e4d899b71ba483dc9ccf5e66958e98a22efefb22f5c4980220f86679b366cdb4

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lvxing360/data/logo.html
Size

1KB
MD5

a44f960117da9c6ec62b73f96697fe55
SHA1

3456ae42f58eecb484a641f0384b1f7dbec70d31
SHA256

065868ec9f4d22506e07a26dd31b31fab49023e335074b83f7011549b082c751
SHA512

59fb5cff9c4506c30a76ff20547c5b353c60ef2da25d822e399ac88ef0e0e5ea0d00a27e83e747dfa952a0adb0e22a60afec0932824870b0d4a801b31a1d9256

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{74690C91-5E68-11EF-A207-6A2ECC9B5790} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9047114b75f2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430260687"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000a9759fd4738a70db5475bcbdc9cbe3b727cef26cfec3c442cd04c5bb7438de3b000000000e8000000002000020000000f0be7bac465b52eaca35cdac125b2855a78d9074e211697bed4f4f5a735a20c990000000e1c41b9890a5fa5a08a62af57110eae15fbce931b071bb453dd68a63b06eac93e128d704388143291c33e2e0996adca939f1f7bcdf23fe05f3a79e9deac524d82365a580005162abe3e83dcd9946035fdbfd30b8a882aff1c5a423384843d58ce808f31f4c35aae0ab89dcbf3a36e751a084c96c4f6ada62d6d676d459d04541e6d1a51c45368baedd848287f9f4d7fc40000000452c68d3ae80525bf6f3d51565b9a687409ec86d927f73ecb95a89f5c1542b88957169841a8a54cada5a46b481fd43821afe412142a4ad6f490c77fd9e24c263	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000ed051b1c8f931dfab44f411670792d7c5929d564783dc56913408b05b1a49c2c000000000e8000000002000020000000483fc5eccb46c2651afd4dacff2640342fe439764a05902150987947e80082f4200000003f39d2c51c8662cc4318b392de879ad7836ae2f7fc5c8c3483a835d53be3c72240000000ee8e9ea6cac8ffa34499665a500c3eeda52df6804db9904210f89c6296d49a945069e1e078159b6758f756bd292f4e6393f9744cc5c7f5c3c0e4791cdd269b10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1992	iexplore.exe
1992	iexplore.exe
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2536	1992	iexplore.exe	30
PID 1992 wrote to memory of 2536	1992	iexplore.exe	30
PID 1992 wrote to memory of 2536	1992	iexplore.exe	30
PID 1992 wrote to memory of 2536	1992	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\lvxing360\data\logo.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1992 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f044deb68b2f4936a0fee6e2b21c5a1d

SHA1
cb6750c1c8b1611d66ddffd03837cf64542d48e8

SHA256
ac7e3a7685f5dd6f7ec68edfaf07b1b230324bef3477fc2eb25ccfe37322a9b5

SHA512
c678b015e66d2af8630cd6161a150c6d6a7744b54baeb66f491f0c9fa61b07f5e903b76f4409c9d1b5a4402719092564abf97643c646f8ca540660e1bb9fbe5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97126c6282347a59eaee84d1851c1f83

SHA1
242f02e31cca29fdd4b261193652c43bf8740eb2

SHA256
c63c6d263b30347a2267bc01aca5b89b69bf9e7c8f967ef2c99c4b09d1097ddf

SHA512
40318feadd2a77240f26eb3b0c87f3388145c1e88d297c5b3f9c228987b139f78836ec78b87851a435d4a15b850ec7f8ea40910073b25630394006dd53ce8993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
827e7b2a0b1723677cc5cdb2de64d1e8

SHA1
f59536fecd9899a1edafda837a62224057833769

SHA256
7eceb41994966ad3ac581e700ec46e4946805b583bf80b660c40281ebd0887ee

SHA512
8e99316c25bd5f113fc338bf070886fee14fc56192226587a08dc7a5856c518e1c5ee42dd9d002d45709b48ad3c552775aece835283e54559953a8387fcdd115

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cca805183867b2495de778bb85835676

SHA1
6a360e2177a26e234044ff2091c0306dfb124893

SHA256
0695caeabfc8c16778818c001001c5aa040335c8d61e6bd3c2e6bedecd2f1069

SHA512
6bce7e22772e29d6281f300864e25bfc9dc43ba84f64a07bbb839ff15b348f961ef8e68e5dd90473f88517453429fe35119e7cc6343f5fa1778908d65e8ecf1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
183d81b9b1573bed11d570dcfee3432b

SHA1
6fbe6626a603d51be1858d25f15260c2a473e8ca

SHA256
a2155abb4fea590ec51e869df4789c9b21d86a53952252b146e145a9abfe68ba

SHA512
2c79fcf6ad1334ace1970110df9ab8b5940a024b0e6da0261d4931bbfdeb0760b96b945659e30ea4c1ee7f2492b14ee8bdb85a97e28ab238416362b4a49ea74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c4e55ade307dffb4640c3affc7a7429

SHA1
31946386230622e653383549415af540b0198a45

SHA256
45d471efa25ebe6422ff13fe8d5b13c68d86ec9972b86fedd11f02591ce9ad58

SHA512
53036674f4e770b91d923bbfee294b280686a9a2b6695f1c346757e3f3e9be86a1674c111cfbd5f922e4a8b37bb0182d547dce153bf5497f45feec2e85918bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b199917b6f04ead5e776e602ee89ffc0

SHA1
e6302a656b110fd090db67c3b83353443951938d

SHA256
f55e5af121c2b7d0b5adedae1114eb2e793d299f22e1284edb2f43186a482210

SHA512
eb0d55d50bb664bbd8ff9648e2767f62954b3890c12fbc39edc97a4a85be22ce32b71da37a96401f62ba874aac05f832df30a66f6ea635e80e800ce96503a3d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8c30342aaa6dd0e3e5df9a07a52e2c6

SHA1
0c13d3807cb9d6c20ffcf560e171f84264073a48

SHA256
aec4bae7de263c2e3f336e35b72108321689ef81f63165249708f56694284303

SHA512
28a865bfc7d63a22f2c6e41212b5bd614546beb76a4b4b5930b455e5649526a21894d80dc66adca3e6c66f3683c25cc208b4eb247330f27421e09537391dc5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1846a95a64225b67c2eb715ddc59845

SHA1
bc3db739080d8f9bf37dad30d5fc43c89aba3c2b

SHA256
51a7f11050f8e8b04a2f1967d4eb9e5dc9d6904b8f6dc5d5c6283e4e4d76a495

SHA512
f807bc0ff039bd4a38c40cc2169abdaedf913402bfaabb3fae563371a997fbbb01ef4a9bea93af37f6fce977bfc2182e7a2685e682a8001d32b6538befa4b752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ddb3629f7df95a16ce565c5bc996564

SHA1
a257798aaa1706350881d10655d28abe4e6b3b85

SHA256
2628c18a05851c18e873946c99aff44ab286494e9a7aebf456d392e71c9b0425

SHA512
1899b306bb24138e891e3d80f1a2cd3a07617d7de6e18a9bf9744ca08e7eecc5acc337315b610eccbf8de133f7f85701b184e7fc4bbddc03d2995d38e179e71c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acb8a1f7799b013599e830a1c5a62b68

SHA1
2d77c96832978e7449e32311c08ca816f850a34c

SHA256
c9f25d6f49a70e25371024929cbe2ab21341ee7ad75828ce100a1a38367c94c6

SHA512
f4401e45bcf4df242776dd05c41f6866f96270a25baa26dbda503a971ff881ed88578f64f7f69a749cb8a290bf23b6f2f61add0006b18dc4a4e677580fa8dafa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
808d91e1d2acacbe9aeeea29ef6a6db6

SHA1
fb7d5e6cb3887517bf316755e6c4eccd713bbec5

SHA256
efca5f42213987f00071b176e6a96cdf11a12b629faa7662c5f4e04382d7de16

SHA512
8a5fbe819058e8861a212f387a10705526dd0c96fc2f2e27190ae212f0541eb9a586150ec99e8c2c52ef812278c49eecb5d8617c2f32c325e0b89cc0f830c5d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36595d37fefc1ed6e4359ff13ffe186d

SHA1
a080c3a60c4c683a68f7d1802863ae3d8a7d6c22

SHA256
4b58e49be6d0eefcccf88c04e31e7b64bf8bd782486b68337e300fdd89625a43

SHA512
4435baf5685b519c1e4eb81831e5f2f51f4ad358855059b099dba6af5f5fa6eeceac7f49a0b6a65b45ccedc6443b5d7def5f50f0e45011c83e1339a28fd1c46d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bea99de14a1002a6c5c517fe6a0cfa58

SHA1
46f2d506454786d39e6d3d78ae2405da1fef4c9a

SHA256
760028422eb0527678729d7edbe1b8f4da86bc0c3ecea8da4a7ca8ab1442272b

SHA512
d3a92c4505a4c7afc840ab3fc9ed3c8b40838914f5a3eb54582fff8d2555c7cb2060d10d5dd41f3e761356d49dd1fb02b5945cc3cb140f33a74d919a6576e56c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f8935721c66ef7fb262f797cd89d3cc

SHA1
ddc1bcccb20c18dd115b1a52b3d44b7ea9fc5608

SHA256
04b1876a0faec33474a1dffdddd80bb3ae73a46313a854d6edcc18ae6eece839

SHA512
1f7ffeb4319114bda23fd6561b4982fcec861712083c73f7d05b4157966c94fd17cb3e30edffa2088ac18e2838c549f4880d8e994d96163bd36acb6e3d99eb0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b2d2e8210d5b4e8835679b5a33df255

SHA1
cf643c1d565b3bd66aac722100e541b06516d321

SHA256
2594cb97e6cc261e3dece10413e42e4001f417cb365e553ed2f18517b661bd52

SHA512
07ec98a6c30dd3805e599fd75111d58e9b4f3046a2cf34289f2a77e085c8cb1c9bd4045104a8749107d7be12268ff6bf3d540682ec8939d312c44f5823fce36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65fd74daeee17d0fa7dde88616887ee4

SHA1
76866c25dcd20523d3b9f69fef7472f5eccea797

SHA256
72be5227def766dd24b662404af7c3fc19c758dcfd792492a90c1d4cf4911419

SHA512
28d204bc2e4a53590622189a2b8c46e1b09d409c488c701d5769887d7d398debea139b286a7cf77b4962ab01fcee650d307f85fd4cbbfaae2b30ae60ccd036ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF99.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE047.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit