8744ee87d793fcc65f93fc7d0cd65f9e04388850d15ba5f2a02682b35ceb8678

Analysis

max time kernel
135s
max time network
132s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upload/app/index.html
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb000000000002000000000010660000000100002000000070c9da491f1e1a28afc1bdcae4d47fd3326aeceaaf2234f08dfb40d8b182b254000000000e8000000002000020000000a259a7532332475e4fcaefb09956dadbb6ad79d603de43770ad2ad6bbc01fca92000000081bcb4528742dc62549f6bfad2a914e34d429eb8bbc91ca247e1897744b90c7c400000008934f1be0f0cf6d776f4b795669d6181b281e0d0c2a4c6cde195f711eea015bb1df40034db3f0d3ea0ff6e22c12f4f49f6dd5640fcf29d1b8c19bd8d2376650e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430396573"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D620B631-5FA4-11EF-B6DB-72E825B5BD5B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408d83aab1f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000c9a4ffc8eeff0849431cecd5eb4b18ad461c3e4aee3764db9c1cc7eb7b0250e9000000000e80000000020000200000006008ded625723dc0c7da35b2f647e2f7c3b189fa3fc692711fb44a6117f96a2c9000000064b44ada03b5c6f61acf32e8207e37f133f909ed318b0a8d9ef717c419adffca1cf4ff0527fcda8db988d5826452cf0aeecc4615401cd1c6f176bba23696548caa0bb7f883eeeb9b2502a4af34ab00477396fd32e68b21d815178b3f39b5fd2884d42d427962853eb92461f00d0d562698563ea12df5199f31b7ff1cd286917b9c28ed7706b444d922c7df52b631279e40000000b2a22fb3db8e98b8719c77569d6177c6255780033194d682655c21d8f15fe201ffddc63276b487ef9fdd7556a00f06e0526901b29e01a6e41bc1fe6008e677d0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1040 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1040 iexplore.exe
1040 iexplore.exe
2132 IEXPLORE.EXE
2132 IEXPLORE.EXE
2132 IEXPLORE.EXE
2132 IEXPLORE.EXE

pid	process
1040	iexplore.exe

pid	process
1040	iexplore.exe
1040	iexplore.exe
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1040 wrote to memory of 2132	1040	iexplore.exe	IEXPLORE.EXE
PID 1040 wrote to memory of 2132	1040	iexplore.exe	IEXPLORE.EXE
PID 1040 wrote to memory of 2132	1040	iexplore.exe	IEXPLORE.EXE
PID 1040 wrote to memory of 2132	1040	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\upload\app\index.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:275457 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6573062626a6cda4543b1126a38d4a67

SHA1
3e55bdee958fa4a20c16d2d050e6a40975df267b

SHA256
1afca15a533a27a6c2d8a2f19b91b3806a9299a83b376da30d26ce7ced9f8097

SHA512
243bdcefb74b7a7fe4f722871f7e71325685c25e829a58b54840cfba45d9f98f6be63985148208b929f2decddc50616f95269290c229b4136f4a06c299be1845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
38cbcd3beac585fff9fd2446fe828c41

SHA1
0b77d5eb7b0920c65daacb257774dbe5950160c1

SHA256
15e17460ab98fba384ea114c1f9489af3725012d7a12b9dd757c249c8c785811

SHA512
2a3e320f49f84da41ab5219e0981dbdd3484a11d5886fd5c5cbbeba3844f24ed37fcde2cec6298b0bd7d66e740643a797b1417b92bd42a201bad634f1b8bdf99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6d63747c5b0d316e75c40748c96a4a6b

SHA1
25088800c31908491d730e3b2cb2ff954239f3b0

SHA256
ad4872bca6b6ac463803fe3e5b418e8a14f17dcdaffe42b387570b9f70dfbaa4

SHA512
9dd89e2c2f27b2ffda56fd7534bf1ba81df4de507e86bc1aaf413ef6d9b6c99fd04106d26b83fbe7c5158c6c7abc91d5a2dc3c0c84c3e4aeafad1585cc98aa70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1ae5199fde0eed58b9c1888705b0c771

SHA1
37066c7e30ef1089c02f8b52f3f80fb468d3ed6e

SHA256
ac745c29af6dd39d5d853fccfea10439933d9436039c87d294821e4a371a98c1

SHA512
0b69d4f0c5fb69ea9eedea3209babf9997d89d6e07f2cfa95679badbbece31c628af28aa0ec42526333c16d0772522172dfeda20a9e714018075698e98bfc8ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e485fc32615262448a31b988685b82b0

SHA1
5c3dd262e630200488fd339892e5f53e181c8f33

SHA256
43a8de5641c56fbdc315528394e4d413deff230515f4a422a55a73886712a264

SHA512
4443f59f19ed7ed267e13f8fd79b587d349305963b90ef94822206e88649e8f0f7b1f991cc5cf9e3f178b667104fa13d7c96938ec3874488054f9d9439269499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8bb6626d245f7ac28f72d6782b82ad41

SHA1
bf2a59e26a3e1a3070e650cc1942773d7084c3a4

SHA256
8e58aa468d387a8c03c9a7c211b5a4b810f3cf589c52cda3c25415a8e7f7a486

SHA512
ca997f652e331ca9a2381dd034501fbc0c39eb6a4b4afe19c2652cec4ecc5def428153430ee1208f97cd6d985701a63897bda745e6708fcb4dda9baceae16562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
677dc0f44e75ba5e68350d0184b4d76c

SHA1
7bb94a36348e9a37a74482c1445586187aaea393

SHA256
59ad95c340c4b0ad5982e0c6ec5bf04f4557ee00aec304c7b6bf99ea8cd9781c

SHA512
0a7813eb2256233a7befcb988bd08b8f93a323ad2002030051a12c35f6039e0856c698df5b2e4afd72ca11e9403192c41f6013571686782e347747918de90b08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0db7b29f2a38dc6f2486e634d8f2d4f0

SHA1
aaa55da06b39f19b660547fdb0c8dfc3890e75f6

SHA256
d7e6f319de19ac51413c621ece342f0fdbb671ca8d3b42480c60417999b55ed5

SHA512
2893e167123a2524548d21d2bf5fceadc50c2c05f5ec721ab8c1c78120746f8787652ac132c811f17ffd09f44cc2e0c078fe88196c35b319b68edd3db2530fba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
59bdcec53890ad2f335b083d6ccc3397

SHA1
0ae68851d5d8a9a16ecab053eb24222b5473877c

SHA256
79f7b93a166deb94deaac4ca838e65e2a228e99df0257c18d8ebbd4bc8632a01

SHA512
6a4c74132bed4a02a8e06394043b0926adc9917438f63ecb38223ecd7f0048b623b6f1aff6021825583b72d366d3d5ed383ebf19e1925430fc8bcceecd6b2373

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
04c786d0db5edd9cfb0b8f70753e0caf

SHA1
984ffa9fdee28944f83dc724d3cb5c48a15ae88a

SHA256
0c5b55ab00c7235b2aeac08ce376df1ab49a16caf4ad86d57ffd715506e3659d

SHA512
6d31e01df32233488f3d8175214dff51a4f0eccdfde05aae10e0b0aee1b26887ccf9fa7377847754882ce728f0d0eb850b0f45add8af5bdac0e8663063c775af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9f2b0ac1d9ecb86d5070df6fd2a12652

SHA1
44804b37ac08392aca16f0fb608dcae6c45f9eb8

SHA256
3a2ad8dd518d79a0dd3d36479aa859a5b4fc3afc94a38b6f71ddfdaa8595cd72

SHA512
b508cb090d922ef38db4609490e9ed1ccc280186718df110b1b998660407f6925191193705477fe6e2f121c30f31c09056a26c2b43d7fe7d234491ff31b89510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b887ce0f58502b28b58625a1a26b7829

SHA1
079d522afcef042708bfcb921e6fb8d7d53de1a0

SHA256
7dbd7cd8e2caaa9219865f17b1bba21caf03bc4bb555cd95641a492d3f741635

SHA512
f93edab21884147c556b74d9c9edb4c60dacaf1fc49116487b25794439de6ac052442a4c725b83ed2a701faf7705df70ef1b5894ea31a78051a8d410deea346a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bed304a5ec23796e2f6b8ea72c35513e

SHA1
55af422d116f74ce516b38a2a69d16d07c5f4e3f

SHA256
3a494108928bb248a536acc1f957686c5c668204dae0a0abbfa3e339c50efc78

SHA512
d2510caa30ff025b3024791afd476694cfd424e93dc5deb0781e202a5938d87df684bedbfbb631b02185f855b59a600af45df86652636f5da6f2587941e91c1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b5e894ea0327f8c810b917e447a56fc

SHA1
247bde0cfe1c2dd7ebd54d4e7dc40f2cf538843c

SHA256
cc29d85ae58a33e10da11d0f44f5995b1200a6d8c25df2427cb93e039a326936

SHA512
28db09dc714a949c009603bf4d884288a1dec36d7146d4e9bbf84fb94a2b46cb402c1acc4a04fef9223c190a6d9b56f18c07f296bb8895fb1bd5a43ba2ad7280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
33cda4494e634f5a4136e7741f9d8e31

SHA1
eefdb8f0450bf1763b0433f4271a353fe92518ce

SHA256
556d5c2fb5548e9675b2cbd0c64a0a36b648c7f02dea993078579312518b036c

SHA512
580194f13f8dda1b6cb868397fd7d1fdd46590525fa7aa54b84991b434dac4825de39704090bd17178e63aed2345e957c67211db8e98a760f47aabfb1f5637b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b9bc4de2398cb30db714ec87aaa85442

SHA1
88fd762da2c6740fdb3ee1763ba1f6ce9aded355

SHA256
96fc55a3fbf4b73244b499c2a291d137eb0f3d8c084bfb38dce53d46d8c68fac

SHA512
7ab7b418f5e910038119d06715348b9a774fbcf2e58b6f6536b78fd68e19fa01048950057bd0cb2aa1eaaf5b2a19d9615f271d3220cb78907bd56d555d0962e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB925.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB9C4.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit