3f8455fca4a5d4c59faf94f1bf44c08a561cb67b11f280c9e7785a22ecc42cb2

Analysis

max time kernel
134s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_14326_/Help/help14.html
Size

2KB
MD5

db0163b89d0ccbe66a1fc2669b26f4fa
SHA1

cee803936dc5c76065caf6e328f62c91ac4a36ad
SHA256

9bd10188d6a6ceee64e63bc626890ec420cfd83a1d065043fdc474f2a95853b6
SHA512

7447624d1fae413ac5207f5f6426737fdf090645653e9183ddf595377416d08abec9092ef398bbec9a14d740701690eaa14e0cf4a3756c826c62d90b3f19171b

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908caa36c3f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000052025e13f03a694446281981af9ce5710b07599b141347204a24b3dbeef4b922000000000e8000000002000020000000a020916274a7c5a063d45e2e399c8886022cbef58dfd022cbe3aa2d4fd58d47b900000005bd9357ff42d18c55d7ba51d510439724eea79d0e9e74ec488e5c9e76957ca56d6361f3f434edd1916c97d0a74c935bbcd45d6a7610d4f6fd1937d7b4611e5ea3675741869bbf96a03a993e2a28416edf5739bb15679346f08ba33b61b44e0f075fb88d39ff4c9c98d1e232980206185987ed87805378b10c65e24e37135f17a8de7aec6dbdbfb7bbee6417d46bdd21240000000deea6b0929773fa80f24636a85ee10f64df12ee9789dcf6eff24e957f6804e16177428be83bf0be07b2b47bca6bbead79a532eb526c8110e3f8d61e3a1dd627c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430404109"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000f48575e5d703966479133c25e092717e0752fc654bd497d5e3215f02d1596d90000000000e80000000020000200000004e6f6227b0178871b562684b602285b0c19f8a228a1f726e53684524ca08f84620000000a5fc5fcb882ad0310cfc20caa0ceee885ea95f0a45dfa9a1372f4b3c9593571f4000000057cd352c5922fb2669a93a9419744267b653f619c345da7a566784e0cc5c439d7a420de482d048b3c5666508c3052fc7c43aa5cc81b363fc618ec53b1187790f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62379881-5FB6-11EF-9D33-D6FE44FD4752} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2364	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2364	iexplore.exe
2364	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2764	2364	iexplore.exe	30
PID 2364 wrote to memory of 2764	2364	iexplore.exe	30
PID 2364 wrote to memory of 2764	2364	iexplore.exe	30
PID 2364 wrote to memory of 2764	2364	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_14326_\Help\help14.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d0b08574baa55f4d77a2a0a39743dd6

SHA1
3d5f4912f7ee3c21af9dbcbb5614f4cc38a4f468

SHA256
c5a9e0ded24ba987d2d8b687d4b69abe5de3b9e969011157d91e2d35364b7e54

SHA512
7233e5d7ec66d75cba8f40cec342c259a5ac783e2b29d559a21db55009c919b9f708dd1943a672977ac1ca557f506fa149aaa7bf1173db208f0477f4cea9a42b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43881f184bc5f73e078cc508953146e8

SHA1
1779b9a0277cc1b0bfafb9531985b482670be34b

SHA256
85b9e672e91c9deaaa7bf64cc65c2ddb4eb8ae70d902281b93999b768aa97c5c

SHA512
60fc5dc0df5d236eda6994eabca112dfdcb4084185fc91f7f7a82691efb1f41754a24c8ce04589549541811070b06021faea662fc8d29ff818532cbd0ef48dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e449e7657572a122b7ee2939a9c3962

SHA1
a1198e86fdebeb09c04effa5e01c1554c1486ed7

SHA256
c1ca5555360a903adb5a7a2ead5467e2def5112c4b5f611d36f516aadf567004

SHA512
dffa535601417fd2f6c2c813f2291c38334a48cbb87cd354ce299ee9c71710850eb31628adc7dbe4907584362917241c70584a57d46333a3fb8aa89d09a9d5a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca3adadb6d028e3cd11264f9d2f85e0

SHA1
32fe6a2f91aa4ce36da375ae6e981b1618bd1703

SHA256
7ef0d44f0c0d5e7e7cb00fad82ca643afe608cebc64a439cd0e4f5b0faafeb1e

SHA512
a8aea2c3de4385e0569bfff615b8fc02def61f2919dfdc7c53dded9695cc50480dbdcbc86636718440d935dd81200ffb87f3f16a28af967b9c4415d2f83803c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4824580017ac4e875e14eda5c14a72d7

SHA1
47113e60bf1be051d8bc5492370cc3d4b254fbf5

SHA256
35a76f2b792e75fc5de070e23f438ddbdea20b6facf7dd2fb12115847fc0ac15

SHA512
02b0b2a79008430380d2d14b92948379d54bb1e77892ec10546c5136da0a9d91e044f0dd04d671873fc7b1faa1cf33631d4298707de39d2d36f0beca7e30b73a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b656ba3cb22cd5de1faf4bead63c15b

SHA1
8b807116ea4b39810bb871fc20804be40d285cbd

SHA256
0e9b2b720f08e47a19156641224a019727967a183ca229846fd0ce3832b5b444

SHA512
20b0de7d65e7c5343c4c8acccf50db8d5a3604f26661ee66918521963995f045163bc846c243fe296adc056017420eb555d102701b208adef4a125cf4eb982d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38d2de3c3b9696857281a7c0da70a811

SHA1
84633e233989843e6723f9af72ee4f9e707d71ca

SHA256
aa6e2466a8c291325755c69119476d968da68b6c8b9b857ce0ad8393131ebc1e

SHA512
7578a6231fca30d9a70af9236ea91a52399a54e097d0cfb34dbda789bd39b964cab778a0a56c3d186589b154c093454c5df7406d18ee60763e215f9601790909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
651328c3fdbff1d418096aac93b4d14e

SHA1
a54f271af6c0cd7ace2717a09d585997e159c9bc

SHA256
06c77c9ea2a46745fb3d03d00635dd6df1e6910b502c3af70b8f091bde2c2b5f

SHA512
341fb7df825a22821e45da0687de7d554d1efe21499cfb7cb102110d2df60e48432adbf111c3d26148da76d742c238a66c6aa284320b348d7bc64359b0d8c670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc7c42545b9c6ff4b97dade3efeb4096

SHA1
3e6d82a305489d733d950e3ce57ef0c1469e0665

SHA256
8fa69dd0b9ae22ad11fd1051066144fc28b7373c85d49c67aa48f222611de46a

SHA512
322a3812fa3af4ee3bf5ebd327cab1c69f3985610993cbdade26c019b32a17a05ce81f78e5d903dca137c13130c4cda72c1c48fea57f4ad080e1d4ac6e42499e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af9c0e29025e36e8a579e9df0434360e

SHA1
f4d6012e813daf5cafa717768ae00ff84b0f9956

SHA256
a8c31403bdc64c51796b30db5b81e916303f53879fac6aa540ac7b9d8c843cbb

SHA512
993d6f2e5454b45c7aaf9fae48ac5aa3714035b3cd16af6aaa383eeadd126d67c5237fef1101cd281b52cde81353320dbcd6002e0c0ce4e3c2ddeed0c00e792b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49cc68b6f604bec30e5549d3dc884d7c

SHA1
914d75afdc0e09c95035db92b22d51853cc3c662

SHA256
fe09f9aa3a9e6bee640042b8b934249e61c11d7b68cdbd3bd95289865d1909c5

SHA512
997969a13ec64cbbb886423aa65b5e41a93f15a7791f05bc27cd94817c2331ce278c3c6e1fdf659359301f032ca67b505c7c4f420fe3cda52331392ce10b1431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8bbda1330cfeb2500e6c4697e53fdc8

SHA1
26cd2548f027b90fdd22fbd3b0beccba2d4b0764

SHA256
dd3b078f9e2f7b88738dae84a19912d221bf762f5b23f6752498b9c538daceca

SHA512
8e6c3473f4e5f037fb4c1585fb318008559d4b401fba66cae487a35a3438438b503e58057cfa6e9311fb0a21c773304ed6ca995845d42eeafc4f71cbf5237468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
973e0a505fc780aabe84ffe7a1712df7

SHA1
9d4ceee64efefeeabbea0ac036d38bef9c4e13d3

SHA256
5cf9c98a92e3f3813b804e9d865d5db6215dbb8768fb8e9c7d91d4c310ab300f

SHA512
284847518f0f34fd2c724b6357116bdc03db2713354a0f22899aec78e2bb4980e10dad2098a74ba0149d837b06f3684c18bfd97ce3fe312bb95b08cf81695140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bd7828acc316f7b3896461c964a3130

SHA1
b1b420a0e50d79f93cebc295197e6e2fb961c6c6

SHA256
94a4fa83be5ccc8b9d2005aa1fe93fa82436205434e376972bfb8e699517f813

SHA512
c03942252d61eb5c88164c0db16ac758936b7fc2a695e45c13cf5a2d18ee9d46c4b89293b9e2c53cf1899b2a9ded07cda29bbf4d0654e28949ab178d6446f773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8487bbadb782dba9e640306689bb049

SHA1
2c078de203712d5242694fdfd9a511d24b932957

SHA256
fec04fb466105193f824b8eb18abc727603d81a17cd61c61e227e0e943ffb7e3

SHA512
d128c3b0c764f2ff7bfac1eb4024a15144583da4972cada6f57ffc745e00a086e6ac8bbfdcf126aee80d899e6e8ea373d9f2e64a59f0ad56e8a04fd9ef8c43ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e213da63c457cf79ac79627e189bc20

SHA1
cd3a24726ab143ba1eee8f2ff0967f28ba884605

SHA256
02dcc79af6fd8f64737968160e2ab769dd2e0dfc8e9ce47862adfc82b447db9e

SHA512
9b1ab5ba7c2545e90f284436b17288cbfdbded410cb56580742123bd988ad62a814f3954fb7fcacd411b8c57f059c40a2014cce23ed3dc392b9023e4898fb717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f661029ba8f0d84952d52301778364

SHA1
2ed2ed6957b15e119d2add9c191f9e2c0aed567a

SHA256
83112fce40a8a2eb034d6625a77fc5ca6c08e03e73f554e751409e1261653264

SHA512
76cc5eec7be3460538ecc194a7f69636420a72efdc0736908da2a2dc9a9adada85b334905648269d7225ccc364ef45a829dff003f545c2decb5eb64bd768e66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7297.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit