77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe
Size

2.0MB
MD5

1ae568d2c74ea511d2044205cc66e202
SHA1

837fb6c763d696b213c83e7a06140901c0c4f1e3
SHA256

77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813
SHA512

4e3dd8ffdece5da79035ba9766933247b04409e079384c80b7841230ed2910173c249dfc0ec889e7e199f8c32472c229293c0f16b3e1a938a0c7932233d19feb
SSDEEP

49152:eDUB5T0/UKwNVKa/0pZWRKnTRGhswvLyooPIh0MJElhkqHJGT/pJbvz5pSio7SU:eDY1oDpZWWTRGhsw+vgh5JElhk+GbzLK

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000cad3bb4a02e12904550030a3f1ae6146bc89d9f690af4d1e82c759ac11aaf0f4000000000e8000000002000020000000bc133c3580045be8ae5fccca28a55aed9a25191a738771f1f6924a1d6347c61620000000ed84e1e177d9ddbe3e2a8303b40205d08b5b49fb469ff1bb37447339614ab443400000008b7169b9319a9c9a263df95c39c77abc78052ca9934513511d891d696a36d6eef0a24bb336dfa6743b2f55042ab6dbc7150892af6b47a6dd5d6d97a69e0bac08	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430102323"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9000331-5CF7-11EF-920C-D692ACB8436A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a212a004f1da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b700000000002000000000010660000000100002000000024162b59f1df2cf43eefd8f1875629570e05bc14234048d383aebd834cb75024000000000e8000000002000020000000c8295461c2f81f6d51f487f5c2bc24e28e7306e0f99d3c6c26a7de497ee82d4c90000000e7e828415dfc133c8bad3e5b8ae662e0cfcb89c7dce436f34fe5c05c99b5912875f0f2822521185e05b56ab4fd76d63b76545b15ee6475b7caf7c827a0c52db7439633361ee8b55567f7d44841df5e3bd05417e6e13fa32a1909c9c2feedaf78d978211c64d664233be1de5a8cba9b1a71418f4b5771e49025a05404a42cbd41504ed620073dd0bf7dd1b2668da7f5bc40000000a390bd0bc51ced4fd939da0b541968d866fe1631882ff31657fcfd810e0056897f397f51cb31be5940ddcef67b8cb9febb700d6137a8886119ba47293fbdd164	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1712	iexplore.exe
1712	iexplore.exe
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1712	2532	77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe	29
PID 2532 wrote to memory of 1712	2532	77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe	29
PID 2532 wrote to memory of 1712	2532	77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe	29
PID 2532 wrote to memory of 1712	2532	77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe	29
PID 1712 wrote to memory of 1716	1712	iexplore.exe	30
PID 1712 wrote to memory of 1716	1712	iexplore.exe	30
PID 1712 wrote to memory of 1716	1712	iexplore.exe	30
PID 1712 wrote to memory of 1716	1712	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe
"C:\Users\Admin\AppData\Local\Temp\77b0a04cbb4ea7cc5c1e3855f1ad320b492ccb1e081c842352326afd9da8b813.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.filenori.com/?conn=filenori
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0dda2e6b988eb077e4e6a8d65aad853

SHA1
70e2d4e8cf765583353597eea8cb219547990a66

SHA256
36548fddf744de408443e7fa53240e21594d1c195b5e07ad0cc9619a9f7ffc74

SHA512
1d266be21f419639dc205c02eaca8a0f19846b6675fd5e1fab116dbf811a593537ad53a1d49445f3d434e92132f1dd0fb4c9f849a060bf05b449791372896e64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cae66878c943c8b6bb0403ae1d252f82

SHA1
ccae71c75b7e3aee14398805665347882e876a62

SHA256
49fe25ad77b6b02b91624ee212df4cb4026017a2c5108735bcabee1534ebd1aa

SHA512
5b813f707e205a57cd627eb86be5eb12e8fe355c55930e62877fc67ab553f4e363704b47a30e2d788c50b590e7b4d850287f0d1bfebb98cd3df63f9fdfb28ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05c3999cd8936ab5654ae3751b9d6f04

SHA1
1049a707148e5d58997260420c3490bdc7a39a93

SHA256
598aa222e1bd669449f57c028ca5772ab90d661389f63137240e240a04f12059

SHA512
2aa903dab34da536da6201e14b9a981147f317a4ad5578edd63337fcadc16d72ccc636e077dbbb1fe1c66c7770f18dce33e424239f65d009ee0847551f95b291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
debd4a2de285a3f852f0efc966d0f233

SHA1
85bfb619a5f3a381e754b48177c56f8e85a94f28

SHA256
7b8289bc98ccdf4f7e169c3b3a72edd03b0982e0df1157ca8b48c36f83607c9d

SHA512
3e70237a81c74c3292f0ef5b830ba9029137f0635f3bd2503d0ca4da0b7f1280a858ccf98b477bd4ee78c527b65e899edeb9966097b84d5bf6c85946796cf649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3064d5a8a7b83099a88b98fdef1db408

SHA1
f6ae2928f51e03d2e7ef8358f83c54d9296cbf9b

SHA256
e64fdd1131f2f340a73cdea917bed510d7d1c75d987062f1d7a7fe061a2b314a

SHA512
43627fa15619e3fae77bdfa154ee0e778705f4634f6acbdafa45f6ec2ad530da83a4bae9fe6d8a3e8c6dd94bf005361d61de6ad3e7b2a8d6c0eab2754817c015

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78e53d53bf499201f7c2431c81265ee5

SHA1
a3170659d2ba022bcb2f1ed2edca8c341976d2ed

SHA256
50096864cc35210ee428c831f040e94860126996032776f590f55a9c4b278a97

SHA512
070443ac03f7ebb191135eaf7f9d42bc38d305171034f9fda7435a31943ff502d321a5c8b7c208d37a61a72fb89094c0af7cfee97cd1800c979a772420736392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab17a1520701bfd78d5c857c6783996e

SHA1
33fb33776c6184771e38925977a076423a617910

SHA256
2504a501fc7f09e76b93ee26c1b38e0bffb0f2743b69a7eb9786f077ea249056

SHA512
77703cd2061c32d5132becf45fc7ae9170c0f66f136ddb5917f8d643d2820a0bef02f3ec650c8acc56535f53362e7e92340df4549d148a2ac5a6b69fc11065ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e3688bf5a524d69a72e5dfa71923be8

SHA1
381582c47711831b36a724b2ed311525b7b57890

SHA256
38628bd632fbbce264a5000273e2c656185b84f305ad0268cde2f0a45f37e2f4

SHA512
cb21a2dc5f68620b9ed6ec900ad278a117fc524e125a71708238bca576a3e19c9661b24036a7803e3475e6ec8f66eb4944bbd59200643be1689a732c23924fe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
455cfaf46e3f885a1acf49b757ac3587

SHA1
17356aa1ffe8b4f9d57e08836d5a4a4a24d53a82

SHA256
f04c9e2851cb478bbbcf5b65aee0a00061e3aa7ccdaab386fc26c60e0e81e61a

SHA512
00d8eeb58a58cb51593298a8282051a0c003c9a7f6d12f011904d3fd5473a3769262765765d1c9f1dca0cbf4003b02613f8382ce721686a1c8625204913e9641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
598e321223e185f0bce3f7936fc958ca

SHA1
51a96f171ecd34afc5156b01c7a2f3ab4810f2d6

SHA256
d41c23ff0d05fac88eea2a18775ddea0b117aa9d7cce24823df82e9f86429b3c

SHA512
7e70abce991b62a30f5b2f565b928f20e2d266e9ac517e5996caf24867fa9740b67202cd561a6666bd70258ec198e5d4a718f1d01855306fb617c3bbeaa9d9e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4012f3e68661c3f727212d3b123a47e

SHA1
4fa59d10e44170724f763228f4074b742566f432

SHA256
be44d5ad10cdef0d63c3a7df2fd225891059b0b8f51944cc445cc12912ef4383

SHA512
ebf2fb96108572d78ea401f2c7fdf1fbd81d3c9755ab4cd264947be59483bf6649be442dabce186b5ceb52bc54076d787fd4b4a0eca04f27f6185a6757cb9a35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12dc8c8c74d0826cb733c598f47ca7a7

SHA1
ca6f0cafc845fddab5ee6eeb18fd550bce7dbdd3

SHA256
7bb70d7a87b7a8e64815b9376f6bffc205da0adab91c3fdfc3df62f64175996b

SHA512
1fb26507acd2e46e806b97a58f12bcbee8d5c53038e728d69cbd129a3e12e66b1cfe385b048427771459ae2ad2659061c33462e162f04af1c5b3fd950f3572f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CF2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit