9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e

Analysis

max time kernel
15s
max time network
15s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe
Size

234KB
MD5

5af20a57cdfbbdd0d528045a87306891
SHA1

1e7e9b25098ebffdbee7d87c01f1c1b08a9abedd
SHA256

9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e
SHA512

1abe00143294e64caf4c44e79932484107d9c1df0119bbbcadaa61ec594f104b04555093f101116207e622dbbc8c576ce3f20ee6d10d5850fa5d237528085458
SSDEEP

3072:benp+iGyuVYE6LbqV1tE7sEhad1GRzK5MXAa4x:benp+iGyuVYE6Lbq5Ecd+zbAv

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DFF9031-741D-11EF-A817-DAEE53C76889} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1716	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1716	iexplore.exe
1716	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1716	2904	9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe	29
PID 2904 wrote to memory of 1716	2904	9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe	29
PID 2904 wrote to memory of 1716	2904	9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe	29
PID 2904 wrote to memory of 1716	2904	9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe	29
PID 1716 wrote to memory of 2092	1716	iexplore.exe	30
PID 1716 wrote to memory of 2092	1716	iexplore.exe	30
PID 1716 wrote to memory of 2092	1716	iexplore.exe	30
PID 1716 wrote to memory of 2092	1716	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe
"C:\Users\Admin\AppData\Local\Temp\9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9e4027706ea871d19520759f1dc29b6f15b47f4bc8d98965af68454a22ca563e.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
8f759f4f3418a937a9a8ff12b2aa8a39

SHA1
41a8633ff8bec6ffd119c1526c79be0ba7a52a3c

SHA256
a936026326d036caa3eedf48966c8842dedb592fe5d9f2206f3b527e2e6161eb

SHA512
0beac7d01a29e8cb16968ec28f590d305f45495d9beace276f7b652277432698009614490f24f1e06b75148b0899e2103a423495c3ea981dc4b5149d0d2e7749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ccf4c17c95c3ffcaa3b6702293024c

SHA1
7f067eec7025134aa07bd6e749d1a1aa7c256849

SHA256
c2434a092479e62cf470f51139a7b8d4db5c57c2b98d1fb8ee18f8cf2df8a239

SHA512
f2c2f4c9e1b732254bfe1288dd09b560ffa26e8d1a53c8fc6906dcd2458d4eaf498934d1867eb8579f9db078a1229d36030c715cd501c18258d161119604e854

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68e1fb920887211ebfadfe885e007b1f

SHA1
82e556fb4fb0f3902e91e290445edaac2eff7618

SHA256
e91d11b7f1e1e01c720bd232a1e49e3c8b0ea7483bb4a31c9c17326036386628

SHA512
d7098a8787f79bbc86227e6ef770c2453a3835de00473441c39c6fd2b535a16a6cd7c24cf8001d2cd43c027dff1e894a5bd4b97180c2ac1bd881ea149a426158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97fac09c1f96c16b2ff4b7cbf0a2908

SHA1
c94ee3fc9980172b1fff55390d216052bac5fd87

SHA256
6ff03c348f229308185289833d31014ef7a89c413886eee25a5e46051034e93f

SHA512
1d4b2171b6c387d7c56ce5a23683844e9c043aef38eb595ff7fd8b0f75f283fcdad9cd56d0374de1c9145a77954c616ff1e833b58d12c6b6736274854667bd1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd7c170c0c2ff99ec79c1f29c00eecfc

SHA1
17a1bbb0ac4de3a1aa314f6be84fd0ef2eba93ae

SHA256
ad210d1338e4d80c621d3bff331210c9dee558e8ed36c2ceebb8a083c3044293

SHA512
2690f5a41136522d6f045eaaeee5eafa1bfc7a6a2c7320ed6473d4fb213a75f3ccbc1368c9a3fc6116f06f8abda5248046f86cac341ce58c752c90ed92d2b632

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cca31d951431bb5d70600bf85e10cb0f

SHA1
eb84f2379d964188832cf44f0ee65c6c63450574

SHA256
c299de13dc565501693e5894f76565b5f67cee773febc0b70f6693414c6d1f7e

SHA512
0db5b8b69f3674ea60d1c1d5324fe41b3c4abcf0072ccb88b2460ebea3252d739d09258fd63416950f8397d79d7152f324e67642b8f49359110599285c5fa745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd3881acf5df0426ad066f1614edee0c

SHA1
c244a7902cf6e5dd9e8a884a0d8f3b7b3bc064b6

SHA256
6db793306127f0c6c7c90546398f0e149bbf5aa4d756c28797144e277bc42307

SHA512
1555c585b8c07ecf3a4b2d9aa40d7d65a374823671f462a52592db6df3e5676025249e038188ea04dcb8794dd9ed67e5c33abe4851f4ae0bd871b31462b8b892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f84ba171aec089fce8af1872136ca621

SHA1
a27dba1fa9e38d2251a6e48235f9bb57d0753044

SHA256
8bb80f0b10b12b54194f00c1eac926433397b82d79b8fd62b4fd57c1db89643a

SHA512
80c0810263b9f5915ccc275c91584da31def938a456903159cc324e2a2f68ca591c982f4a2e1031c8ae4bf583913057a046ca2d584f59cdbbffb9d8feb770096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55f5ff6faf70caa8b61eab08fe9b6188

SHA1
ce15326be98a21e851b9652f77f9f848f598c4e2

SHA256
ee149561ea313a10cb14df87bc165fc9f143c178583784801e9e1e0fd20a4444

SHA512
a2998a8f52e59992b9ef4614a9cecc87231bf6e6699985d39ec1f3c56ba1985c64720d8f59d93c787965201c98aa846330244c04c7a601989678c7987935f03f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f783ed801885c953ae3c6b533fb33cc3

SHA1
4e16c75b13e72769c48f654403f586dea1255c85

SHA256
e3aa3005d08f6ab8a64ddd8bdbcb8144db16d687e4c23191aba166acee2a7d59

SHA512
23a83c7f90b1a7100f2fcfcabe5ee297282d21bc3b66089d3bed97a9a8353565c6816a850b69eb9a4fdd95e45b2f3fdfc69ab203a0bf80e789b131503cc34605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a22c9f9d4ab82abd7f3707aee20f635

SHA1
83646999999131b5280b6bf8d8116485b94a80dd

SHA256
8a9d5b6e048cab668d1d0598b496626680dd7540a82e4533e8f6168175cdd14e

SHA512
e614d96e8fb1ba43e8a6aa15906ef5d1f2092929ed967758b567c1091c17bac6e06dc7d4a9d6e12e415922de35158dbdbcac3f97f3fada23107ed0bfcf2b39c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e417e540801fea827fc47e7ab06284d

SHA1
7ae72b1570cf259b2595bff2c1ba009e55a3f6b1

SHA256
5de17867e0e4920d2cd1053eeaccc261a79b588c44a72507b6e201df65646fa5

SHA512
b9adafb30b74067fec58f4607466799d5f39a562fefd0d47bfa9228a0923a151a495911875628e904d1ff0b34c097362b97c84d0617414033e41d5d6e433d021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6109595bde8151eb7e61df9ac9789de1

SHA1
1fc41e1ae4b829c0f05c04a1ac95cd8183999adb

SHA256
835d56e7e89d3921736e154f0c5035c45e2df3e389b5fea347617e75219e5206

SHA512
f1ee783e8961d8817f776ed8af7b28d2934fc60d71a830e5f57d376958cc697eb46dc917057bb3f283923406cdd879a472abce0ee8c12f9411365cd48e26ac7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dd9fb28166f80ae039792a7d897c310

SHA1
890d7b5388ec84ad5cb5f257e0eba0f7beb49aa8

SHA256
ef6d10bedd00c2e40ae099681efc3fd64113f2b7c17b5fb3caf6e6a3a729046a

SHA512
5fee157ce45d92cc34255a493f95a03365d9c6874e68e7c1e1f2b1428a9be058293e57c71f7ed566e0953c765f73a74642362dcef543c7c4b73875196801f059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
837e6b1192c06cd57415ae794226b1ac

SHA1
a0b55f39287b9ce0b903936c1ca097d07d2944e2

SHA256
06bf4f2baa01852007cd88b1c7eadc66a33cdc66dbe75fd968cc205b464ee6c7

SHA512
8c5f63561eeba36fe4f8309c3ae19e8a5d03a5747b3586490172ed8a0c06c1fc5d3c625887316972a5f5ed3fc94239c102ccbb9b3cb9bf46e5f36002fc34ecc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a89f4f0f64de9949ede83f362141e4b

SHA1
42a3d2ef049dfe48abd50529f5c276d9a865a760

SHA256
ebde5a591d33ca20512fdd0a3cf0e124b540137ae6d0d085c8384999da0b36ef

SHA512
70624de78076a0354163f3f9967337f260481e921b3df8347f94e816dafa85f8177698bd7775ca8cd6b0b3141d35689298f22966c8d3ad397099e5f49b783969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
057c72b8d78076b11e8d9ba46db7baeb

SHA1
8d9a11ddb4984837a3eeec6405a0ee630aa74b44

SHA256
787ece3916e75538ff64dfbcc2059aac0bb852a3d216a02aa373e73a636959f5

SHA512
4620cfb7029a0cd75060d79e300f00a4257e6715898df1c44c3b0a7702df32c921101fb7d4b023fd9c67ebe95364a00f647377d96988df8b6dd5332e0fdab862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cec86448cbdd01738da520b10f739c0d

SHA1
a6c1b861ccf67db94af56cba201eabed78651e90

SHA256
2680df2589fcf7d7f7bb57e09b1a2369f2a9d9ef8cd713c6d43bc79ce15804c1

SHA512
95f5adfbbbdbba2e9a1d6fd108777f72a58074793db62987710bd0b60d97be8aec46736cffda1a5a5d1653841c59cf6db934fb96de958460d9b75b2af7ac9045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd1447fb0e74485494c62b5f5267ba2b

SHA1
28997ff3a5837d15bb5a3701d15d3bbdff701b25

SHA256
420fb17ef87d5715aa4717222f94c34b8fe0b607e78c8ba49d41f9a441898cb7

SHA512
fce648f04f78c5756af1bc3a4b0b53cf7b058b0f025a010cf7ed9c8a766d881c973d6cfad317cd780b2cda43f9b66677742a3efcebe02a96c4df1fa4b9603d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA36.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAAE4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit