eb16c17dc767bf23ee7ea3c4ef717824cff858558d7d4c8c0ccc77817ecde6b3

Analysis

max time kernel
68s
max time network
134s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web/authinfo-content.htm
Size

103B
MD5

6db19d225d480e73c44cb1073cf006b5
SHA1

47711410fdc2f7b9e6e1159578e563c0ecbef5ef
SHA256

e60dad82fbe48524133d5a89d1f9c8e5ddeb7037a8db2f29448fc34ec9f9fa49
SHA512

5603640428f2963d5ea87d21fa55e3844cca5dbc72bf461510a5b1fd5b72e38a0963fd6e14b1f691ed880b779278a41632f33c99d9179c5b550d5bb8618eaf3f

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b700000000002000000000010660000000100002000000035f7aa77a73e06e9175fecd1bb488334bd572c79970f8d42cd5a6b482b180793000000000e8000000002000020000000ec6923c8b883c9741c50ea22da282939c831e2cdd236eb6bf7b3d35b09c3c6b8200000009783d8b06c159d4d687ea38dbf480b7b48ffa977cf94d2cb47b3b4974b898a8c400000006cf9ed4d21c17bbdfa01a05b8377cdec6480de687da2bf522c75172ee36f586ce2676498a98eadb43d8796476a1ba8ead4ecc2d8662f0d7a092a768f7c5c6aa9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000003529ee3fd32ea1b1c918e2bfae5c3c9e08919cc5a60772c535e60f6d417d589a000000000e8000000002000020000000ce430907d534e96330fe189de6fbbb950d855d83ec8ade9c34a96d012cb440c690000000123658338db1a39e825dd012856d24eb10c891728805d69ae67f348547b2aa522ffc5c0a4f42d22754269a3169dd21fa384235258a80020d195533eb2ff966264a84bb2a0a1dc33fcb9a6e5d67961f290e9dfbefca53011f442e3da27195b6c93268073f0aa04c0440194ae6e0f00718caaca0ebe38e74bd8a19d939900fe8020853d531d4f6d95e0b0efae8cf0b3360400000009d5711b66859c0c8c913b06e885c93fd2fa6ce673af0c16d4bcd916bfd746163225570b07c2ad1b2e4853aada323131c923371e2f3e72bb69bcaa7587a15b6be	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F2D9D71-5D0B-11EF-B062-D6EBA8958965} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430110812"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8001355418f1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
624	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
624	iexplore.exe
624	iexplore.exe
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2332	624	iexplore.exe	30
PID 624 wrote to memory of 2332	624	iexplore.exe	30
PID 624 wrote to memory of 2332	624	iexplore.exe	30
PID 624 wrote to memory of 2332	624	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\web\authinfo-content.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2db6788a217c0f2ba5fd3bcc4851ad9a

SHA1
8b8cee6b01b9e6539843e5fa10cef4a1a7ae89b7

SHA256
f192cb5638947941bf4b196a282326571cb23213e4d49f2137a59c633f7e403f

SHA512
c82cc0855d99648bf5b37032b80c51898720eb14d766059fc09e2341cfacb3cac5964fcb1275e08fc7a8f54dbd32865f77ecc08df4120b85c2dbef76301f0225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d107996491d86b1675f7d66ec2421a8

SHA1
4d5dee2f82e979d92cffcf9d61a56536edd0a031

SHA256
4f6a8aba2506827d18a2053426b8ad6f87ceff760bf3affed027aab3560fe742

SHA512
11ed7ac355a2a6a64dbe9085706d6a59660800dbb5d1d7b0759f51d27641f1ed559364173275338156108bf4c06f5e35acb011d0b0380d180134952f3c7341ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28629f8a421a9e4a8f23f921b900d728

SHA1
fa2df80385fffdff70d96346f006d4d955974788

SHA256
25f2fdf5f3f6ac943e7957caf82b582c308cbec8db05ad9da07d6f053fd3c668

SHA512
00207cfaa7b54273cdabb0faed82dd951a4d8559f598cc510533016f6a3af1bc59affc2f147c24e317a8b43d82b9a4ce07444887e055f8f13c352c6b832886ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a368b16f146c5c6b5296f249af8169cc

SHA1
7cb804a5091f2d23d3c84a336d4c16372bbcddb6

SHA256
54edbf1fcb71d164753270435b0e548405f0e5e694eca9fb9167402e97cc5065

SHA512
98d52f4d0cd922c8019ea53506c4398c7a69e671eabacf818c3eb00a59ee8bf54a9624e421b35e5677e8d798f43d7f75d423df004d2ba7137bcc1a4b42532571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7295de833e8f4b7d0f5b1dd562921f4d

SHA1
bb2fd0fcfd422f30479b43647cbb256fc1f2c367

SHA256
90f1063030f12b7104dd49e98a24c9e0437f4dd37dead34b977ffdff130ba616

SHA512
94cfb32539a6053c3c1356ccea31758b2aa2fcc0fd378b06fa65e87e90760b363dc742c73c3524a56cadf6678a921f6ea82dcd9614c18aea8653ea9401df228d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd03b19a93c621a338cfde785d2e97b7

SHA1
bef4d91a3c5b9a24e503d3a41d3f7f88156d4a02

SHA256
3d83fad36b3234874111205f368bca4c536bda423027bc1b1bdc82b036067a68

SHA512
01cb6f909c39bf494febe245901335baa3a85c968a357211a922b52188e56e1529cb7dbc0fdfd96b6c236b3fe2caca4f74e44cdeeea118d13671c2aeaabcc702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e3c722eba0648c6f0b68e356c3a20a6

SHA1
d049600e080c5ec04cd656e47fa76cfd20aa9d55

SHA256
2a4d7b7864514264712871771eec8b797cb8c02010f67f170af248b0fbd98c9e

SHA512
a4e252589a06ce75ae18a87314f0a5fdce07b7cd0629ca01691fcbb757e8ce4a0823385ab847511d72ea6bba436e8833f02e2966387a587f6e8d5148c89ff026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3064cf5fea4b1cf2293833da29132a9

SHA1
f7d146a7b29e2ff89a84063310f6b4d80fee40c9

SHA256
1dfcd45fef4438fe6ef1e2dd115bc23bc297407db140eaf200949aef82ff815e

SHA512
8d0bac8a10127cb15e7b338d451e9568d20096172db2275ccd87f06b8168a2a4d7cb462301a45c6194a7df47a097093b4a80d4a62cb4ba1884b961af6afefd45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82810b0fd98bb84745802258e8f43763

SHA1
9428532d23a8c3f3b4445cae1db0f908ece48181

SHA256
4f1c3b0c4ac84e6b7dc79aa8631f6d5dd34509bf9ba1bb801fdcbd75614546ff

SHA512
744565c7b8a53455f766aa8bdc59b8dc8e2c395168e7923889330118bb5169b5c2211769119ed196ef0327db6784bb3570db153dcab093c2e80124fd4fd8bb34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65af7bd00d5aa1fd1636d7ae908f948e

SHA1
4e9a27a1c59756815649a19d999ece3d4f720a03

SHA256
f9087fed0a67afedac8294c1bcfe6bfe6bafc142f25e6b9e3a0cb7314fc6ea64

SHA512
bd6f0b8da882ca5dd67ea63ad87e47d60dde7568d938507c4e432ed9830e88ef27d99e6c13bef481f0b5414974cc2f44b14a50d25c4f6785193829df6db08b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7bfbf2258f407140053e138fb7e46b6

SHA1
f1f25fbf48103c88a44d50290e3beaf963c926a8

SHA256
7d6f48fa849634c63776540bd827b1f80313d8d3d46fbdc1d9f1c3883fc97562

SHA512
7c4368540ef11e9e447f99f060c05ba689d1d3cab47b64095b035f2a4be286338e90e0546f86cd343b53e166fc8f11c89db433ccefebe38ee761b86c71fdd470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8576a075d18ba3ab8b94ba6dbaf79bc4

SHA1
0759dad6e9369282d45c6fcef7ee6accf6d6b62d

SHA256
dc9a36f32d7fb8f303b7b8ebb77e5334135b07a2c9383e47cedce2b26d482767

SHA512
2304f41d691936982e2cd7dddee8040c2f6a7415e6426916ed4aa63fdeb55d3f0ba4271111f3f4802037c55a01bf941934f74560148e6882f3190e033d480620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e35c60b60eb148851ab96fe5c5b30d46

SHA1
b2faa28f73f8bea6493d6421e807b2feb9681563

SHA256
cc79e049bb57bb1ab10fb3facaa9478f36a3b5214b0d437d8aee93bd855aec89

SHA512
476a5279ce9769a0b1feca2b0cd467d333a21a0032c9d8215e07d75bfbc534b0585183b30cbed58237e03aa640242a8a856bb5cc9f845af24b54b16ea94e98ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d020022cb3b09cf19f21087bf13aba31

SHA1
929f08dcad638afc6484f6bb15124cc06fd5810a

SHA256
cccebd3ac47ff8329a1dda5c9c9bf6c21b4317c61e9c0b65e88689f2f96dbec6

SHA512
978d00a1793667c7e453e402dfb64722cdae533cb6874825fadfa16a3111c4d212e6c73b07091abf88d856d4940353c923cc06de1b32cd6d9b34172bbb3ef23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE3F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF2C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit