3f8455fca4a5d4c59faf94f1bf44c08a561cb67b11f280c9e7785a22ecc42cb2

Analysis

max time kernel
138s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_14326_/Help/help4.html
Size

2KB
MD5

90b76b3f81ca273bdef239e48067d250
SHA1

df4b030c4258ed22692a7f8ab0441b9afd380145
SHA256

877ccab6efbdf9dfddfe898a634db005892eeed71a32401f023c6fe53e6b45d0
SHA512

49485e5a826991539379edc20bcad17fbd794e7108b9d690a4ac5f6f63c13200db7a467ce40657a34c0fa115542cb2004fcb8de7068612f2372151b5a7f4c05e

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{65C708A1-5FB6-11EF-AB71-E6140BA5C80C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430404117"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000000981782e5b745a5150ee0575f5c6721cacbdbca2f22c85b2d1464a679e68f986000000000e8000000002000020000000bc607afe84f25af1328674680ddafb3f1dc6d554b23b2684bc4c7859393b65d890000000cdaf3199b5453995d69e9c103ea713680df65321fec468386ff6a7eee0f5dae6c928f7bdfcdd7771625cfca896e8f844a9722bb03ad54b16f7c127d2e0a361fe49edcb44ca288344d9c8c3b083ac34c8d7678e5b31b64a652d07b13ac44b5f93e4fd8e5bf3545f5d2561d5a3dbc4c68208f64400ed168627f867152748a63754077f88a6dbb3462cdb35e79109e875ca40000000c09fa7730dda85446e534b82b1c1b85defb4ddcc08c816e91bfdf7058da39dbe1691fb1a409263bac7eacd875092734122819cf34aae930442f0b4bdc8bc35c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000000c8352cd1cae78d481a0824e26a81d7fc8392ce91afeddb6456bf7e4baeaa9c7000000000e80000000020000200000007bb8ce081cdf358e9ddfae33df3c5f04eaad8254426cb9ad5c94b0c29cef73c4200000005b91f97c7343980fa1a90a6559326294372a39b343f4ff4d85f87bf042b81acf400000004ef2c0d3c8e4e02f091371615986aa0dc74bc8408e5c898a2dda277ed8b98326870cbf9fe6af0fd94ecc8fee70dca91dd3a03b8ecda44765badf166f98404afb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80b6403bc3f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1412	iexplore.exe
1412	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2620	1412	iexplore.exe	31
PID 1412 wrote to memory of 2620	1412	iexplore.exe	31
PID 1412 wrote to memory of 2620	1412	iexplore.exe	31
PID 1412 wrote to memory of 2620	1412	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_14326_\Help\help4.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1412 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e8566a2016d27ace9310d6dbd1de7d5

SHA1
bb8728238df7a2e0e6c6cbfe35ead23495ddf0b1

SHA256
f241871670a8d21b14ffb462bb273772ac656d342b1280888366dd3786f31200

SHA512
1c2e6fe19cdb613111cd67a38edf9d8ce612a1a3871fd501b58b9cd18a7ff1951fd048b217f268d3f4782dbcc6af9c4034dfa0f082248ca1979c7afe7fa5e7c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69a2d51c1504caedfd27d166e74dcf80

SHA1
80292f1ccaf9c3c397aebfc39f0254548419572d

SHA256
da944bad959bf49195feebbf0322cfc3632127f6062ddae06c51cb293c670493

SHA512
2b87494b8cb88fa7eca0efba42c80f49b8447fa601e8e2f0a0465ab361a2bae631a488450df5a23d3c1d82334ce30bb5ba757b34e32acb98556074f6e15a4da7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce1603e5f3042bcebf596c184e3002a4

SHA1
6092c7c31a64d5e583fd32024a7fdcebb9267060

SHA256
ccb3a6f8a7b53b078a27f90f04301fa80848206b544f1789b9d4cdcffb4c3130

SHA512
e22f311a8717dd356f32c8ec7b7ce6d3b0ab31d57f4fcd9815040965f5b3216b4643e0dc4286b7c1e47906e0ab0fa26ca9d990bc8ea207ac0dd3f4433679232b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cd8bd1c68636b4968e1fe103393b4ef

SHA1
f151358567e7bf6b43336af3c6d82a87fb1b5631

SHA256
71289533d531fa34009aded927286f96bd17aa4bc173d5c283f91a9e0223823d

SHA512
7a02d2d5fa538320067a249d928848def25b0175b6e1cb50b975df0c7084331593cffc04606a4a5e6183cd76efdec0834d1c0312d7ffe48992efdfebc3f2055c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8e968efbf082b8e189f57cdf4bbcec4

SHA1
c49f63250c9c31468c33154f70a5042f04e891b9

SHA256
730639959bc692b387815380b5c84c2cc62e24643b26982c5d96586e815e7a3d

SHA512
c36e07723c092484bd3e09562edeb7b6027f9dca1c2fbba144af890535c9cbd81e6708c67b23555405cfadcbfb71bad3d3e025ba19f0767fece2cbf78c28f14c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
612b8ada7d155d4712893993c387c09e

SHA1
c3cfeb122d6e2d1cbc848fe1a993777f6db7878c

SHA256
c86d9732067b15a0f2ba4b7f3bf54b6517d1310cad68ef36e42571911ad9e408

SHA512
d90a7b5513155e0d964181126725500295987bda01cd88a1035a45fe61191f5091d14a5d10bbf2bb8c02805439163af01b59e85c29259e95d52bb6061e626aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4b6cb09ebc9464d5a36d23c1f8e0f38

SHA1
b58ccc6b7b211431faa9fc395d49573bfff4ffa3

SHA256
9623a46782c4a119093aab50fbb601dc775d3c79a3c53fe9493c855bd8c0dc78

SHA512
9a75791fb1776a8f7595d4aa4a8db75b735e8b5498557dc03a92e9ca7c632982e44f118e98cfacaf3f56c46613834ad8f5a68dc01e06153488f2cf085e41049f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c00f0a6258eebe893d8f89e4130ed79a

SHA1
567f723971786b1f832b2dacee11d858a6de5eca

SHA256
e95f31def984ffebf7a74deba2c897562700f1cc2e64f5623ec5603c072c72aa

SHA512
e4644bcaee6d1b0c3cd7633fe9a670c195b69cada261503e9d5294e71f0ccdf7f10224fe1964fe121d4ebb7cffa684b9bec9cf42bb7731f601c6fbab268c1499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17974cc8a81067a48f1217a77b9b6786

SHA1
b3345507622f6933409c0837b3811a2128e01033

SHA256
48a26b8747283dbbd56100c5fd0362a2489311bec3d58c77e2faf0eee91830aa

SHA512
fccbbd16ff90310d5bfcf39f501cb76ed5ab5e5a4509e33e540cbcf839011d03166e2242eecaef2a209f04aa0f7ebfd68ce23008211081b453f3bf7b74c45b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92e06e7faaeadcecdef2499a9f829203

SHA1
ff14d9228f23ca88186bbd53bdb0860d80180428

SHA256
555c14e5b352cf6c3a6dad97e307cf145e7339e24d1edbf82de78c128f7bc667

SHA512
bde63d5245219834008c837f9296c4ac17eb3f587f34283a75372a239c160c5827900ff57e583ecc01a739277b45a1dc0910fa7291b39a83176b2ba8e321a15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c018bd273f34e90fba717c4ac7117823

SHA1
3513f3d22b372db2195da7a2dd80a60e36fd9b06

SHA256
3b267ff3b03ce6be443e82840e61e68dd94d2bcdc8865fb7d4374a6aca922d23

SHA512
28c0c865cc28ac35658fe214df9c78a8105fbc67b0b73b5b62db4a427aaafee6e1a356012461dda6eb80ef2b047c5f712d0e11dd5a8f2d8ef373573382b25101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48824778175eefacaee6b5bbd09029eb

SHA1
c7be61f9090344e9a5c02f964bc5953b2dc2e3e4

SHA256
e88101bd3c45d5806fb6580ac09edca64a419cb1a9eea6fb74ac0f7b06fc226a

SHA512
b52fc28976a30cf375a93e18ea463ac2b13dfe86113d43c52e7027f5c28afef503bca13cebb6d3602a97dd82b84f0346874df1b02bbe5c911982f543bb7a786d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8f86a6e21eeb4fdb0543d48e8557bcf

SHA1
e044df681e7bcf2b667029fd52253ae90f931cb6

SHA256
5663f4394f41faa33943c2ecaefafaa8c2182f79912f01c6577150911c079dee

SHA512
94d6e6ac75e377f7df79923d1c9540b601699f13bffe902512ef6be94e8bf0b9d7dab618123f0694d9ede4ae0921780320a3167d2e38dcaea0ebf3d6eef20745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
232a2116911bc83a9bd04a65731cb94d

SHA1
6deac82f2712fbd855a33a26824f1c7b8780c466

SHA256
26da8380e4eb62082e4d1cc2d208b3ee0b14586ef99e828c39d2b4f4b6e869fe

SHA512
9e34b52c132d63d0889b5ab0224e833a7ebc8db8bbfd966016b510d05c3b56455caa607d8069f677d3b2b66eeadce9e54490e75d5156ade13e5b91ff224f6f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f48c346a7fc74bd00fdc2f43b03cdef3

SHA1
f8258d12a906f2d3239ee8c85aa9233532d24daa

SHA256
f539c0f133b01ddd01a0e81ad7651538334e0d5098694c27520ab7741976128f

SHA512
07d6022c6e05ce5a56769eb91dfceb211b1400ae084970db68e51059595ed01602ff708f2ba4e669cf1de801932a90b1355a9c561eeee2646cff3791e48abeab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51f57586952a93515f04df595e9d3736

SHA1
d8a9abbdab9cc3a6f2aebe84c45b45b6e82e1204

SHA256
2305fb593eaec484381a1ed5c6351f150a4365692b337c9b5293077782664c8a

SHA512
ab80a7c2fada19d347125b177b95249b0d097455b01d039360349e076ae8b910ff08ba871e7d22c9343b6dfe1bb13fe1afac62bb8c7380185f641b8f21420ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cea4140db3ed489a945684d8969fb6c2

SHA1
8ad93bb1eb8c9df793af4b934193d0d7a1ca0589

SHA256
dd33bc8177564b2be9c297a156627238f82ece6a0a4ab6a0496c40abcd0133ff

SHA512
a68cbc9b7a754ce5a7356c78d91e2377fd6b5c83910bbf027dad190719312bb74a712b46e83a0219cb1cb5354fa92bbd0caecb6687be5751955280b749ecbe84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2CBD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F7F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit