6663ff536e707a57681d585f35903f6164baa543667411e89050add532240bb1

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

表情/喵喵.gif
Size

4KB
MD5

4c1abb72166cac4f8fd8369bbb7cc6b8
SHA1

8eea78df805ff4265fb49f5865e5c71ef36f8f89
SHA256

c08afbca12ad7dd2713e88771661a450de63e46e095714039d98aa9ddfca6932
SHA512

2b9e9ab10befec509355215060462509a7fad2a7a0395eda58072ae3a9c7f522347fe37792e37a1b2b7959f57a2da6009e1c26261a438302a75ff5a61d23cd3b
SSDEEP

96:5O/V7PBfO/V7PB3O/V7bOalOYGTOaIGO/V7GhO/V7G7:5OVBfOVB3OlOaOYYOVGO8hO87

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000a2cd3dd84d255ad0bfe32c2588fa9a2a7d750a4533c953bd5a5e3906935b3e3e000000000e8000000002000020000000d2bcaaa90207fe650675d148bc3c0825e2f1920bde9225ca97aa5a2213bd412f90000000a689fa83db4aedb95f21d9833956031d06873797daf32f63824bc25a5bec22a4a8674e3c33e30eb845b1753f4fbd5ce911ac0541c1e30db21b288b245f2f2bc627473db22c077ad5b0cad256d0a22711a7f5586559d1fed3f242a18e39f9aa59517a121f6d28ef88d1684dc03d738a4c2b44084cc6442e3eda72fa24040d48ca753002e678203f2b82f8cf15bdf9180a400000005c070a541a145a48f851a6657884213d97bac7f33d75571fb4705056d49612315c2395bc3d5ac775c06f3bdcf1a4b01883cfea2182d6419b42e109c4f2b593d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000030062b1f86b6fb9e7c9434d175e45295fc84df4926214fe99809383eb60be1d0000000000e8000000002000020000000db902f22f76b64172c0a6b180010f27688c9bb8d983ac3e00c54f3fa306e80a0200000002551cadf95f3816f1aae1e7d0c6f15a0af2f7c8d71049e90905425bad941c72b4000000032c1e5b8f1a41222a77540124bbd6c49bc91c365c8007428fa3d5f1ea601704fc2074a8d2384b831ec378f338f0bc6b4729fab51768fe02b9b7b585f3208bc92	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07DEFA01-6AF5-11EF-8002-C6DA928D33CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101161dc01ffda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431640478"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2068	iexplore.exe
2068	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2920	2068	iexplore.exe	30
PID 2068 wrote to memory of 2920	2068	iexplore.exe	30
PID 2068 wrote to memory of 2920	2068	iexplore.exe	30
PID 2068 wrote to memory of 2920	2068	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\表情\喵喵.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aee56f5447bbcf4d2426828a38a48a67

SHA1
75ec72a13305d4615257350d2b02e92891aad033

SHA256
8eb85fd7ab01e10e9d3d40dd129bc7e4f584687b1473288c0bdb4da1037c15d9

SHA512
30dc67de1a13f75be220a542773c20618db1a796e4e1df6d9517ec708674d5ce38ee0702d0056f78698599c3811714d4b3369dd1ba7902243c4f50930544aabb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19c1c93fd46c17faff704b71cf6223a9

SHA1
0bfcf832afcb098f14ec8217114e46123e79e18d

SHA256
8a3a6891cf9538c9adbcb7285935a98a226d55786c2b9ce475feb61f81392efb

SHA512
4da7ab7a679470f6e8f0dca6d73066154de42e4be187fd690072f945cb11a984eba8ad3e21071beabdc8df1c6a71def28e0406e53ce68b28cdb545e178b10f5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61f22988bf5a4e2df77a4bb4f588fa83

SHA1
3544e1bd9ef277803db55994e0269c25b4c3c9d7

SHA256
028e0bb1f59837a53484ac860176915c8d4940f038cef191725bf4383b874b2c

SHA512
a2507ab76c7fc55c3252979450e0f5428c660fadc97cc207383470124891dd7ebdb683d150597d10c7bbc6f05a462d3a98bbc0db3d665818cd9cdc233f5b73cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
076bbc63cf823941236ef7ea7abb75b7

SHA1
1766740eb7473dca22ccce25b49cfbfc2340813b

SHA256
d4ccc59b7951216018b92d544e5208138069ee565517f4a3155ef1a5f0d9fc35

SHA512
15c17ca82e33ca7946ddbaea6f19cfce3048dbae35cddc457719bc6840349c3ea356e943b192ca7321ef87f13cdf3ea2d4d95c12d45ca160b6d51476f9e4c0bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f6358a4c74da274a618976363e482f2

SHA1
e06ebe4f0dc166cfb1c0b837464eff4c9defb68c

SHA256
1765cb5c7f05b944aef2aa44c40b9b494b544c3a4496a1e30b393fc9ed9479fa

SHA512
54d579704e1dc237f3a02ef40131697b97a40900b2d801e0a72204bb908cf2d8a5d756201a07d0e57bfe6580a3d286ede410978985c64ea78d349c216d4525d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eff5735a25f7955982561e416a5eb466

SHA1
b9aaabc2d5fce9ade3c2ef6250bc6845fd3afa52

SHA256
2c497109f61cce5acedbd74aed35476a235c6dd065f2621c9d312ca89d7f05d0

SHA512
ac61c472d5b37db9b4729e0e793739b48d74f321d7e33b18d1c3639d721122d0fba24abd3bc3160b8c4ce228f1ac0d16c777a37e9e2afb45320a2e4b85105865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaa719d3c6ae78ada0e6480c22b20e1f

SHA1
c638d206baa44b34bad3a647e207e6795de1e79c

SHA256
7e554382bcc77a195b84dbcb6e89ba02bef0af47e7ebd3509a6c703636094d4c

SHA512
1db9ab1e510426634c86a0dc24b63c570c333e0949ae8706cee45cabe71a487c6b2e92d1c6835be3ccfac2d26d5c5ca1d6caca3ba962c0f8967830414d22c140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8317838a161de2f9461b781440041b0a

SHA1
0493c66e5d3bb1cb44169f54359b709467c2c385

SHA256
3bcc5a70e8a26d2104e8caf3c86a4147084627e0de49a144db8306153ed582a8

SHA512
175aafc10fbbfea80993cb39719c89cd30cb5e20712abe08c39fde799d927e8a3e2aa67112f6bc3b5df6bef51589220d4fa9a13ef914a05ac62078a84f065d07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ef5909ff32082771cf02c8d50bdbb5f

SHA1
e4a2d37bc5ba695441ad46a731b09210717d0246

SHA256
4887c8f1e0bc8b8c89686f4879c617e526374e0e2c2f94b8405282fbef452511

SHA512
8062d94c7292a4556fdca6678dcdab7e554ceb92d8e213f45bf49aca71284d43538f89b2da7a0838e1439de000775506bf35e5f27f778a89d3ccd834a54b900f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcdd769c89fa2acfe6960c1ef5b4253f

SHA1
22416ca222ce70c182c9fb8d1de81c2eae98186f

SHA256
4618027235f68aadb53173c48f9e12738077ae46ac296aafaa85dfb6d605996c

SHA512
bd1bad7883c83634c3180a16487bd186b30c70acbccec7fe5293d54e24f2f105bfe01076da1e665266fb2893011111c5b5acc8d0b8b82d197d47b4ecd21ebd67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
681940818c787248def20bcfd719365d

SHA1
ae6a120ad903bd25f6ce1c8347be934b19e83ede

SHA256
f19e4285377f27fdefe147879aa9672428e7050e4fb0dfa3a9fbec4b24fafd66

SHA512
40f1340ac309e33347501af3327cc7f970edab654ad6f5d9071475d1f9c9a79c9839756f8186614a5823404e97828618abcccb53bca2538e5be061bb2a03b3ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8aa2805298d9fc370925f67bda3fe8db

SHA1
1836f4c7cc7e9f93cf9783be2e8276a5203b4b0f

SHA256
b4dcf157de0772accf60a61028318e5eb5a467baa7ba76fed547d1d15882c07d

SHA512
1361475439d32aff2d43746aff2a789a29dc786ae2244a81317f8e1e4dfd74908c71ef529fd64b0ddb6fdaedc26c74e7a2494c9b9c901691314f79b95d50c6a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
decf95bdfd09f8988882e1bd9c5d910c

SHA1
a644aa58b4cb659d0cd89ed7f178242f6ec6c1e2

SHA256
74f7181ec279c441f7ca5a1fbda4af94bf91dbcbbada40be86a05b8524ec2acb

SHA512
01ad7c2e8a358d5b452fac7ae2637b9d0049da754de7bd336c06c4da82464b095a8a1d225edc750fa022263265554adc5fbc9577367426d4696b54a2a0adced0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f520abe7128687008da0f199d619607

SHA1
ea9e75a24a07f85e3f16b92102f330fcf2181885

SHA256
94d7e46f4ffaabb270bb83481bc9429aeef3785b5505bf3838bd92d8852c6dd6

SHA512
a45ddf672867e3ed5039c190e9ea180aba04934088063f9f7f78d5f5140a954319792ac0475f09b1e3666bccb0cf20f9d844c592196ff903c634810d920ed48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f92babe6401798b9279b6773bb86dc85

SHA1
5eaeffb89fe051cd3511e2ac312a3b1f464ce43b

SHA256
c856800663bd039459fbab164cc77db4d78632e6f9c736b6e2a0bc6004bcd9fd

SHA512
1252f951d670bfb0207f7bc23a5a65fc13f890daa117fee4d823cbf1266e941b659ef3c46030e7fbe59218cf76166ae378960384c15c371cac565a2ecfd8dcdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cae683f00ce41bd92510bd1c7987f9c2

SHA1
f5110bea812306125249b196c085266ddd395e50

SHA256
a26c7b1c0838e32fb81117bd76d09bff55b70ccc782d72a6925701162df6f9fa

SHA512
0bdd1a40ec0a74ab1f82358305946bd8698132c7f3d855d0b912886c734d80502760204e0b7738da60eadb695e8c8b48b0bfbec0bd3ee85219ea67134edd6daf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
caa6d083c4cece777da1166a3dc31d8e

SHA1
6f58f558429a498d0cbade4c6ba9d50ba49fd5b8

SHA256
a46d4ba53ee83250fdfd4c9ab73665b7e233c40bb06e421cf8a93432fb8a4650

SHA512
a6e12a52a397d68c578b5aeeaddb381eb71bdec1bd9368559d732a28575b3a3f8cfadecde9e62002f7f002e9637e8c2ceece30159ccd964dc9c571439547963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9F5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAB5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit