079e05e740567d124eb341e68f26501015a8221b24cbc18da930a6d18c75151f782c0fd9bc4

C:\Users\Admin\AppData\Local\Temp\CabDDC5.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDE73.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b