9bd15ddb2ada20c646ad4983065a45f63cdbc3bc0db4195acb750699192fc170

Analysis

max time kernel
10s
max time network
12s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360.xml
Size

3KB
MD5

6c300f8ec4c4f67d1b43a303c5b140ef
SHA1

757c02cf6cd2977097c7418a98c3e35f7a9db8d0
SHA256

9bd15ddb2ada20c646ad4983065a45f63cdbc3bc0db4195acb750699192fc170
SHA512

88b455c4de8bba0d0f80b966c19100c19eb14ec04d4101ad36df630c7d9597fcfe424555fe616b4606b503b3aa960b8a80eb651d6dde631c0a0e0e5d2ebffdfc

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC3C29E1-6122-11EF-BAC8-6205450442D7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2348	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2112	2504	MSOXMLED.EXE	31
PID 2504 wrote to memory of 2112	2504	MSOXMLED.EXE	31
PID 2504 wrote to memory of 2112	2504	MSOXMLED.EXE	31
PID 2504 wrote to memory of 2112	2504	MSOXMLED.EXE	31
PID 2112 wrote to memory of 2348	2112	iexplore.exe	32
PID 2112 wrote to memory of 2348	2112	iexplore.exe	32
PID 2112 wrote to memory of 2348	2112	iexplore.exe	32
PID 2112 wrote to memory of 2348	2112	iexplore.exe	32
PID 2348 wrote to memory of 2896	2348	IEXPLORE.EXE	33
PID 2348 wrote to memory of 2896	2348	IEXPLORE.EXE	33
PID 2348 wrote to memory of 2896	2348	IEXPLORE.EXE	33
PID 2348 wrote to memory of 2896	2348	IEXPLORE.EXE	33

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\360.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
919d193925bb25552e5717309467932a

SHA1
55e8edd6cd7d9cda2f2d777b940ee65e00c0f9ce

SHA256
075329cee20409f7dae744f15680d30c078f686ddbfd9c21284a856fb9e0998b

SHA512
84ab16090803adbf11f266d15f5896392b7b2f04bf2cc581b08a372e6ac0acddb2be13cebf1ba545484ba17ce6285e9af2d7875c17758c849890aa63b902363c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17101bfbe2c58eecf16fcd7201dbbbb4

SHA1
aa32f0b5f7bb163f59ff8d8242f4da7476365dc6

SHA256
32f56c843f6bcc2bc5da11b3b36c6c4767fa1b8166afc727058250ca6bd58828

SHA512
d8da82dc5ea7b2555b9dc39f767dc682aca7e6d2e18519a4db227cbc5af36998c3a24c051ad0776294e408df602231765a20b57a9f4352f26af5a15c50f74b9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba1273483fbbe69d004565048c03ce3e

SHA1
a772c2752ae29be9282c26850fc941cc7681ada6

SHA256
330cffb22944076ae5a6863b6e9221b0a5726928624a5abc4489f4e0d52bd9b6

SHA512
b334df84ff2054b40cc080aa76b116fa288f97994ab347a2180e67b5dac79052ac06729d828530d0a35b85854a94c4480ff4c0e375a376f41e717c911bc9388f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12349a270e538ee4df10aae1fd626227

SHA1
1f29b15096dcddc551e70c04021acdaf79be1dcb

SHA256
19750e9c578ba5a1ae33cd71451d5fb6b5fa284e9abc52bc5b99ae2a533a203e

SHA512
64896d7da9e120c21dbebd785ff7adcfac81ccb4a912b16d0e0b2d30abe0aa0d7da3de4fd3cfefb1c6ff496d23978d4e6efa3015b6524324319cdb76b05c5206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9bfb6d68094c3b620252b4462cad851

SHA1
110d9f581a59c437f1e131b6735411dfacb8673b

SHA256
b802efccf9aa311062882c9447f668ccb259edaa1f3cf5daed446127e7c5bf7e

SHA512
d8b267ea6dfefcf47d45780f7dd9e7b0770cd126eaa122234fc581a6b3d873c56655040358f6fa4d512afdc72d8157f4fa999647790a36b693eebb4956549ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
345f76a7bea959bb79d9ebd5e62af19f

SHA1
dbd42df853b89be0731bbb666e87d042bdd40cce

SHA256
e4b0d1dc748d3e4a58c00f3fb4794e6797a0d20e61aee8ab76c5135d3de51087

SHA512
2817cfe36708f406a2b6695807071d142b4282b0f2663dbdb1ac4cf5f44352077915592be9e8f5503981514f69901932548d9ffaa1a64c9526b4617c2227173f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba3d816d5f4abb6e3fe8a42aec1fa2d4

SHA1
7737265b4962feec451e7e6d7e81c63eb2768c53

SHA256
aa47b780dcc8df19bdac47bdf36ff601e0e2a466cf58423f0adea93451f79b86

SHA512
775a5fb8e66234895dadfe1e8d8a4f87f4b966921127961c8ddde54ea76596b54e35139993145dfc694b1364585ef3c4262e2612df53c52a2c7228027d8e14ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4a4d0bed5d9134b32d6ad7f907eb0f2

SHA1
e2dee4a9b9f8a1d0f47fd272caa48659fc6e5448

SHA256
fac4d694c553580fe6b4fea99f8f899c8f585432e794cdc60bf74764682ab1aa

SHA512
7a3051317e31b31e1d0f76fecf26025bb167b9798c3c1dab4cf368b1eecc579f4ae3bae6388318d8e2eda7656becdec2566d04d815f4d02c74ee2682d0898c5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad465c88ea2230d38b198009f342d365

SHA1
6653a331908c8c1ab5b1785bbbfa1f48a866a8f2

SHA256
ac70a935f294a85cae327ce608bdbe36b3b37a2bda1adaa1a9fe62c0d4d00470

SHA512
5158cf963eeb50611712dde0ac6c357f0285aaa341627ce48a890825457a5a624bb3220a6a1bf521dfcb0cf3b79a9e54cba1cb93ecce5c9b964b3e45a88e25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEFED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF09C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit