591aebf6e2ef1633c1b52367e43baf4e394ed9677fdec43fd24098c84a7b9481

Analysis

max time kernel
121s
max time network
134s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 00:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

content/aboutTabs.htm
Size

143B
MD5

30b063c23ccd0e573f7956a49e6ad2da
SHA1

b43ddff041bd7e3fdec541b0b3004ecd661db8d0
SHA256

dde0330a494598aee2dec1ed467b0ce99400b860a9eec03e59a963090736cf9a
SHA512

5af5794bc10afd6692ef9eccfb860248fbf656361fd6cbbe399e497bf0f8c9e9e603eb0dc3781344a53ae84578e1618e60a9a1096cc3a0b149e2e4c82c8c43c4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c000000000200000000001066000000010000200000003edee17d26900e3eb7ef64d21ddec04bf47a9e4dbb76c9f2f4fa33f1b9a14414000000000e80000000020000200000006ebda2e31696eb7163dc0afbc9619b1d7e8a262bad973b92e893f1117392711920000000b5259c18cfb7eef50d03b6031bf7e820c6eaeb13239d4ea6ad185b21de55b45d4000000017cb6e796a4e8e3f340fed40584fa48c5dbc55982fac83a95e6152727ce4e35d669578cd61d9b979ce05953ea4322ee2297cfa969b3701d8762e9185eeb1c964	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5EC6521-5E8E-11EF-8FC1-C2666C5B6023} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000769270ad5951c040b955912689818e9daf199f00a27986a03bb1bb56da262a92000000000e8000000002000020000000d81619fc25b5f3f044bbf672b0c44ca856ed007011769ee57808a5e78dc18aea90000000e8ef6f5b06514fade87dcdedd697c45323df247aceac1d8e0124b8ad1937ee261d6fdd5f3ea9a8edbda42703350b95834999642f62125a94eb2d2acba0533b751052093ef830fe68c87650d0d918c7f132b0231f0893ecf9378f6be8ff47d8c5720c32a3b81e04680650d1b96a95ae467a833b7e2a045f90fb5595d14dce955cc94f1065796dac85089d682d27884f8d4000000080f0dbc77c4e52596f96d27376e80ebc400d4e425977981ec41ce8fe9a772b60641f31eaef46439b9657b7bebbcbb327a0ffddd7a1f79f2f840b0324b4930c3d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430277231"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904360ca9bf2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2852	iexplore.exe
2852	iexplore.exe
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2588	2852	iexplore.exe	30
PID 2852 wrote to memory of 2588	2852	iexplore.exe	30
PID 2852 wrote to memory of 2588	2852	iexplore.exe	30
PID 2852 wrote to memory of 2588	2852	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\content\aboutTabs.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6569bd8197a9f9a222e4c48c8e6821da

SHA1
47c506c2100fb59bac0e9455680b63a74780db35

SHA256
1850e818000fb25d8be84b055fb15cb4c319217e957b28c1ea9f2add2d41fc8f

SHA512
682187d8563754c4593b22e7c10d5dedd11d524f4d6665f31755a735b56f8aa281f6e04d10df8a11c17f9306499a350ae3b19dbe2ca23b38586fc8cd90f2a2ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
be7fa8e90ffe5280af0361e2cc08d530

SHA1
64f35246f598c1387f22bd5c9c7d0f785e80dcc5

SHA256
6d6f2bd483b176acaa088ad2cf6369feb4f169c75a8f9bf1dbbafa7773edcc69

SHA512
a5c0f615712b09aa9b0b6124b9da2670b75c75c3e65132777a8271895f790d7bda111af5170e106e10fd9ae038891172d59c1f73837ebc485a1aa8bf3f72854a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b75b58d7fda70380005f60225862aa28

SHA1
0e9e138c9e17c582d636d9325f130fe8b5168b88

SHA256
e53f88e9f0fb91fa5aa9489fbc517c59cf62e2309ecf143c8d3c27c3a763210c

SHA512
9cd0a6cdd42083ddc6177ab9fc5a33d30e0d990756a8798a59e5641c6498c4cb4cc862004dc8bd6be095ccdbcf40dbbf64d99357967cb875315b57b89ecf7a7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2899f5cb2586f88fcc9700deeac34c62

SHA1
16aaa5f2a98d175c0139e34405768e6e048dba33

SHA256
6142774cd58a4d4bb236aced7d656b81656f9b2d0d7526d86405df3f1ccaf95c

SHA512
759b0d9924f1327e4d54f1078ff37c4aef464ac5f29c5bf200e1212e040d81982f47580c4ddafef968f06c226f4a997f3224956e41c2ae1f7f77dcc367bc53e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5e68ce354a6b31d062f41853ad876175

SHA1
811a9311dc55ad0fe375ac9f0b4b8a3510a1ab9a

SHA256
6150eb4ced6815f2f75d7744ee0c605ac693b48d3cc9b2e72dfbac4fc58647b5

SHA512
ed1999d7c379564da9b839569bd6759363bda2e8733052b6fde535d63c70d33d7e8210a99de718faa7bc41278fff9d446e0603728ef2f1724ea77e76beee4ac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
00444c8cc4170421ebe30cffb09d5720

SHA1
dbc55180be30e1fd7be7ff311d859dcde481b111

SHA256
7903eef5d19707d29506abe20f52e73334519620c031a7b9d06c068ae1383671

SHA512
e72255a11450f6d34f374c0a6fea437e12100901585f3bbd70a1e2f4ae69e7c611a6faf87a690ac746cf8c0c204fcd6f57e4e3c2ed80f9ff99698978c19114b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5efda34a3a739a83f978456b6d4b77bd

SHA1
45b812221384e0845b46b3f040f77e09507d4735

SHA256
3877a5ca7e4c5131a3dcf3a7de356a8bed1ee6f88a70b1c1c3dbe267d10359c1

SHA512
10d506bf0d376d62cbfe6d0e1b1e55df06606cb6e71b7be705152fe73cc024ffbcefc17b553650c8d12aa9270df2570d911308f6361935c7369882919d617f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f1b42730c40d8916c7379e7d49dda81f

SHA1
d742410b494ffe97d8cfce3b49ec4d9b8142304a

SHA256
210a998e59ad0326e8bb798f901b27e4d63066f6b57f4e53cd1c436aa326e6c1

SHA512
b77cb2cb9b3391bea8937da04f8a8e266917f08a49596bd8cc07cbf321f89ca2293e3fc82df6590021ab4937de80550a07f274d096a845c24ef3cb1a1436bf8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
56d2ba3e34fef4061ae5611a33b11458

SHA1
ed5e3a196282db95b4ab2286d960b6dea864f5cf

SHA256
3c94f3e2f798033284935c965a56a4d5a8a40e712a25cea59f7ff6fbee081597

SHA512
c66074daf2874c480863c116d4a949f6c5ed9c00895d10f9c40e211f65840a76d40cbd9e8508c521408046e0917f7e39bde4ec7ca43c5977f3d74f9cc1cce4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
106257fbee8f2946dee0873c0d570877

SHA1
f856490bde853af80544d9d77e82ca83b6fec1f7

SHA256
0567585ecb9bb51d9dd7f5045d8ec90596929da3e8782e64542e5108521ba71f

SHA512
da6108039fab96238eeb8f268842bef55b2c4ffbc83c7d186aa8ad1fe52dff8fed4a94c5de481397e12ffe8c4aefb960bba9fb0516be907fbae823a4f932a266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a988e88fef624bd88176105056525320

SHA1
2129525ae41173d340efdf19ef6d8f41c7e4a5e1

SHA256
e9b64a7e79d2bceb92638754b47c18a47fa2e1c6b82918a41113e45834189b4e

SHA512
a40173ca85e1e36d022a80f4743ade82870ac540e6169a02ab5b88b1f14b6c161e13b08f414dab327441275db208ae81f8db1427131da232aa655f1890895d06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
83d7c8ce1c18649701f9c4369afa2cd7

SHA1
a3785fd7d7df3a85ec21bdb2566033b5dbb43138

SHA256
b045113f2198af5e25da32f4c643fece05f4bbad7bb7c5b63c80258c7e3eceb3

SHA512
672ed4eae011d19a71c70a8014c3302abbe201ed720e81e5f91bb9afd1d4c18d1c2ec3a6244f8dfee4edc304db0caf6d54e1c99401d11fc511d050e0596f982a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9973e72415addaf61757be3d3270c9db

SHA1
7ac82f5301e827e0c43f805675099aabb01382da

SHA256
9869b5a9c356e6c9c69591c2eae7bf00419dfc2680f5932b1c1e23cc498828e7

SHA512
65e2a46deffe7dfc91a12e7cd4f5917dbebc485d66b1d81ca3b87cbdcd8997056beaaee17511b459e6ec8727d862e69c7abcc5f0ac5e692940bfbdc98baf2aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
551057812e81e009ffe00e6ae092bbc2

SHA1
de8e8ca493fda53df359d408b795cf98c506b59d

SHA256
cd76039f830b52956d409857409d28764d7cbc979fc9e39d7d56695f27a936f9

SHA512
b16c2b031ea4b8ed3b307975cd9c0569f0cf43d3f5d8b4c66286815991e688e6cc72cb5d34aea3df85ab6907504b5b76c538aa1d7fc55c9269aa1999df6005f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
07ad4ec63cb605e7c3f845bde50bf2f4

SHA1
a1e76e6e99899e5047a9f9594c0fc7b8fbc7b5cf

SHA256
87ec25909e65810b4ffc66bcc1befbf670e7de27fb37761b0cd42e78e50f1a49

SHA512
4740123d239d4d4253e25f38f245dba62ce6477b8a09919a110f3edc71b88c6007243633d3eee77eab638ce625527fbdd76cdcbefa6d7904ef62cb21b0b330bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b0cc1153ec0dad4b41a3b4d748ca2fb0

SHA1
5bfc9fae5a7bad0e242c1c811b470e4cddbdbb0f

SHA256
9918b250fe2b413d4a804f323c29fc2e327f4695a0082cd287a5b26e842fb00a

SHA512
f7619be29dae5bbc6f5f1799a0bda06b408e7464836c2e4b0e8558d776e920126ff6786b8bf5701c703d30ca7e2bc1cc7fec80943238160f41c60552b7159aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab827C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8877.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit