809f6517480548b9976840145ff402d2598cdf6cc7bc210646306957ca41032e

Analysis

max time kernel
122s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

4.6MB
MD5

87c025c61eabd6db771c0279d880c6a7
SHA1

1d3797edecdc7ddc87ecb5ba09d87e18933cc9eb
SHA256

508fc2e843a8385cb8ef874520ea097e5de752c3dbc040ed0525269cb05dbbc3
SHA512

56b1dc52ba3a3b277a1fcc84b9989cbd446636fa8f518c48d366642b48e252be9d86593027ecf5d1e00968cccafc4b9a8cd69178c0e8da52c538c85012e63f19
SSDEEP

24576:woBBlmnLiLk8hrwrDK7QfkUW2wyfQlQuL:LblmLAFtuO80lr

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432744292"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000ac4c22d6759be669bc5469c51ea07644e0f806d5a144af5230eac6f0f989124a000000000e8000000002000020000000c933c868e5894577277abff3e42c62b08370decdb15f2c22243abd0558d95a5e20000000815ed43d4784ae475204dccf0bd6e7fff57e01ce47bfccb4d1fc252fd49c118e40000000df05af36a48b147fa97cb5b55151298cbae30d51f94e6a7224a3836c5423d6e2f01032abc5dfcfec2f84de8c8139fd84fed3de36b0ae7d558949b27a7b763511	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bf72e30b09db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000002278ccda6c97eb6f74090a987127fb842b36f514ef88a19e7be3f2ecbab5dd66000000000e80000000020000200000006c6a1f580337c3a09a1ce909b3bf4f6d06da8faae68e08e0c75fd1d5588ed410900000004ed3ca7e43b5cf8b675ec6c2a2edecd344ae7ca1f42652c721517180e321e4c66221d1b6042ed18710ef0b00f3d0ea17607b4537780bd50a86d763f7103abdbf0b3571eda36d0f6e50f938061d75ef60d7cac9c68847ce73fa05d14ba55de695816868093d14f631da48099e34c49c3a247c205ffcda725f17733262dab0b467401c4cc27f90c2606e145ddc2da09ffa400000006937f0da8df90d32dc40111b525667db3ff1a57d4a9c7d84ff4c82e2319fc3ced3537a2a63312ff0a41b21a90e45d09be58b6e275f7fb299e756894ce538b0ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0B36A5E1-74FF-11EF-A1D0-5EE01BAFE073} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2752	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2752	iexplore.exe
2752	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2100	2752	iexplore.exe	30
PID 2752 wrote to memory of 2100	2752	iexplore.exe	30
PID 2752 wrote to memory of 2100	2752	iexplore.exe	30
PID 2752 wrote to memory of 2100	2752	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcf601e454cc0fec4a3be3cb17be1680

SHA1
c27395fe10057b508ffef18d54a32fcc7e41e824

SHA256
0d28df90c861beadc1f5b9fe92b4b80d4a57ad953cfeb4236e246c96edd886af

SHA512
658d7239047bb371e32c2b7f5c39c3599649f71ec8eb6a33fcd457c5c5f6b7137d1634e03a28bba1026cb9d461472574ccf84244560a6f269d527170ea7993fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b006357cd7091bf5c5341084219ece74

SHA1
412e84ecd29f8d65700f2343c64d66dc0dacc077

SHA256
dbb4afef7b9e235e3c6b645b3a41455b9dd1e88ef6626fc9ee24e5a77784266e

SHA512
74def8ddd2908eff562fe598580a6f5d19c9527db1ac27f643ba8a7765f4ec42f55a749af6c346e57372f1a818ff37847745939d0323aea5c6b6fe8f3519d21f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
757eb7faa922ea75fb6928f6b42748c6

SHA1
2a44ea718ccdf63ef44bec4eb6f5d5207322deaa

SHA256
64f539bdb5c834a6887dd30ad468519960cd7c40e249254285aad350c49d2740

SHA512
967b10d2c6793d77caba45c2d23aa3cb8c261a271ece3fc92f4c67cedbe3c7afc2f6449b845693dcf98332e819f828a3dbd89d013646e52863ae5239db1f24ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
816f59290d9bad42b7c2e9edca0fe8a9

SHA1
8ea5983cb4f100577daa637bd189799807430af9

SHA256
674d97ba82048ca6ee82dd8e6a6b79d357f9122035ad49c5f157d828179892e9

SHA512
c3276fe31c57c52d4da745bf6c889e63f583281a9b84faf9e9e6d022af5de0fb4d1c8ad34663de1026133c91a10122b9a7059c5eff07201af7ca7c2f6a759b89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd34d4f3f01978c901ac2a7e485be8b2

SHA1
69de05b391de8c45bd895c0480fe9e80b4257bfc

SHA256
7b2f80a23121c47940d549197b7788091a9da914a7e18938d36ceb55f667d09d

SHA512
7c7db76940beee4cd7050b6d36ec1a90b7b7b86b2cc46152986ad306c13820a2051a1fe19ee09af83cadd481cba91a151d8d93dd97c90203710f81d9b5e80fd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03b511a3b5b0163147a6dea9755b6200

SHA1
9277fdfdaeba7dfc0195a08709b9e9c5b161c681

SHA256
40d312f9aac551adcff22bbd360f5165929dacf692e02d0a26071a6598a32003

SHA512
5f505fc6d00c03fa9a006debb5a5f07a2d5c28e84f1fcdef12acd646c93129b5dc82379fc90574ce87089822e69169eead39decf482847dd70aa6d6307f7226e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bc0e7c98d244c00bbf42054f247a6e5

SHA1
e07d3f4cec47bb38f8cc0ec45ef59a29e48860d8

SHA256
a86f85b71dd969670082125c75b5e9804c9d4d4460116e59fb84a69eb8fb63ce

SHA512
b7bb7cb8e8dd85a7b605a58fb16655c7c07602278a573f024410c388bc584e60f2a53d1a3f39e87918beb8c4cb11f9ee389ea36439e7159f3354e04001e48fa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb8613db42b7a59a8d79486f3b7e010

SHA1
9c3db41f08b9ebb88a113d75f34779a5047476e3

SHA256
835892deb24abdc144ede60ca11a77dffeb8c58805c95b7a7c9b43505c3d4f98

SHA512
2efdcdddb983f1bf43ca6a9a564e432f59724b445fb989f57868ef40a491b20e39d15e420cef7657594fb974825d52aaca6db664a1d53af585a2b693a1589b79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44a43f9d924a79b23ce1685f997c352

SHA1
327c6ab3e2f677979cf41050ea4f0b9abd9b65a5

SHA256
770941a4e0244ab118573330775e29df236191c0190da15b2e5d9a364b24ac19

SHA512
e6de9003ba17a46e6417cfeee7ef06c5f9296aea9ce60831b0149be5d39bf72b630caae513e751d35139179cf6961092e8ed4c52615373f0b66584e3e16c7386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f58bd74b4b7253f968adbec9ddb9402

SHA1
e8f7037826fa3dd9547275ad5e8a687e8f30735e

SHA256
69e6ab506d9bf9918a27b5612ab0ac32afe57aaac16ca9145834a6c6cfdf9b1f

SHA512
996b2f298111e7de89aa64e23b9a81e8b7e04a89b9ba295e2f888cf5c25bed9580c1347218c7a7de0da079bceae1c0e7c636d8d3b0e3a5e105770ce1ec472243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08d31aeebaf13c1e3795c640e4709a48

SHA1
aa0f0442c6e79e485cabb850854046d99d1a6ae4

SHA256
b235d00d7392d848654b3106691041e1efd5a03c59acba9c7e9de4d0ec4d76ef

SHA512
e8c246558cc5cfb23772e9afb7bc9dcc3e79bdb3127c6e07b8229b6862cf009373ab979daca9382bb973c02a972ed942ea5efda672a50308dcee0f31daab9116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68610495c8d2dc39c00c7390e1eb570b

SHA1
e8da4f086099b5a65872c75ce42010016d51db8b

SHA256
8ad18d1ad412dd130277a3b4840a158b4e13f8155cb897fc05c3e49ef8c3dac0

SHA512
a799f22ddeb0b0df718bccd6441304e7515a9b320fafa1b9709adaeb1180857b7281f4b561d7de5ecfeff7ff0b63be902807bab6957d2d0049c91618eca21c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffaff5ef80102660b77337657038bc35

SHA1
dd2076818f7ea0b37b382f502c6a5f07c7229016

SHA256
694d19354131bcaee0efb4267f78912663256fbf226ce89f3bcb266c152db4e5

SHA512
00992093ba3b693b6839e6fd87a29ea85de9cd3bc0734347495d8dd234a4476eee763fdcf21a66c88cad8cbb982ff41c29c90f01c88eb2a4104125b69b52652c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13da117c247bcd6234b836d47ccb9641

SHA1
ce937d4d1e135c02548b3b2c6ffb3cd2db04d343

SHA256
b577845090580786898845861e204aed7fe8d91340d623ddf4b28eea1810e83c

SHA512
d7120cbbd5e865226fa80ca03f7eb4b3ea0cc60dfe0058739e93f4c8d99c0f327245b20bc7c50f282bced565725fce94fd6b3deca224bd008915b1b97ae52e78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcad416f6667c4e5d68d2b91a1caceb7

SHA1
01a539b3c8f01c7e4e0d0f2695220eb7b0f27f36

SHA256
182c1e3f21bef9abc29cc3035de8c29da3411f19d4441a861818e012c540c4f7

SHA512
12b4a091ffb58dbfea83fd56f1bc2b5287f69b0d1a3959f840ab793cc91e3561661ae35cc006442e7c3460d0e0565600351e46c1a624e5f04407e27b538c4a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA4E8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9DC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit