6f0a46301f101b70e32c2580cef04956765b269c68ab4b8bc515aaf39e4cd782

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

网络同居程序/admin_menu.html
Size

8KB
MD5

2791c2728b453b3a12fbe34b41f36d8b
SHA1

2e94d53277c513d213d4b1f32f3f5162737b27fb
SHA256

068144065d9d7dfc01de357398e21a645ebd9217d64ccb325373fdc3308f4017
SHA512

2c17f794a4d1fd9d9135ae50c70d9b9b35002294d4534d23870c5bda0620cbe59789fbf2e41ddd876e6c2e60be62fa9e5bf3e140410a8f15c0833059cdf6a56f
SSDEEP

192:5R/15DXe2aa4F4BjLpmh0XjFgzaem66bKrlXb:xm

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000370e7e32c8c280ff672955111cdcf64c56e4ddecdb0a2fb7d9d457587251e57d000000000e800000000200002000000039e4e80dcd7751f9c2737b6de6846a2fd19a72629f26cc45395aa258a52fb89590000000147ca42becf5cbdc2a728b3a1295fa1f3bcc022ab071c40df1b214686d9c358b1a22517c6c199098775ce0bc44c9fd247b2197be07e8f17538a69ebe09909e1dbf6fa6c9cbea511c1b2d169ad739db6cdf3141ddc377df9bdff86bf8627a7492e23f921ec341ab0eabf35da755e9d6d02ff7539aab7af91af3390c4a071502c3964680f9f883ab4c28e5f38311e9968f400000000edc6a83e41b5ff0b31465b2f2ab91120db080119ad546fee06013cccd40e89d60044bbab7c6a1a4542ec36c54852b0ff2d7cf528b66fc891bea9db34f9d48df	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430527728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32DFFA71-60D6-11EF-AA78-6205450442D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0148207e3f4da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000c9ac8dd4cd9b99dea42a1fd456f70c781d7b23ecdd3572fa7b79e30ab3f57edf000000000e800000000200002000000048adf2edce62feb1125022a6c24730a6d490ebceea4a252b9810069a6eaef6432000000082b57e55232575ba487ff982fc704bce0c7d9eb401c820553b2870d5b758057b40000000de11a695421075cfd18f3bd5f757c9944ec0022a001def7700c10ed928cca09157bc00890dc2f61b193403167aa1432c55f0fdafe7b9853032e044f68b19c84a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2548 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2548 iexplore.exe
2548 iexplore.exe
2340 IEXPLORE.EXE
2340 IEXPLORE.EXE
2340 IEXPLORE.EXE
2340 IEXPLORE.EXE

pid	process
2548	iexplore.exe

pid	process
2548	iexplore.exe
2548	iexplore.exe
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2548 wrote to memory of 2340	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2340	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2340	2548	iexplore.exe	IEXPLORE.EXE
PID 2548 wrote to memory of 2340	2548	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\网络同居程序\admin_menu.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9aec882a298673f26ebe1acf440431a5

SHA1
1d78401cccf72ab6ca56470f283cca9d6ae2a2db

SHA256
13dba78813bc951e25d57e47cd5d89b0463515864e73714da8cde906a3a3299f

SHA512
349e5318f6c6e95979502ce624b194db0f6027c7acfb2b8619560058af40a1965ecfd024fd2a0cc0e624f11b42487ebbd4c9d8a53da00d0b3c49f61dd4032c9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d57ed6ac73a649dd69e330c66a0faf56

SHA1
4f6d8e6531bab65f99771d2202e8c71483ec3ee1

SHA256
a1a565c80c22746a9c14ec83b921a4794a77ebd315d9fda8546a9210836fa853

SHA512
ada92fec2a03301f481e175b12a2c037c7a008c545741f9c0a82a6406d3436da5ff4199ac3b2ee1a2195353b07d2084f29cdee6112309590c192024604b315e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73ceb39e7c8caeb11d89dba71e637ed7

SHA1
4addd69dec547959a2e08a8732aac0d18a2a04f3

SHA256
46cced3051603afb8ae0cc98cfbf3ede19d513878fa8920cb2d49c1e425f5753

SHA512
651d920ebfbb4cf719cea17a1fa785a667d0610f4264234fbf582edd0fc96b0b0df8fc57149d2e7f3d0213d63eb17ee0ee656d313b561fbc4549c967714bf3cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8541fcc8df09882ac0e8893d0b5d6e80

SHA1
e1dd5ab6ca7acdecce6a9b11fae5a7205de33b92

SHA256
8b33419c3b739e8aaaa4682d7fb55dd7cfcaaf39f4c2533ba88ce74a5a5abfe0

SHA512
5b1c4c0abdd3ec10a3d30017cf2ba7bba13f4acef86a49c7eac5dc7f847762f95b1921c8d1f878c8d3e7f199f7cffae1b587108139cffa947fb63c945f7fed69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2c5c8857342ef7d5c8ef2d7f8312293

SHA1
8c072252e8ae9eeb17a591206ea655523041c018

SHA256
e3e01088e7953a21da199192633c4b176c07cb79f649805807758b5567d0a49a

SHA512
5cc5a3be650e090e55d84725d006a21dfae7662e4ffcb80a5a987cbdcd42e91ad3ef691ce9bbcf7757f9309015aef033243b1d03b94d2c6f575c61b08aec898f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc9365743497215a4e32050c5a32db01

SHA1
810dcc19299b4f245721c6a9d3ec523b27a9f225

SHA256
72ee7c00f556330d919767ea3863151a794ad40a1e144709e0fff876b7b3d55d

SHA512
6d1e0d1b849ad4a506d3a3ed6495e0c4aa46f52d88f8e82d88a4756a4c5cf21753f8cc0af07163b5b6723e5709735d54b4f8b9c98ef31b134b8b028cb43b1184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f23bcf9b1b8faa473ea214eb3537e4e9

SHA1
ed28e238969e1f595cd48ae31ed8b8e16fa25a11

SHA256
65910d6fbd9d9f17c54174fc21f760f4751c0fe3b28531ec1795028e71022e9d

SHA512
944953271da43ab194be9caf4ddf5c2720ba2d735eef3cbe07f161929d7d193fc2a2aef50e1f2be00e23f7a50fbce7d447a9cb8394f93a60241ae87b18911e27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b099aec68c3860d85ca1a557d51907ee

SHA1
dd3b600f98f5bfa55acd0719c4e6bad2c2671026

SHA256
90285916ddc2bdbf0156498f533e87dd5d385e30ea903be9d579541ba79818da

SHA512
aa11dce59463b89fa388fb36aeab04d86f1e7b61b96a63432da17eff1586329e731405939fe08b0bfd4ee8f7fb19ad06e565a2e6d06f9c656ebabce3e8e49898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ce9fab0499cb70c20bdeaa5fe9f3668

SHA1
d7514eca922d241f8272f4e1bd6c5ebd707916a1

SHA256
21039065477fa0a335a58ea94add736e6bb8f5163c7d9d499d397434c544528a

SHA512
02370262cfaa52d5e34d8605ef5a9d62510f93a8271c8745369a53587c90494075eb9b6c1450b406583ca736eff60d50877c9c1a4b6689845245e94863bfe714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4c6e2b7c8bd8a2a4edbc39fabd7b100

SHA1
12c94b61fbcb6a71b98b4561d83f7481791e7c2b

SHA256
e3967c5dec0baff83238738f6b791d3a224d817ec6f0ce03e7989107eb8ba4ec

SHA512
f467c2878f0ef3846f058547180ce940642799c6b6b4db301930db34620c1a57750b23bf78746d3339d1a2e08885fc3cee27c55d27de239998fd1c0be48ac0e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71b36c02348278427c91ee57da62e7e9

SHA1
b5081ab753753d80ee7d998a34360d9ce72e9c22

SHA256
a1393ae80dc00250f58c96a9744fd5939eaad85aadaa20b2e552c716037c6522

SHA512
63bcd3232c374df1cc88c000127442080c2990ac595293d75fe351d848642b2566c9f5d6d78e65cb162ccfcff930e6bb59d5b94678b817db66c52fb0d0c4deea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06a4789d0aa0fe9fa2eeb9d09123842b

SHA1
08cd8dec76d48bc905e719d753400a2d1791fcda

SHA256
68e7a87c012b8b7aeec342fd762a818b20afb5369ffeaa584a6a10ca37671670

SHA512
b11feb76a4848e0bd3f94785a0ad1360f0a61048589c749b157dd006fee2572c65e4db02c77b0062e25e68c944980077c0699fe11a2d801efaed61fb13ac2bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3BE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD407.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit