03d60f06db313f892881188829f27c813efe8a4e987af1f483a4bbbcd78159db

Analysis

max time kernel
363s
max time network
364s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Portable_x32_x64/res/cravats/broachOneill/bestinkSonarsBuzzed.xml
Size

76KB
MD5

1695d921cf1273c4c108c38ab49b6e63
SHA1

6660529626f8fb6e44bb4dcb43542946d6a75947
SHA256

a1ef4e13e10998452378480ac8db26e17c110cebf7496dab8e3669304609195c
SHA512

d7941a94a19a8a55f10bcdb6a141fb3e96cd9aac3f44fb7ecb76a1694cf9e1e5365edffe8d9edd454fb7a527e7f58bf4fe8377e397becf59290985237cacb200
SSDEEP

1536:lPw7ITAAk4ppa1XpFY6rc/t6fxD07a5MfKQuf6LVtdtm:2ITAApa1X3pr4W35rfKtq

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430490799"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38E1A8C1-6080-11EF-8CC6-7ED57E6FAC85} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000df0daf4fff59775089493bad78b95f45a799a8beea0d63d467f38eb68e2deef1000000000e800000000200002000000071739319363d5b0201c9b87141932fbc5f24bcb7f82beb009e3c096d5d64eb529000000034fd8938e7e300645b21c3e77ad78f2d08264fc28e436e42f23e1b5e04ab6801f0c032c1d83147374dfffbcebf961890570a32a5580071ecd20ae1bc4541317690d4ec1389bdcacb6db5d40c8f48beb82a9da98ecff8b2bd72c4ed0efb85c0bf33a4ae3c68b929ba4e532b79875ffba87fc24c6e8b569feccc9013f8dafa527a9b7e5942e4e6523d628ac50ed1da353b400000009fce5c9daba549025f50fa5ad26d393ac74ba5c5c78295153edada5d21a697bf9c358b577cc058271f80015646943318e14b2a184e07f15c7f05db29e21ea317	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0bad90d8df4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000925740ddbd22d0fcacd59b344664b340435024d4d7d5976cb32fc8cbf28dac95000000000e8000000002000020000000d8e86811f11967d87430e933a526523dfbfeb4d70882d39996c4752577952bff2000000041a521d3417104af56b8e7cf03dbdb0a3d0564958facd7340f2208967521ce1c40000000a35285aa77dbf6de08dc6ae4d335e2963fc3d45e81a80a31850f5d9f29996f574fe661098877f7d7a2c47fb0ab6c3de6bea919bd3e3efef8c62bb0cad04391f3	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
1696	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2404 wrote to memory of 2396	2404	MSOXMLED.EXE	30
PID 2404 wrote to memory of 2396	2404	MSOXMLED.EXE	30
PID 2404 wrote to memory of 2396	2404	MSOXMLED.EXE	30
PID 2404 wrote to memory of 2396	2404	MSOXMLED.EXE	30
PID 2396 wrote to memory of 1696	2396	iexplore.exe	31
PID 2396 wrote to memory of 1696	2396	iexplore.exe	31
PID 2396 wrote to memory of 1696	2396	iexplore.exe	31
PID 2396 wrote to memory of 1696	2396	iexplore.exe	31
PID 1696 wrote to memory of 1944	1696	IEXPLORE.EXE	32
PID 1696 wrote to memory of 1944	1696	IEXPLORE.EXE	32
PID 1696 wrote to memory of 1944	1696	IEXPLORE.EXE	32
PID 1696 wrote to memory of 1944	1696	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Portable_x32_x64\res\cravats\broachOneill\bestinkSonarsBuzzed.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
240fae89c5b7f5d34e59bf4d65c25b9c

SHA1
cab0941229f335ec3c029f095173be14a3875585

SHA256
a09a02bad8435c2561fefaa406ed8c685065ff1ec7ecd8adb0a4551013a319fd

SHA512
1054483c877cb9cbe9e1c9f06fcfe039dbd2db35df799fda901d6514f2a33569dc8ab94c27734aba3bc50b069a0b8c5961b748164aa2beef8240af2cbd227184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a06dea91b196e0c093de0b55c7dafcb

SHA1
ed774c0b555a67bd6104dc3b65b13f8edc58c126

SHA256
b1cf0709dff650798d38ecbcd4a9c3d92529d158f180f3c90b51a729720f905e

SHA512
02135fc01a59de9bb8c354e13787b499e85285f1ee36d99110f000907a650fcfc242b9ba8f5da625a00729521362c021a71b95296ae8053e6be7cf7a2264b942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbf660ee32967e0308eccd019aa3708f

SHA1
2fe1b0dc184d4c0ceaf2e4735e068013e590bad3

SHA256
13edd87d7c64d6ddd792c0b668a71073a66e1cc56a7d7504c61cde00c1ce436e

SHA512
6fe4ff761157d0aceb766e194f718a54f58ca3728dd20969354e7971ee4ac824c9c431cbc80cdb92cead7936d18fe6b8350a33f636111d442d2a28976ab97031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bae5b472430491a79f1d2af763439d58

SHA1
9d158145f4a9093e8716b74a24e1e0ee2b155547

SHA256
82446066bdc1be4a84f3f194c79927016125d67bc1a5a786dbdd26bc114e03fe

SHA512
a9f10aa3ea2bc7dbc681e81cf7578ba762ec808af4c162a1c56ab34b5096c47cb1d7e6e2f9c9b109b829fcef8269b96ef512bef507189af7ab8cca5cb490ebd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5694df6ce3ad3e6e560e72ec3ace7120

SHA1
248751aa9605094e0989fd0bcaf0bd763a618132

SHA256
27e3d3c56011914765191f59a6d142e27f78c91601900240191b1171d3d06da7

SHA512
bbbd3e771151c620dc862edc9b183d1e2733471667bd8b364f5853b1cfad9d4c713b183653cc04c8ea0b1fc621e02cde3473327df08bbc0fb67aa3c9b2d69f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59b164e2002f0690a3b19520b143f6a0

SHA1
b4dc22cdb17a609d17aaa7db989ccbf6aba64ee9

SHA256
15f6b07bb2247b2018f67727515a31344fb58dd1e1a1dfb44a9774426bbfdae5

SHA512
536407754a601a8d5bbc466ed6e1a985f9f3ba73b850f0274c2da47446ec402fc96e587d0d2d72bd74704175f2507a86d820d3336963309ea91ab73fca60b9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54c06eb8296db17cc78be5b4c3f65fe4

SHA1
87428e0f7046dc01d281a605033b717570ed8a2c

SHA256
022210a5f6c992cfa7bbb502f7a1b8a746780279cf9e571e315f20d57d58676c

SHA512
fa8632fff88fdb896f3f3a3ecd9503c5892e743757428d9b6c55fe11525e57940efcb7e7a2e82f871594a6e6dc018b3d1a01660d69abf4adda427d33bd34645e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea0706213256e179f4852f94ebbd07f1

SHA1
cd918936d6aa7980955f77f2c703fae2b7a3f4e7

SHA256
762c338640644f0118acfc3651fb4ae85af57601c0ee90406433b65ed327a28c

SHA512
479f78bebc16fc58ae19c9252067af6f68cffd6aba09441c4e23572d4687fb2ffd9bd84ef6a1fc4bf590f6a305be967ce4001fe256044bfce7a9561e2e1ced5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3589c25297fff93edbc44e021f0a614f

SHA1
60b34fd901a3be7a839d0952146d8d4b3712f223

SHA256
5268c4cfc22e721fcdd0a70bca63265403850d9917de298f2952a89eb10f67d2

SHA512
9c773d4188b79e55a043fd42511da9012d8f1a1b81b77ff13bbcb1cd14ac6b083ac5c90bd545925fd69e2ac2ebd1e5a8bfe04fe600c22508f360431900da40fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2301d4a86459cf3c27c1a5129d0a27dd

SHA1
02600be6c2cd0ec8894b14c5829ff3c924c6d72e

SHA256
26e5631d64a7c1cd06d43ed9f26415296491726efcafb1833a5941d274b58386

SHA512
9520d4076d9fce75b375a47a171ace9443227c36ee7c69f2d4b1bcd06cb083103c0fa0a3afb9400ef770ebca5e04383c1541ecad6ed25a5ab53361476d8db017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61ede1d0f9b80594753c427396a3fce9

SHA1
389fd43d756a437f59dd0c7510aaf13e71378e1b

SHA256
f135f474e927814fc791447e4cda758c6cb76253a6e4bb185013def14f24c88e

SHA512
e746b11b87740295043d57ec86adf1df9aa942c0553a822a446ddfe3b763969a675513edf0a7d4b62259544cfd82eb9625b8dd749bd28067e91576f1979ed6a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b852e0af1b96c201bfbae8946202118

SHA1
c74c5a7d8c13ad9e0dfb6e57c69a71f588872435

SHA256
b648f1b50e098deca9bfd2b2523cf05713330234265bdf1d7657e4abbc786b01

SHA512
483ad1ee2e15a597a77d42aa9a21f77926c4d91b0ed4c34a039e3ae9f4413bd43d0d5dc5b451541079b6688142e50f03224d227ac92fbaf71db329e40cea38f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7870da55dc07f9ee5c0109e360b764d8

SHA1
4a74fe615da05f65a3e86f5b44e6bd9178ea9e23

SHA256
f78e0dd3a607b2c06b5e9aff0fe49f1bbfaa2008d4385e45f865a229f8cfa808

SHA512
28c83a1dcd27a2b9121e1d0963b49cd39fab8aed4dd43813c289da069d6db8ef925d7282bb192ac3a19153f80fd4ebc4a7a81078dce5bf71d06aceb562b8a1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD76.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit