1aaf139d28aebec2bd164929be934433b8097a6729352a9c51ba52714aacb691

Resubmissions

25/08/2024, 10:12

240825-l8vvesyeke 3

25/08/2024, 10:07

240825-l5r95aycpa 3

Analysis

max time kernel
578s
max time network
621s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The Henry Stickmin Collection/Henry.swf
Size

116.7MB
MD5

0a0f430638a3d2cbed623e3de1788041
SHA1

537d9a27e4986a86a0c0ab9296365b4c91998505
SHA256

ef749528f85f2344478d79cb32fcf45e7d2a6681fd045f599fb6f91a8c88528c
SHA512

2e9e58182d7d18e6d2021dccaaeb934175c5fd3dcd34b0a973e226ac4546a7339b6a3d9e4e2f935053ab55c43a4de6ac55f4f29ef8f03515851d9b7799640a75
SSDEEP

3145728:0rDhfdY1VpJKkrmMh/L1XKywdg2OmK3PBFrW7:YhfdY3pJZrdL16yUlK3PBs7

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 50e451ccd9f6da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430743694"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{097DE4F1-62CD-11EF-920C-D692ACB8436A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.swf	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.swf\ = "swf_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\swf_auto_file\shell\open\CommandId = "IE.File"	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2720	iexplore.exe
2720	iexplore.exe
948	IEXPLORE.EXE
948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2756	2524	cmd.exe	30
PID 2524 wrote to memory of 2756	2524	cmd.exe	30
PID 2524 wrote to memory of 2756	2524	cmd.exe	30
PID 2756 wrote to memory of 2720	2756	rundll32.exe	31
PID 2756 wrote to memory of 2720	2756	rundll32.exe	31
PID 2756 wrote to memory of 2720	2756	rundll32.exe	31
PID 2720 wrote to memory of 948	2720	iexplore.exe	32
PID 2720 wrote to memory of 948	2720	iexplore.exe	32
PID 2720 wrote to memory of 948	2720	iexplore.exe	32
PID 2720 wrote to memory of 948	2720	iexplore.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\The Henry Stickmin Collection\Henry.swf"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\The Henry Stickmin Collection\Henry.swf
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\The Henry Stickmin Collection\Henry.swf
    3⤵
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0a337ee1b5e04bf3e94f6a74bd7275d

SHA1
cf406e95a933cdc0d40d67535501ee189c5726d2

SHA256
17e8ed236b90f66b74107c3e517cb2af15ef76ee0dd6715a4da152261d120a72

SHA512
a0cf0004a6ec01e3170a881c9ec01b011f2deb80fc42a19fc1fd025979a96910e2936e3d932f048203dd7b654a8cc6edc64b4425f45ea2850e96c7fe772c3d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b643e09ac6b6e22ef59ccac66d4a2fbe

SHA1
c9074b06de4263a9e58e05499f744ca42c916944

SHA256
9715ea2b3adea0656b7b1c745403cd3b6da73f840aed1fb4223052dfa01f5e62

SHA512
90528bfc409d2d2296f45506361b4cf8b80c9fb804962042a89ceb32e758ac4dffa9ec332844729e0ea7889a94eb20122637ae4e3901104e35ca9a8a7c0a5ee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b5591f96acd41f37c9df7bd5761d97c

SHA1
9f54b58dd2d6eebc6df0ca214f10209e8e0f72e5

SHA256
c5b7f2e537e90290d9900c381f39f260439c22c0870d0b490e59e4a2916566f5

SHA512
9d721c84e2e027c942d40ab8b071c6da8be99fbc24351ea402534062072b379cf7ad9b7905893d9b148f48923ca1be7373b7d3ec386714df5cdf0805d934e5cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
292e36f8b157b405afc06e3fb2054b82

SHA1
ed68ce9935bde00c65ec35f3239449e75937b935

SHA256
27caf991331edb7458f8e0059bc949fec91ca44ce3c7c2accbeea9189042b443

SHA512
614b116de1d0d9dc8f53958b4e1a04d3a8ea6f60c1a547cc8d498f625eb88a4a4c13d0d87ee5d478946cb8896a2da87d9fe3207c089b629b0ed971417fb7f79a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2632146c57e81e02347aa468a2e9d9ac

SHA1
3c87e4bf2730e4465ed98ff315171259c18a83e2

SHA256
df49e57a366cc00b3ff893d92e1aca47c7cf56734b2089288970613c55b792d1

SHA512
0832ce0bd059ce5a2a5d90324e219a91ceda244c0a5f6f31085c5c1fb9ee1d31ba519f8a0d57369eddf4d3ecff78916deb78bed5762b1e848e33ca405518a796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f51ccbdfd9eb7558f1da9d979260f04

SHA1
39694705bd55fed246cf13b9b14f8d8ace112ea5

SHA256
be2b77a708d96a1d687e81ae76525e3c7517bcfc3a3949e70aa1944bac2b6cab

SHA512
9d358f0df6e8486d72e7945ae84e11ff56b0936166b02b43cd10c73ec93f17e52f49c6966596339f100ae98f85e036b396dfcd9c6211ba7e398791a6c8110c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d08cc0aec33f9aa58b33b24eabe25d69

SHA1
0008ff13d2b6f652859cbcc58c4bdbd4ad34cd61

SHA256
04da4d677b79af91420756b4e390c2459f8caa6580e1226dfc71a9120407a363

SHA512
89f2c0ba095b89fb536f017d30dd829686a58b9d528b6550a5006059e9ce8f70e299939785749fb69424b8d5d1103348b5993f2d5ed9ba198abdf98c1d481aba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba268b56a1fed8eb092902388a796585

SHA1
a8e0c3fc407a34ce44b58efc745ff72d440d46c7

SHA256
893541aa5717943ba3a0fffb4967746cbfb09d0f06fa135ca26f4e6cefaacb4a

SHA512
5793cb7a43c6da395d68b41f93605a32e9b320863b1617bb54b80bd1a40abe6ea0a961e3c85be4f2e6a494874f5ab9894c224bf516ab89e5fbf4ef72f0f59759

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e7898388dc020f999fbde162d2dd80f

SHA1
9504be0f716c0fe86d8f68c6d9a5adb51bbb9bfc

SHA256
1e6cf01080ddbbf0c1c26e4e7aafa786c4e272002e0110ab8e78598d5d059755

SHA512
18149e860e2bbb714086fef55be19ccac4cc09ef31fd3c314b60e789e4af3a5f71a2a6b077f960b3a7b9bdc7b483d40e2aaab77bacb7a67e57e383952b635b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB54D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB60C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads