430336a21f44aeebb4c6f8da5536c5b5b149265b2a6371ac0dfcb410f528ed26

Analysis

max time kernel
136s
max time network
132s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

thinkphp_2.1_full/Examples/Blog/Tpl/default/Blog/archive.html
Size

2KB
MD5

f85eb0118c272bee7d1934baf23a57bb
SHA1

915abad731a90cf6de055611e1e2616efd93747b
SHA256

5d6500d73ce3675f339030a44f1aecec211fff32f1057bff5c0d9cf44ba702c9
SHA512

c43de1e89c75185dc4ae66a900b00ed58aa97f584a3eba1de76033a485215a3a456270c0609b338b65491b0b8040ae397f205507d06ae7f9c73bbcab776fc0f3

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8A3933A1-5E3C-11EF-86A3-DA2B18D38280} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c0000000002000000000010660000000100002000000048bc0bf7d020dadb87278915f31be00f0e522387c2c20d880a439050568fe5db000000000e80000000020000200000006c08370c44c42118a5d489e65c577a404c36841a4176caf7c0b9b3158f050725900000004afceb88b6175886bbdd4e98fdb4704631e715d0720b0b37486ebdb7919254ed643cc3900757c55ad5f07bfeac397baa422bd1a9bd15b4b5ddda6e2deb610ab32e05c937438c9cdbf935614e0fa87dc967c6eb2bfa1f19f64148601d906eab0ebf44c6417f72bd598d51fed0f2e3f34a7aa87a947c4731374d48d02f11d1960fcf9727263645ea9d26f78cf56fbad4c6400000000ae6919c94398698613f728e03659a63c057b6e5c209d000b11e233e05212c05db0827e2b89566abfbbc1e2e60fd2fa96a225233ad909f1e1b9c7c13b7a37d65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430241828"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a8ae5e49f2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000100ec64ab85ea2274084e93cc5b51d7555f3ce2ddae65b7ac9fb3e5f5d17d011000000000e80000000020000200000006206772dfefd9d44c0e6557a5846a273af7643f16fa19683a18b453f05704047200000000f6651097642ad16bf219531a8214c417fb3803e8443c31b48c1da6878d5be6340000000e2170289aa97e65fabd4f835f41eec16af1b1dce166ef1c63a5ab99443c6b552ee894528e028a9e75f4171f5e3b6ae2814625c352e0c1c9e913fca4cc2f7d6e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2420	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2420	iexplore.exe
2420	iexplore.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1940	2420	iexplore.exe	30
PID 2420 wrote to memory of 1940	2420	iexplore.exe	30
PID 2420 wrote to memory of 1940	2420	iexplore.exe	30
PID 2420 wrote to memory of 1940	2420	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\thinkphp_2.1_full\Examples\Blog\Tpl\default\Blog\archive.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
94ab36d73554d8d6ec90aacd659ff000

SHA1
cbf1a4062679c4b36d9847bc9ce0756488f46ddb

SHA256
2c8cb1975a860fcc37e3fe230ebd45d2da343109748a2d6ae77a0cd7ca6cd1fe

SHA512
399e14a9ef7180527a95dbf0a5c36cd5cab97093c9e22d1c05847c58d18d90ed80bef9721904f27169365b201f10cb89406da9b442fc44889cbd4daa26866bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
287ddf9a8328542c35a4ca649d76ecd3

SHA1
30b6d3d2f11ef1124432acde856577e1467006a2

SHA256
c9736fcd8ef72db17edef405c135b8098f0de99fff21062b5ed2b73f42c19431

SHA512
53e6caffba10da0560f1e008d2ab5f789d7fd7358a1b0d6e6d939efb28ccdb4b6d30ad85cc80171080249cf08e7e341a4f6fe61800c8569323fa3e2f87fcd9a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6b93f25e9b585ecfe1012948cb51b043

SHA1
18e50b96e4f5010243214ec69adcaa67270495d8

SHA256
d9061cb9b1d01c92a05f07c0bd0a4053bcc59364f3930715ab19ea01c13c1afd

SHA512
9e7c489da763209239480934bb9b9f73218b1e77557d8d49c85eef2e2133b40b68e233394021832a3252ab45f460c4766fa92b904485174643c795c714681f35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b5a0bd2b72ec13c40dc790bef5c84937

SHA1
2c5c820c93a6db512eab4338430880053865585b

SHA256
4265c27c71fa4df987a07e7323eafa4b2357371a5ab5bbfb9270ea17b761da9a

SHA512
f237216caad12c2d4a53ab5c62e339334b1556156a7bb92d10ed73253e6f1be8e70d947bddf903f8faa11e0dadc646f116e244f0903ad4e3923f358a13d364d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9a4acd8f454ca81c6f0c53fae48ecd70

SHA1
945d0cd22d9d9dd8239dade7d4e8b5b7848ca80b

SHA256
f16f3abc9771d80283abd644afa545a998cc1658c7d33e42b1418a0a8e727f16

SHA512
434e2a508cf802737a5447e753652cc1c9fc81c95ffd429232f50da44ef39bed4116c7f30e1d0d0a691c6bb85e3a5430c61534d1f5004744faa0e98388e4296c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
82cba8f5eebe89d1a9f44012b77e804d

SHA1
33b644c609618ef8bb2789f8fb2e570afe89f9ea

SHA256
43d379ff7cef2421731619383e0d7cf0e7dc8984057f8d861aa2f0fb1a3192f0

SHA512
653265bc9ce01a70e91b56f8014c26ea52e32d1e4ea77e6d1d61eb31cbd7377acc412533322909b4952f56abd9cbe6f009262b045faa7b74a0ed64d213b62786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f5ab8cee3c3b627d0e2d9a73df26c560

SHA1
d4d7e92a9dc73b5ce294e602fd90e7e22d503043

SHA256
ec8f6267aaf1bed9803b142879d96997f3c7a0290c730aa43eae0faba350adf6

SHA512
b67fcc5646b3a74a1b53e2c631b042b38819f3467668e276bf001ad67d6fdde0c452c08adeaae95b273936109b92457d1da66883894ea325a9e85cfa71b7bb9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7a8679ef944ea472cea7f9d283e08d57

SHA1
1bc0f53164d9ab911cbfede80e39b399eac5188c

SHA256
b260f84c527f9b34208bc1b9cefcf2a36b937e8e5521567d4a11421d3b5f333d

SHA512
d31fda5624d5e1ff275b7c2ddd00f33b85435a312ec7f14e08fe36c07b861d55fa661884a5ea0fe02001c782a48248da1b0d53eabf5a7da540f98ecb1d702e8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
54b3acfbd33eec60c68054f8e9bb6714

SHA1
a25b4dc049f7a9737c89cbbfbda7d8bdc916ec25

SHA256
6f3042527266f3371bf28bbda85e331b93360e24608fb388b546d504c52703a4

SHA512
272ab0f6b79cfa12b24d244886396fd3fb721c1c8bf5fd4bcacf585b892efc08e276ff02fd95d83ce0cd5f7d9f4d8561d344d7ffd614c7aa3fa7ae36ddf627d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ada2d819cab0242c73672c69c2521b9f

SHA1
4c96f7280e7a1db0793282dceefd2aaed06c3544

SHA256
e8aae341384c651ff3ebec2b69032722fb80a03a9a05f7ac5aacc93299a4c3d5

SHA512
38c4756e483e77bf8f0fb73aa55578e306c5424d66318d3213e5b79c639afde840f05fcb15e99bf834a08f00489b1b70a5e39a46d90d122d1d614c3f00ddf832

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d4dcfd89ebb5de9f6aa9c0a3c8773d53

SHA1
6c1babfe8102a5d05081ca5a368dfe12769bc260

SHA256
36e5e7cfb3f645fc4dbd4857b1320d606226c51f70f6fa19ba8b462e13b17cf6

SHA512
96a436e6dadc76343729ef5fdb4e0758688da750eb40c7d9dce6cee656aebafb540509edc3ffa9a472deb2204e4c3dacfcbf001de11f034df3bf5aacb80a65f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5e4c304055c7f0bcb5555724ae161c26

SHA1
c33980bbdd831c9f4a2c70ce26c76a52f7528f6d

SHA256
2ea56de375aad5a487f88fbb980201d616fcbc4d6bff2e8fb783093a15b32951

SHA512
257893e11e69d4c1a9e2db2cc21414ff7b9db54870e2e0caf3da4f9fb72622e3cd1f33aac4789b668a611dd00d8825a41b773c0bd83dbab5dfa533b79620b048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
888d50f04f814b7be0dc393bcc6a4fde

SHA1
71c2c35ab26a0f822e59689152c52ec457511ff3

SHA256
e6b2a19984ed600679d497194d12ae89c84c05cbe73ec842adbce56707495e66

SHA512
a4fb3657379874a28a533be9e35ce7fddb4c849d94f34b875d85309dc6935421f4f39e579f5c47da4bf26c5a74f0a852adc3c7cc588d5299a4e57788424b2d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4d25eecaa87a2eabc0bb2e55dea8ca62

SHA1
cf9b9ee25f38b6990834acc5b5dd64bd176f1c0e

SHA256
c4d1f29fc44ca8fdbad1cf038ccb13f14b7f4c92718451617d42c7a7e2d659b5

SHA512
656705ef539b8c1e690583ed9f8b4611a0252b79febea5dd8cbe2c77ddb785b0f1f1df0821855f71da67b8f53b4cc87507593682f05ec035f5edad2ffbb5c2ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ee5b8ad4a3410c942c57b29b2cbafd22

SHA1
f7a5007bf68eae30512c8e9148a7fb245338efc4

SHA256
a1db2b62d35e32e893b4b9d2ae86fcd4aae7626d38a8958c4979ccf1f9a0bf89

SHA512
b0ec1dbe962bd090bb44c4548190f5b53208901a2d727873f2cfed8de0c6089815a2d2903dd6c67f53006f0a8b47ef3ca38e8eca3e03ce9343c1f3d099cc47dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d1f3478af628f4bdd2749a5f87916eaf

SHA1
de375666d3fb1ed6c5dbd650cf9aa0bc31bc065a

SHA256
abda720b8b4d3b40d5e4d42103e9652933fb277c44dd738f4a983ed2d1f5db73

SHA512
69f84db0bba5dd3aaa41c32df45aabf18aa8b0d7f4c182d704bc52336f378011c0f323a6f372012ac947a855a853a2696e2366de50028528600b373f916cca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD885.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD935.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit