1ce88c684532dd70ea40f17652ff58b3f845d50409cbeed83b5180ede4f2c442

Analysis

max time kernel
135s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275620948/Example/Example-DirectDraw/Run/Debug.htm
Size

1KB
MD5

70e176fb0b0628b08a7bb4f5a2e15444
SHA1

168a9321b799eeb5f13f551df800aa3a169ca449
SHA256

3b07961c038d9ea2a648e9fc646904e77284e5051ace032d3266c438e5606582
SHA512

d326a63921045bb657433d2f3f1b11e7a818c8a88b0036fd18d52f6f771819382a13ce00f7ae1a7f0cc0fde80c2f8ac3c186ffe6f1b39457fd45f5612949750e

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b7d23aac02db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000a95ee22e9c9a3f700b95a035ececb6075a05acc5ccf01096e639870c76c8fba2000000000e800000000200002000000067d6757cff9724bbb78f6c2124c6f7fea53dea6ed8a67d26f035e7f00f58018390000000e1a7d6d7a674f1844661c7067e340ea7e7f98ef0d7483f070dfce8a765c975ad36ba62a51c63e30f02438bb8a00c5de13890b557e0a4ea8b99376c1b614b42c02ea8aca8aeb23806d4f059372d9c743e9cd1cdd2ab581dc49962ec569c74a032ef7a122324d093d968523f98913d1e885f2b4bd19f3764a01baa814b70d7a7b0788083e84cedb0f3afe8590441b84e23400000004cf50e62a15573a71623a711ac2dc4b70f48ad01e1c840bf27a911cf29eed942398b572440277da90422a9602c427701d5b75f977b3d531686d432230836cbb8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000623d31188c4df2e521df9964ce1d8b9aaff0e1eb613988abedb208ac5b23b474000000000e8000000002000020000000ae05ebb214ccc1d1a769de25b9d2702031cc42ab250bb433112ff5dfa489b12c20000000ba86c1cef21f3d248f8180bfa718c9c7c8fd558e758bdeb0c539a798824c79a140000000f8f3856ee25eaa2d0d7420de478de013b874c27afbf6d1a8551a90c4fef6b7c1eb411d0188fbeda0c6b4545d807802c85158c694954487e24d3620ceca198590	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66535F11-6E9F-11EF-BD41-DEC97E11E4FF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432043506"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2220	iexplore.exe
2220	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2748	2220	iexplore.exe	30
PID 2220 wrote to memory of 2748	2220	iexplore.exe	30
PID 2220 wrote to memory of 2748	2220	iexplore.exe	30
PID 2220 wrote to memory of 2748	2220	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\275620948\Example\Example-DirectDraw\Run\Debug.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74bba10de995752e2afef16b77ce637c

SHA1
9481500b211318dd63d20951e51d69d6752e879c

SHA256
0fd1822f1da31ce068246dddeb236edc3d68a99a059bdde27676996acaa1cea6

SHA512
534ea226a5138e0861dd4025ffd281b6043f39d11e60ec9cef81178bdd983b5b6a2cbef5863369ec68553fc5d3cab73d5c76c7188349ed7dfac5f991b4005460

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c37db6b5b173f105451c3293c716eeb2

SHA1
6ef7f477aff6092516ef81fd5f5fed93cc9de0be

SHA256
d8d4f7b2b1ce18cbf150317b4d1ea6dcf642be15a33b90a04b7d466721e8601d

SHA512
c464cf65e3923534b90477993e33de4c9969af0e281f68e1a25b831ebf4f61d00607a0b06ecbf0a4e3c861a47c1dbef42948f1b2dd770d947b87c0f204b613ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ebf5d4432addfbe7016290f0350f03

SHA1
49d13a256d623f323d0981fe9ec3af1566c2d15a

SHA256
aa2d5f163336f5e097bd66fb0ab9d5169b1d19b0748d39417750541c1a8b8fb8

SHA512
2bfa890cf71b361a3de684663c33bc7274500cbb69366a611b35a427b88c2958bbed31ce8c3685402963683248790a70cde8c34ee3286bc6631cd383918b7936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
462f73a6a97cf1dae3a7c09fb149ab8b

SHA1
17e7e39d5f28d651ddfb84173eb0686e9f8c9b6b

SHA256
98b69f36f2512d97042dceb418c16568c0d375930505ffff4b5e3118ab04adf9

SHA512
56f3673c655602385e87897977d6ef5d22674ad1f0b426d5873af1fe460c0f37f51b03ce0674eeedbafaef601cc32033b4357be31f7af23201bc4d1eaea2b68a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15921e533fbaf9ccd475fe473806f62f

SHA1
1d42cbae6ca6792460232f2a034cb58c76dd9f41

SHA256
cf60f9174e947c115e104576bbc9a52afe72b7853b1ed672d01af4091358e6d2

SHA512
1ab1503b05b35113ad349d4ad993bfe38cc1a50f6c12f040ee9de3ec24a46c2bf5fa9502f8f90ae5a3b7052ea4f4da9ad8eba305c48f075daaadd998f7bfae4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1dc0333486dd0ec739184b8884bc403

SHA1
27dd806a237cebc3ea585b596cf3d7c0b8ee925b

SHA256
3045daf84be8d40fe79d59d34370106f86e76ae1fd0202f2ed9592a2ac8e2f5b

SHA512
354f270aac7106b6bfb029207ead9b9f00bac91625e98e6e130312315f2b20b7fbbf804cfa61fa0f536b48d6af9894ad7d87fd3cd231ce4c7608e4a3b3562cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
291a9919598629207621c158e5e97205

SHA1
54a5a5441abe0353f2bc1a5f8d35da3be2a17462

SHA256
7edfb5a78ffa8860be41694bd34734f37ada6ebe6b7fe24d115b4f3c0dd0fb78

SHA512
9ef7a7fd8ba26f380ab3c09a959bc2a2d49cc85b750d37841cd15611de6e80f7d2e9ec5bc3e4bb39faedd1d61ba465e6ab916ccf3e946d0ad50115af22f4323d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa940b213f9205267ca4263772d8e1e

SHA1
dc399d206db03da9b62c304e320a4f57d8387ded

SHA256
54e0ed8b0e8c4f3e6cd58f117a2e8472575148332d10da3e68aada72a439becc

SHA512
fac8015b59012f224973a81aa902c5b13eb4307df40583a104f38d59b4c3ccde352f0cccb81ec9791c1dd7ff60b7544737e60fea534f69195500ed2a550d5e18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
650fb58165cdae2a566c0c93e9af0f0d

SHA1
154352b889452e8104f4822594159801d03478ed

SHA256
f22d4642b335c528ca4991e1590caf835da15454558ca09798d4dfe9a0f20755

SHA512
a6c2998de9d733d17ce9642b9220a056f5bea771df1120f25761d050c5b83a225fc6cd1c859020c198a90b3e717e2254ed49e97b3df0fca2b7fe7232ac6ff211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb055f041924be1b3ff453d52919e1c2

SHA1
98afdc4170bf49ccff85bb615efca039c692531e

SHA256
ab7f6a61c7bbaa07b41fb1ebe957661e2e521bfe309468e06308c4aa6fdb9fdf

SHA512
bee47585b262ea1e2f5c9b43535981190a3dec6f4ea9418f39e299929a4c2f50ccb98caa52b98c8906755dcbab8f97a0641569210bbb0e6f3824eb95c81ac206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28c32569da46326d500edee91be64e3a

SHA1
3e65453e36827fe14605546c1aaadf16c9d9fd95

SHA256
093b27644c86062d70c5cb42d60e50ad8a9c0bdf3705469f040a7b4771a5ac35

SHA512
f98371a7872d0b03298bae990e697449e9ab7edb8595e6d6d8148cc0e1a2786d4c8effb0fe0ce359977df260142ad87a92742369cd21b93a470803086f0cf1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC40.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC53.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit