109e28e1841956878110d3eec893a910c898eff0e7e1491518ee249a2dcf0d52

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

res_mods/1.23.0.0/scripts/client/gui/mods/mod_a.xml
Size

1KB
MD5

ff03ec17ee5f13070dd50717620ffbc0
SHA1

3243099738c6b40d2fdcaae8b16fef280b5eb835
SHA256

8e7d953780ef22d302a154cc504a0e13ff031b9177f9b20708bfd8ee9ddad7ed
SHA512

535f4c9f6911ebb0843d0d8c58b2613cbf5122281b50b056918e693e0db9d9daf54fb17b744ec14f95929673868fdb516f8d1f5330bf930a486c9d502fb7c2fd

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEMSOXMLED.EXEiexplore.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ab84dc99f7da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07F30B91-638D-11EF-B961-D22B03723C32} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000ac02d81996e1de1c00aab912d8148bf2be94683cc774833068c76d6811661c5b000000000e800000000200002000000054ca077babca7fd06f1bc50e4f2906f2e7c6f8747819d75fbc7107d11d18b2032000000062672ea37e0518ba8c5a98f7bf472cb76cc40f57bc1eb4f7251475ecfcf030e94000000017af727d7187a5cdf00db74f6d306c7cb20e1e99d0ca5ff7f35d64e0a2ef81d8c5e7ec28a5a656a1759087f41154a1b62abcfd02b6b306c06540b2658f92f0a4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430826152"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000407d27c99a0fa43c28d3fd04664edd3d79a48de8788e4afd117483e9a8bf3140000000000e80000000020000200000003e8a4ae066b4999dbc98352623ad1a1a5748bafb4e35f0525be07acb4d75b78b90000000160c668001e8f9483bd1b4550a21cb01f4250aa0963eceaaab82ce06ecabb7a3a75b9c1ae2c1b51f31cf603a7a0e62f137c150a03984e56a714d99d3f38beb11d111634250fd6979f8e796391b20d286eb825dbe77a78cb9e0580360461537edd6295150871e77e3b34eabb63c3928f26779c4297677ba89c60453508730d9862e43dae77a554ad6ba8e502a52a667a040000000099127957a86af83a66b5a5aa875635c2bc420fead7f602a4fe5954dc37ada4b6ea40a2161498767c4595a573700f9fe02d4115770da442e2799c7416542cd6d	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
1588	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 784 wrote to memory of 2464	784	MSOXMLED.EXE	31
PID 784 wrote to memory of 2464	784	MSOXMLED.EXE	31
PID 784 wrote to memory of 2464	784	MSOXMLED.EXE	31
PID 784 wrote to memory of 2464	784	MSOXMLED.EXE	31
PID 2464 wrote to memory of 1588	2464	iexplore.exe	32
PID 2464 wrote to memory of 1588	2464	iexplore.exe	32
PID 2464 wrote to memory of 1588	2464	iexplore.exe	32
PID 2464 wrote to memory of 1588	2464	iexplore.exe	32
PID 1588 wrote to memory of 2736	1588	IEXPLORE.EXE	33
PID 1588 wrote to memory of 2736	1588	IEXPLORE.EXE	33
PID 1588 wrote to memory of 2736	1588	IEXPLORE.EXE	33
PID 1588 wrote to memory of 2736	1588	IEXPLORE.EXE	33

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\res_mods\1.23.0.0\scripts\client\gui\mods\mod_a.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:784
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d35bed3fda00e96b3639e435829cc4b2

SHA1
7040cfe37d0a585b44a238000a336fd62f3a127a

SHA256
5373094969c4cdd10d7edd8d33c31363eb520dc9d68c6465044d007e95593a66

SHA512
9ca66aeeda637aa1454f59233e7307345f355ce67019d3c223872bde36a8e7092f3b7f2bb63071dc0e7629a166ef222cf0518c828040f46e72814a991e63f4b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
995c6a7d0cccff253ac273297e57d176

SHA1
e0528112f83261fce496c260335a59d18eb717c6

SHA256
71f29cb82570150a4a59c13b5f3741af4661423f9f4b0384896b0599c68e835c

SHA512
42b55564dc6851e33959c116332d06ff803750562985b430b498cef12424cfc121fb80299e912ba8161febacff2029a6ce15370292852240b480ce30188c9159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03b02fe92bdadb205d3f94924810fdeb

SHA1
a6f584a5efebfd0ada05c32201529a6f4b36e24b

SHA256
13eb9d1be7522627ba988c617b23f2fbf3391ed6b75815e17534924b4b8b30b4

SHA512
fcb9be226e734279cad72ced98175ff7f9c4ba16d79ed7dfdba8c59db088145f608c17dcbad444d74717f88ff0b3f3a67a66c0446f660240128da390cdbf5524

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f220ef3e826c81e4b4a968a4bfa701d

SHA1
a49b56f606e4fa1fd0dd9cab16cb2e45bc978af9

SHA256
97882cfeda279aa41246feb451cffb0b3b8a77da2f013a5c98bb400e71e270d2

SHA512
acb11f690e746a6b52c67b6d860bf0d2750e42fc5332c604c4b8a7fc36cf3c42f79ffbe348bf1f57a79260752e9c43728909bf1b0f8f4442b61f118663c05715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d87b1e63b465a607f7634a04e3448f2

SHA1
e24518b3760d54accaadad06d971fc3ec2092b40

SHA256
4a9fd4b693e6ce8ee4f8f92c40c9cfd28086eb2f05cb17cc347c1ca0cd34f6d7

SHA512
4eb8b1edb422530fac5acf8e1aae48fcb049e56c641b32f6ce8db97ff50f462b9fff822db8fd9eda923aba64a0ec36aff291db7c337ab7b7410669f1f94ae946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c042a6a4fc5d93612db61acba528d5b

SHA1
a730607d28dca4755df57ac8848ae40197b7e59f

SHA256
87f9a6158b90b2894047fcf9318e999c78ba7581b58743e720c848a9ecbf085e

SHA512
b0d9c02f936a241bdad8276ec6ad7a1ebb45a76605d458080d54167b29958f197f4dda101de6db8a54278a00d410cfd0720344bb24012b1b7e1db9cb9cc48f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5a82fcc28202eb819a6a32737877427

SHA1
dc469bed3cbcfd76f8046c0629258ffb83e350d7

SHA256
02a44718ab2b1743733fd98ffee8c91cd1a4c6d65e677ecf7a64d113b114f08b

SHA512
1f117cd26f9fc4d0697ac37d3a03e0793987fd368845cc8aa727bd55bc70ed1c1f5d08f37fe3853e584a4f6b055f0e01bf99b633a6b7f9519290d264f5ef2738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab641fe7a44e4541bd7c78968726bd8

SHA1
f58dfb2ec010c476c8f99e0db4830951dfc42e9c

SHA256
9daaaaf47609301b2fe19ff0d17e0ce69a7577d0361ef9b09ceb0c462272b4d8

SHA512
3579482695f6fa940756ae878e78d5a3e10a88aa83d5b5757e11acdefe06ad7346ac890d32918d0a18a8ab013841b0e2a3bcbc06987049c10068dce7dc440992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27a4540704d1a9286293d52b93ea97d7

SHA1
b6a8b795664968beedf92ee7609e0623d5153167

SHA256
c89390e2fdf254dc5f699fb6b30197d5b17f38bbcfde1ba9647bb25ae0cfe54c

SHA512
81ab9ff307bf2008e7985b362824eec5cf270aa8513053f0e6a922d50bf73d34e74b956c8cf58c4209f95bc44ba35d3a712792bb7914e5a25ec75992192e91e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9843af3bad083a683ff4ec3951d76282

SHA1
d2b2d484fb96418f7b7040901c427d124d2a75b2

SHA256
ec4cf763f4541bf8fb41c01f979bc34ca1e1e006ed9efa2b3666b812af003acf

SHA512
2fa47982720e0ad0a73d6ae3def25b1b4e487746069808835f7b61ea2399ad89c179deccc883918ed8ccd4edddcc2754766e4f011270b1adea7e41b7d8ad5781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b0246bf54ab4238484f9fb838bd06b2

SHA1
29d9b216a2cf6fce0f41ecbb8054c328ed4b6d49

SHA256
67203caa9aabef006aa634a3166f340b68b720c7f01734f148f3ec98e03c0694

SHA512
af8492c0c6f8debb4ea6709a5b9444da9dec03aa0852218bda0c58748fd5c364479db13bf5dcc8d0ad35436825f215b3fd26bdde760aa7665a554b53d0962e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6DF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF7AE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit