03d60f06db313f892881188829f27c813efe8a4e987af1f483a4bbbcd78159db

Analysis

max time kernel
314s
max time network
320s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Portable_x32_x64/res/cravats/broachOneill/busto.xml
Size

13KB
MD5

a6440d04aa8b84a3f7b373142f46aec8
SHA1

b794d5a0d5a398713eaa444d10ceabef128a8502
SHA256

774579308b68d19f8ea3252e3cb51067a816bbfcc6b7f7668993110db438be90
SHA512

c7a57376a5e7bae17d59b9d7ab2e2362100d3930af41704ccdfe6dded4649a66754da34df9a7659aee9e3bd65872e919deb8956755a5e5fa8acbc781ef406e85
SSDEEP

384:oR2IjUd8szjPms8WmbWGcBNVEAP8N+U+72hJMWNqOImf:opd6jPm+uajP8Numf

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50412c118df4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000daeebeb0331a844164859307c516d83dbe075ed0a42369f90522bb5259d0f197000000000e80000000020000200000004c777ca318f9844d9875233f5d54f6498bc936fb1d052f250dd546af71d0b22e90000000043808d9b3af977e0d1f0d96d1927f06541837b5e61b5820ac5046d2bf3b7a2f845fbf54103675db25d2670e171c11a5efe1058d5b10f96e7a4b78b38efa15159decb90a5f815cbcd2fc742b23ede691759cd3d4bf99738a84c1337329c2323db0bfc5948a333cc26155109004b2bc4c6854a25380947bf7df77f131c3bd230c63e5f337aa27ab0bef1e6c61b23bc6254000000017b4df5d5890158faa841c05985041b89e8ac6361b94231536e401a4ba2828b684527a7224075860e1bb04381df093c4dda5a2c74b3cbc05cdbee26e3a3d2597	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000c86a0c73d307f95a0fa02fe86a6c45f001aee800ffa0538e268521eb51333d02000000000e8000000002000020000000e76728bfc01d44d90c208eebdc0051a5d046171d5bea3aba03a44532df0ad560200000000fcb5e823c329340e6222e3ee5e14fbc2898e6b97efbc42ea489dbdfba9d16c940000000ad26da773ccdb9f85ecf103874dfff1809af57a700af22a1a2bfb87342bccbac8c9371ca0c3d799a214d490820fed4b3187330910b8f578b1ebc6eeb5a5cfd0f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3BB87741-6080-11EF-BB68-FA57F1690589} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430490805"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2592	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2172 wrote to memory of 1048	2172	MSOXMLED.EXE	29
PID 2172 wrote to memory of 1048	2172	MSOXMLED.EXE	29
PID 2172 wrote to memory of 1048	2172	MSOXMLED.EXE	29
PID 2172 wrote to memory of 1048	2172	MSOXMLED.EXE	29
PID 1048 wrote to memory of 2592	1048	iexplore.exe	30
PID 1048 wrote to memory of 2592	1048	iexplore.exe	30
PID 1048 wrote to memory of 2592	1048	iexplore.exe	30
PID 1048 wrote to memory of 2592	1048	iexplore.exe	30
PID 2592 wrote to memory of 2720	2592	IEXPLORE.EXE	31
PID 2592 wrote to memory of 2720	2592	IEXPLORE.EXE	31
PID 2592 wrote to memory of 2720	2592	IEXPLORE.EXE	31
PID 2592 wrote to memory of 2720	2592	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Portable_x32_x64\res\cravats\broachOneill\busto.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc1b80307c0b23e458b078cac451c5af

SHA1
5ff3aaae6e32c7a99bb26c9781e78af6455df309

SHA256
d55f60f9f24b185ed71a5e430f01ad240bac6a37612104dd0daa003f57761b2b

SHA512
c0e0c8b80810b8c73dae142ccd9dc0fe124c720aa19737aa1ab66adec7cbeeba27cb955c4d6cf994a1fb40c0b52917f0c87e7b38dabba40e637a86ce065ce8bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d8541cc486acf42d9f9d92797079c2f

SHA1
0cd77377bcd318deb52cba6d69964482374c6ce2

SHA256
faf2797e78f4f2ccba530163207de0223f7bd8b6642726989fd239c75542783b

SHA512
5dd2bea00b22dd6f3537e8e84e75e0cfc5a1775d2b7bdfd1c47e3c4f6e4cf2a95073f0f1cf52bb420b09ec5130c9f20c11e54e1fc317009f1f5b9b80224cd079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b2f1979dcf3b4c10141528cc696843

SHA1
d99e2bda8c0e12797b3a881d5bb8b6cf7e61f214

SHA256
22e0fdd1ecbff531dbb0fac968986713d2ac46b069841a84cea0401f4fa9a4df

SHA512
e381031197e1e71222648ac8d12794498d1211fa7c1f5dcec03d8c18d7eec87f09e2cb3f4141a3a8b14ab996bc371701f111093a4ff555d87bf322b1578ccd61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
787084f98d6af97e1f61cacaa8afac1f

SHA1
7add627fb3eb449fb5d56e8aff7a0578ceef6712

SHA256
5d412de5de5676496d4aa16d4281bf63049c187a82fc64f1d7cad3ec7e6e3659

SHA512
a5218ced17ff3f139357b7fe34a6b8ece3b9edf00fd09bd3e4e6011f00ce89b85a8523d33f0dddcdbb11428493904e2d2eeec323152be226d407cb3403ac2821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9ba968c55592a89edc31c173e0dc38b

SHA1
fbbb9d795cb63e84cb9e0efdb46e7e59637f5fe8

SHA256
d7000c992d7ea2ac5324d64facc9af2d31548a0cc0a7cfcbfc6bae584ae0b5f6

SHA512
74b2db12890a1f87f981cf4404d722996081d2613deb5bb38086c9e961957f0fcfce5195a3f09146896de0c4d17805ac72299514d5f52e9e53eb5ec435b7ff32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d0d4a3f0267a0435ccb95075a041763

SHA1
494fc60068995defa92ad80e3d6c5961ddd44069

SHA256
156ff998c58b95bed69f105e515f1ed0fd6410528cda87cacb890f3cb68f40f5

SHA512
3d6f9e3adbd77f20a09d7e36567aaccf0442aee77dfa1022698681a87df64218cbd887580bd487ca2a4138a3cdcb929a8fc1d4d7d5b6f8ed63a5a0402f800caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6404.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6510.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit