acef0d5119b2d2e5d11209ba5d1b34f6b664ab964df5ec8031908493aa9c4a09

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lossless.Scaling.v2.11/game/LosslessScaling.exe.xml
Size

174B
MD5

2a2df45a07478a1c77d5834c21f3d7fd
SHA1

f949e331f0d75ba38d33a072f74e2327c870d916
SHA256

051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa
SHA512

1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000ca4fdf9d74bc6524adad8ef9a1d7ba9ff6a09a037b2ca797f395d28bae2dcf5a000000000e800000000200002000000035fd417300af6e669c80759074a5c8f0a6016413906a8c2c676b83f89959885120000000baa8ad1064dda45238447482434ae6fb15174738aa35233364c7dfcf42a2b25640000000e67c385323199215ff445c1e568b1bec75b74f70fb3431c603eaa9b4a97b8e2c906ce6aa854e2beda7dbcf80cd30c54f46d693d793035032e944954a163bb41c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430261571"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20fbf15677f2da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c920000000002000000000010660000000100002000000058f953f0d80255d0a1778b396103c84bb4dc6cdde8a9392a40e8e82542a67ad7000000000e8000000002000020000000cf875b23edd5f8fa72f6198873871ccee722b772bf9c37251375e301020d8f1990000000b60960c20f6288c81e3271a76b8cfe25940a94ac3aa0ca072a90f280be37d7e6ab40fa865b5c14dca0433c42a20f0dd24879e321f5fcce2ab3ffb6c63f8cf3ccb9d1aa0383ed7ebb1263fc9472f11b96dc99f6e4b7d522b9a6914b0ddd670c6bdef1c208dc2527aae7d73e19a64f58638ed7412c42e7a20b84c3b115dab99d3e5e17bccc8fea20f9159511a2aa988d404000000044f60e64a0723cefa37464d2277370d13bb326d22b844689b37d0c47b0d79f402f55294547948b12f75be6db16147c11632a00c74d25ff2a030a39c806abe845	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{825B90F1-5E6A-11EF-B88D-EAA2AC88CDB5} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1472	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1868	1972	MSOXMLED.EXE	30
PID 1972 wrote to memory of 1868	1972	MSOXMLED.EXE	30
PID 1972 wrote to memory of 1868	1972	MSOXMLED.EXE	30
PID 1972 wrote to memory of 1868	1972	MSOXMLED.EXE	30
PID 1868 wrote to memory of 1472	1868	iexplore.exe	31
PID 1868 wrote to memory of 1472	1868	iexplore.exe	31
PID 1868 wrote to memory of 1472	1868	iexplore.exe	31
PID 1868 wrote to memory of 1472	1868	iexplore.exe	31
PID 1472 wrote to memory of 2840	1472	IEXPLORE.EXE	32
PID 1472 wrote to memory of 2840	1472	IEXPLORE.EXE	32
PID 1472 wrote to memory of 2840	1472	IEXPLORE.EXE	32
PID 1472 wrote to memory of 2840	1472	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Lossless.Scaling.v2.11\game\LosslessScaling.exe.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1343f616aad3d23496c046ba16f22ab7

SHA1
3ba785849a42ca3e724a21d57de8ce0565d7f455

SHA256
859e8cc4976df14fd87c5acf99f0d33748add605bf670cce43f3d987533302fa

SHA512
0a0daab1c0ff94f4b0fa173305461c53eb71beaac13c8d3d599711646a06014cf88a42016b2cfef08568fb8a47bd2f4ffb440d549a1d172bf7cb1dfbb170cd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8cae5bf7d9450e9f3a1e95a89393d7

SHA1
6bafaf9de9998ffc031a35386d5e6b4d00a671e2

SHA256
4c606341aa5f50433fa3dc47f8d23f61e47bb4c45c77a014d62017db8d22b17a

SHA512
8aaf62ed13ed4cc86be4aff312c00940051ef8dbf9a5bf9c98a651bd0f2b079244925e2652565b2400f1bde41d844781f80ab7849be34538a959ca8b491bd0d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9974f15cea5b30f60bc886ee1e56f942

SHA1
f256b6461089bc7494749257fa56b413ebb2fa0d

SHA256
7a45440f5cccac3b5b2d6512800e2f9da92b291550a0217634a0be8af4d330ba

SHA512
2fb3566cf8ece547009d0fc9bf63548c268afb7f3996d646a9cb4716ecd4af2f7ba3e9fea518c96c4257c1b2e17233f8931d3debd18f03cda14c71c1eb2ae40b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d58116066d11ffc23ee6224252c80e5

SHA1
4f8b4635c189cfcd25424f28f1cf51ac7f8315fb

SHA256
83c61fd784f1585a466ea8c9167ce913cee789e4de30deb852f2e0224d2b4ad7

SHA512
24de707828056415519712ab5372397988cf68a5c85ee9d112a95d44caea4db37d1eae7728270d4f4cb6a12c4928b97c67a6807a40f075cdeeca6584ba488aa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eb3066662cfc72a11e3e443c4f896be

SHA1
48b25de8b9d6fa0906526599341934f4fa189dc5

SHA256
12839c7e5e44585b040108d1084433433e78ede8c581060b9f942485da7ec639

SHA512
d9d871ae99e9d4f37e56767def7c78c54b0ef562492e5f52076b20aef1fe512010cfc82b318b338f3d3d7af7ef17c095aa3e367f4a7729bb620bb84c21e101f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c23c0ccc334902f9a40fe638c97663e9

SHA1
f867cadbb8eb5b47b34f1ad518a1f947f29ecf85

SHA256
27b5f32672d256879708f098ec58ed44f74f9f2aa83058a80ce651c98e1b9f2a

SHA512
337c9a6070c33a8598925a9f4077c9c1dd2f684c7cb5a9a78565af974b0685f510d9f9f5406d5607cd38e2e8205f38ef7497cba81cd994e192c413eab58a1e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
124d0770edc3ef738b8c0fcaee4a1c19

SHA1
3bff9c3ef354bbec03736dcceecd2989cfd44188

SHA256
cc6f6463f04319b61c4446e953d1132af55404c7728838265a5c8af0465ce0f0

SHA512
044b75b78167845db37603fa313f271242e87da0e6eefdadf2d4b197ecaee1c0a41e5fee528b34b687cee3b15c43e4d0e0f860cb15ad8fa86b0116a001af8a11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb51ab8f305c53788a266696f93da1d1

SHA1
f631c1577f2f3711bb5673a49fb31f1ab2bd9444

SHA256
3a449e91f46f7a0d05716eb98e4a9294df2526939bebcb9004ece487b9d1bc1c

SHA512
7508aa11e0928481260c2876b55fda0dc51086727ed65bf5c989f04ac36cdbd60565e6a70113fa404f275794d5e4a7f0dbfbeb9b452e4943bacf759093e06684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e8425830bd871b80b9822c9fd2cb1f4

SHA1
f0033431d8d599b3ac55f82d132fda4686ede30a

SHA256
24e13df48fa51ff7932aaee7733f3436b4b56fa31868dc0fa6415062a0096fe8

SHA512
28d3b16c4ab374adc1c34fa3f679ce01425ec6860d8b3fd8d525e06623a438ca166932d8c8fdc8d0f123df122daf2c3d952dc2a93bef4c422f1d1e949ff108ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fdff6bf7fd888e581f4db1829d3a635

SHA1
133d48d812bf6578eecd29785bcdc9900b616e94

SHA256
35a5338227fc1aa1677544619d75c486b4fb579e5033f6b1ea8b485152c064c2

SHA512
f2a564785b99664d9adf6dca3062ac702ca3a89be2484c8f4aed8c70ff83905280950ebb95d4b3708f097eda6ce45410cb4b39f22ebe7949dc7c44bb37570ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab99F2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAA2A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit