8744ee87d793fcc65f93fc7d0cd65f9e04388850d15ba5f2a02682b35ceb8678

Analysis

max time kernel
121s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upload/app/configs/index.html
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c01dadb1f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430396581"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000491d8baf64d86de9b9b7cd640eef5041991629aace0b132cbfcde045791f86fc000000000e80000000020000200000005a62469042b293949e2eac814e2573aadbfca86e31893d075fce3065d989cc8c9000000014c4068b7c153f22648a2ca3731dedc8d11aa44343f674e96aa6bbd8290084e49b1bd4eb8b66dd2c1be26413938680506966e848ceb8cde354ba99975bc0dfb5c65715f4a5527c035b31b276c96ff747530a5860430a2d06f9a9252295de2a499fc19a9110a86efc54c0987f54220da8a01235f5ad9152c19283d771037ed5e5f5be255f7afc2fc8f4fce6e29f52cd9f400000003742094d1670aac98876d53b8592e5cc1a6afb3a38ace47c6b3a2911ec81fce5c21b23bf9d98f5dec38f557a42994b259f95d00695145e49e0de8e3232a84140	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000220e1db2212e0fd20751d209eb16c2f121a2dab690f0a8f0903280059783ff5d000000000e8000000002000020000000f62b00fad92e927ba50159a571662f22a5de73af8cdeed662a3c64f367f43b7f200000005a98cce666118de7059196baa362dae89c3e7d8494fc159f2069ec9116ec516d40000000a470b0e5a67be7c1fa496f7784be47b7728bd3bf422fcc5745978bf98bab89baeee82e3532be1890c0a3e2a0755d80e49746ff5d0e9d2bd0c4bdf12f654f7e51	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8A388B1-5FA4-11EF-BEDD-4E66A3E0FBF8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

536 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

536 iexplore.exe
536 iexplore.exe
2728 IEXPLORE.EXE
2728 IEXPLORE.EXE
2728 IEXPLORE.EXE
2728 IEXPLORE.EXE

pid	process
536	iexplore.exe

pid	process
536	iexplore.exe
536	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 536 wrote to memory of 2728	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 2728	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 2728	536	iexplore.exe	IEXPLORE.EXE
PID 536 wrote to memory of 2728	536	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\upload\app\configs\index.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
24461c52e549558625b425b75e02e1f4

SHA1
772ed8593a7ed815e323afaa881d4dd3a824e3fd

SHA256
53769ed1779f70fe3558a9b26637fa0a37ca9a05771d55e14ac6d5ceb10e330f

SHA512
567f9f48a01157059727b4f22f563d784173e5aee2c2f66b34ef091c8805232472f17d1983c8b30087ff18498cfa59777f32d294a88d21e3e0d5ca6326397137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c202673a8eb925ded28d3ce3ee39684b

SHA1
772c72dee83d00b96d649f574836ca5038a84041

SHA256
771453ad939763345a33953e26bc9eb3461fb4afb949a5a16db369a9eec3e495

SHA512
7315e54e50e122ab31f4da08e495d6b4129c339a159fd3fe3498b26fef2459696d8b1e46c062d6be10b6a66381e5700c280c2be89f4637d2d298b4de674c927c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
68ccca1b466bb030245e984c65d8faa8

SHA1
7a529444b6f1c3f4547b3e60ed7942c9c974d881

SHA256
678856d0410b8c7fe92538883902a4503eae6afd3ee7ee550d0e8f633e5bc088

SHA512
f66ca918719385371d64ab1a3d9737ddb20b70a0a6db0afd93179536c8ee90493488e78f1afc486484b2f6c50c67ec3acaf986561cca4e8f781027255e57e517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c9b33a78f35000d6e05dadfab4d7e3f1

SHA1
5ebb7cb4f52a2aff2b53d4b2573e654f435abdd9

SHA256
5c112f23f2bec0d202189720ea4eddfe142a26c2d5eb1848c679b74bb712a253

SHA512
fbe5d3da3813d709e4b670b341707f4cbadd0a0fc136957addfdbf53252e78edef03207b9149c572899c10a789fc13cee4fafa1ff948abada84297f3276108a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c9b3b29318859ad0afebadd7106a0328

SHA1
6cd28d942344244e0fc06598fea98505e11fc70e

SHA256
61b1f1303ad42e90d47086f1b7715eb16a819a089e66f626f832f5446b0c2b17

SHA512
609793dc9f7c74b83f9a33f6d652cfed82a80a91290e83af891b59432c6b563523c88ede317d97bae0f48bdcdcc69f60b6ddf760d59a7d1de40bbaea693c83dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1ce916543b613b681ba3091a17f7158e

SHA1
50b06bc0a9c137152c9fe501f93376ad289fcb7a

SHA256
0a11e68883b92a35635ef4f3987114d9ec64035d33aeb5a7238d237ad528c4a7

SHA512
d2cf3d56952f74ad354684616de9b974d6493c5395f7cbe6725e7fc8a25f3b9aaaeec0280d8144fabae020478a767e3010d18ca569029b6ab67f537e977cf48e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e14b2817fbc8bb2a61c2d18dfa767a8e

SHA1
5b3819aa95ff5c286aed452ec3803253fbfa0c23

SHA256
0a0c781aaf8cb42435f2766dd2f3e116cd7f084f789fff219c2d87656e7f8db7

SHA512
520b3c13492590ebc21aaa176966822ed74f001242c776ea928487b6f25cdfff8ec32ef6e519719246bcb0687377b24f6a6795a0a81eb7736de2092c2d7464e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c019b06e6ee6a4683832cdeebd09c15

SHA1
945dcb3572ecf79bc5edb51465d727b9588f0959

SHA256
298650d24adfb07d642428775ec47e31c7885b798fb50568ca76d5c776aa1f19

SHA512
0fb287564fda854d9cbbd5583d7affeaf5b44dc04ad82961829f9a64a925842221f63d0bd4d15ecf3a30051b6e2f5728cb79a38adb00db20c494d428e367acd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2a367ef058d11c61b3119bf641568421

SHA1
ee444c68a3a879898dd5d0dabae60883dac8704b

SHA256
0831a48596df90e27cad76c9a76024bab8122aa3be78879603f5b4c4a0761d9a

SHA512
164fbd168d885921463eb54b1d01d6744523727c89ad07b124196a095722f2a56d256f7301033c169ebbd677520ffef3c7c364374d0d40dc6ac7cd292fd4760d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
82036633915effff2bd491a59b1e03d3

SHA1
522d248c163ab2485cf5512c7549dd057603aa28

SHA256
1ac95df794ba7d29ac5a5cf1bfe7228371df5e83054f2051888e51ca5904fbc4

SHA512
4a22baedc430d5223a98091da7bbb7b890441d67bb1e7bcf79f081bad182ddb6f97e47f98613d6508bf266a4d41224759eb23886afc91dc6b4657c55aea4950e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1580e3042c29c706b7c47f607e1b2caf

SHA1
297cbd33a74164c56418421ff63d1d96ee1f1c4d

SHA256
2739dd711b3fd9be53b74f2d60e4d1c57981bfcfd76f522c785774e8e9b75f8e

SHA512
66d21d03579dc9a943c5a1abf7e4774e3b13dfdc542981973acdf312f1019df551bce3d460e053a232fff0141392c85bfe4262e80a7a25e86c285c26894d4c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f37b685751e78f74ea82232f15dd7980

SHA1
5989a8370c793aae981e197001c80d2008d525d1

SHA256
093a448bf1ef6d9469f0e0c34813eba9106572bba80713901d4d9101776d94f8

SHA512
c8ed8c9a4262a65e29cedb55b8b96b28942287b135091efb6aa8470fa59d663ccb835a3dfcd8cee419af3740e04b8037e0126b61ca3ded5a114a0137ddcddc3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
34ba8ca5b1e9d6aedf5b5d0a9e11ef47

SHA1
b34085ce767d92bdb4d948a080a26cbcb5df221d

SHA256
1ba5a83d834f1ede04fcc775a6d9ba230e2c196ec0d8a8a839fa79f520d03b65

SHA512
5ab931aa5e732839e97f31248e7e7fe939307d8335da7923a363f88759a0ab22d4ee1612789e32b73edf84965db38f78ec7c03760328a9188ea0f9759a394e31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
64d989cf1870ed0582a3f994f8574957

SHA1
33373faee7150957fbe8b6204e249310fac2c82e

SHA256
54cf55edaba7a02475f79ead252ae209aa680599389198d8dfe3f9f004047fe7

SHA512
494eac1a59701c653cb1507a5ecff78896fe8d93c189a43dc7f24a69aeecfc92baa68ddd555a276a5f39f13d4e225873140811cea099ee5bbc09e9fcd525435f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
08def67991658b9bb9d21cfac13cf41b

SHA1
0391bdf4d5309cb9c0abb5fe95f5ce4e61d34cf0

SHA256
c8176f73e99453bdc7457764fa5e4ceeaa6dc2687f95f7486df1035b58cab9e6

SHA512
a5079b872776fc4ee34274e994472439f42d2dbc12b60640f93b35737b872ec6ee2795003edbead765f0b10f50b025a4870198c5a9b4fc6c4832548ed926889e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab16ED.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar179C.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit