7ffed006410533eb224d973145df159f6cb64ecb765448e0de4a0ecc11f4e8bf

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

account1/login/step3.html
Size

2KB
MD5

0ff0e849f1258d3279aaf4988d002671
SHA1

9fcc3c8919516416b4381c0f681bd3cd7fc03698
SHA256

32dc7301b2421357aace88035cb26c6ecd036c13f58d6098a2dfff86a6624bf4
SHA512

b3ec3c8a87e3cd9f90a6183caa68426a1e296af27bcd9d07d7088d880bf136a5e38c38f1ba14933dddc6e60236c142b7eb86b449adeb7da86975db0728b4568b

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 700e57ca4a0bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000434faec307e19b67e510d5dbcfccab7a55d5ca72923b1179bd9773da5020aa9d000000000e800000000200002000000042144179d49f302276d369e6685bd90a2817dcf781422f65c4cf32893476dde620000000c7242a694783d67734b38a530ae3cbcced66af4e9849b9cccb82c8dc54838fe34000000050d3545e1fa62e39e8e1b545bdb2c8810596efc081bc9f3974ad4b198346d753aef47134182ba1f3f47c9e8249f398d66d1374746a44c7e9bfcb4b741d895827	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5E08851-773D-11EF-8E45-E699F793024F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000ed6022261680518ed931d1ca3e459bf40a61d55f0ed96ff9fa6447cdba553e0a000000000e800000000200002000000018348eca0f44ad96f85094dbf08c96e47b45d527fb57d4d4ff59df1d33e8f1009000000074e374ed8bc85135311e3bd909fda99de91487c14f8ecd6cf46fcfa94106af5c0fc265e1cb2163c2bdcd156941c8c4e2f60b4f3474c9dc7757ec529c6367472c0d6277582ca0510fc4c908ea8e92ee77a54630832750269bab31812cbb9e7bee0bca5382d4f7dc708bc522e0c6ee98169b9339b91e948ab0437d7e797f6cb5f9dd842b7298d1f5bddf9b8bc9eea2098e40000000644140949ef6450dd45dd806e493af16fe061180392f805d70c6abb70f1d774e3a52d4b1feaf45ee67a185c0c290558b4823c6ec584a5408418c21914c33e39c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432991215"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2680	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
2780	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
2780	iexplore.exe
2780	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	Process	procid_target
PID 2780 wrote to memory of 2680	2780	iexplore.exe	31
PID 2780 wrote to memory of 2680	2780	iexplore.exe	31
PID 2780 wrote to memory of 2680	2780	iexplore.exe	31
PID 2780 wrote to memory of 2680	2780	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\account1\login\step3.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1380489cf156ccd2c74b6bfb5a031656

SHA1
306ce70d54c53173a66540c0142c29b8ad2a62cf

SHA256
33c62b593f6d77d47d715bde0e41843bb16d3895339480e9e7766a19634e71ee

SHA512
d568de73f46f8aead719bbb50ea01726f4919f0d7eb1195dc2a88d6b185c0a81c499a10231ea3943a400c4154519d3dfee8cdb933e1d2117e4a072020cd32bbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e4cff5eb07706d53fae1688dc534810

SHA1
b43bce496b5f2d69fb47f1760f9858ec4799a897

SHA256
527cb2cd3e36e121b26f913e96c43d9a10446c0083220e0c1f26681f6a1abbad

SHA512
7d675576a4efd4d2005baf987a6b32b00de10ef49c9b20e2cb8434320ef1b736d26cbe184e53c56247912350b5184557943aa7e18b780b928d50b7b3aec06e0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7472e2fea9a083103084345a880486b

SHA1
3dfea01b1e89e5bb9dc82e23b812c59b62896e62

SHA256
400d1f0280220bb19f0546a041878e9984bd1321c6cfc05cebe11706db98a6ef

SHA512
5a273f38159204233ed9ff2ae106bde9fc282c6e7e6c9f727bb54a80c4e05cd194625867e1aec5c1f4eaf6ffced8625114dac1fd7a6e0402988da694c6cf8b79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d8d86508643b9a3a609a9a4677e5045

SHA1
b27d150d464b3130ca8fdcc281ae1959d9a2dcd4

SHA256
06514392f5662d20f9185b9ab51ebb0d7210f15f2589a865d40776316204c9e5

SHA512
7ffb59811e61315a0e64c977f82f0543eacdd4d92fe178ab814d1a4b4a6f7b767bef33b91723db70dd2b7a9b37efbc8448708f9030202c04c894c54253dbbec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d04ac378d9a18222e88aa3213b93eeaf

SHA1
706bfc13aadb5040e9f9219298ad23c367c29f59

SHA256
3e8dd36d0aeb7a46cbfa07fabc28abe57bc7ab841f8601d53009638d26b90fa8

SHA512
37617f045071e8efc357bd9dddf9c2903e027c8c55ceb2a243f871b34c63333104af87b24275a62bb7812b83e75703a03b4e0aa89442c3d07a7546c7288acf06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cbec303052896b93bbd35e19e57e719

SHA1
2346191511147dc0cfd6a11649855d38b47acfe6

SHA256
ed38db14de84016af5b150f8f5da0429d832e36aa83d1e5be3892f17b2e750ca

SHA512
14a249549be8064710abb68fde4679b8142bf172c694c11c0d6dad6dba91217349d12a9b294e449222f536086971c310994bac598568b558a7690b11e0b7a5b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1303b4aee63ff074e5ec07db2f2127df

SHA1
e23d0ea47e932ee0094b26bfd89c66fe1c2c8e7c

SHA256
4f363fb791f779d0b25424c38d3b188fb88e65b471fe4abd98f8d6ec5b2db0fc

SHA512
49dfd346782182b5d0c5ea9a13695d5640f89bca810c0b30df8e411cce8d0abe9eabcb59ab6ab02c45fcc3e82845b0c079b615335e7156d6737014271119789b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b482a532dcc7a6915203486b3b5b006b

SHA1
fb85f37afd40cb24069e059a4c000c590d694425

SHA256
7ceaf738930d1042f07233fbd13585bce4c77e0e9906f624167f27c2e30a373a

SHA512
0ddbe5c05a1ce9dd10a2bbfd2d8ef8e28d3a8d5ccd7604db499015d65da24cd5770f899a3b553393af6936de9bd5a79547727129e7a82333d895e60a91e3fbbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de5186f8eafc865c6979f0b6a9500d73

SHA1
0353bf04465f09890c4bd5ca0497bf2ce0127b5f

SHA256
c0d887b39b7c16b3f93793594c2b93acbd483e261cb044f0265eb63eddfe1242

SHA512
286e60df6714b14523a003f616102754892cdf635d766d42cd9c076dcdc5bc7b2c4fb35e1b52706e41dd9205f6534d89d9f8d3f3c9e977faaa413f8010d2480b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f264c13bdf0a623e2e2a29635c5608b6

SHA1
6963b85d55972eca9736320b03b19d7902335ef3

SHA256
fda6158a5210a911e6da25138325b4b55b0e44d041a4130cfb65836aaded8b2f

SHA512
abb20fdcc4466cef42f4bfd64116336ac846c6b06ca6a1c997109f1d186d9bc07fd78b5bd04ca45b28d659d981f19bc72ade61b0729401e776d28c0ae6bb453f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e0d93604f39c7258ef0e29f5e5eeb98

SHA1
8a567e4600abc21378e75b9757716f5904cc108f

SHA256
8202b331e0d3b08ba897942fc058e81d15206bc0984585f7896232f42a8295e1

SHA512
1650d928da433bbef41aa4df7def395d600e23ffdb00e496b8ba8d64913391d6925e9032f1cc976955e5aa41e1990b377fa7b27444451982b382ebde9946adb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e37290dc76c3bc936d1278d3d59c38b

SHA1
f76152c09cdb73956c080dbf821111fd71955271

SHA256
6247780cd0f3b5decc06b7350f39c306ba164cb4520297bf431afcc8e957ba58

SHA512
85175afceb4712ac0ad7cacbc6f67fa5aac7056776c60558dadeee1e316d72e2ea2fd29ef32f48a494edf265f4882c5f8a684ebcb880b9fb8869da6f77ce671d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a05f11be7e2a570cdf963c63d864345b

SHA1
cc7897350f952b9439388b232e1294b81b2a5e76

SHA256
caf1a86ad29c5c8cedcd02138185999a15f10a39d4a3cb203a1d03d382ea6b44

SHA512
b32086e6f432a40c50eefae2edefe0fe10da7c35c07bfb093c1ab82e34bdd2e171d136695a10a4890f68f0fb4e2fbe4ebac2c3cc273b02e8245689bf627b4b90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3896114a084c3f31854dd35509534401

SHA1
c83d53fa2d4774ca26caff76fd4c364c1d303a30

SHA256
16011a6b9326011875a236377f5cb04c7261915d2cea0cd117fdbd8b06f7f4bf

SHA512
ef06eeb4ee6f0480665da227c691b0c0fc82fa98ef7ca208c74cd6c6c57a16d0ddf9865f5c6cfe6c0864352bb6780053c2a35c8b94877f62c22c152f978fd7fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f96657f78893e42c117fcca6f3a2e243

SHA1
22f6fefb442c01e47a007ae66709551e267bd5bb

SHA256
cba5ecb9246d2a6327bc34d330c560ba48ccc9057b759d6523b3742309828783

SHA512
bc322baf5b39d4f8aaaeb6b581cc35db508a5711c471f40d3a708a10c3ebd1c4fb67886a51c250a189ac4e8d0b5ef93c27fdff47985136818d3e70f24f59b7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77eeb16becca21a27126b590c55ea6b9

SHA1
abc10219bc1249ea25ae2ab9f46ff3852d11ac99

SHA256
0d5b78d961176d44adf6483c287e7ccf075ec9bd6a2d72922b7e020e50cd01a5

SHA512
a2b652b2f31f81b30406dc12e8e7da57e2a3f35839b540d1840542775253f6d271f47a2e2f4373be99856eac797ff4e419d7c31abff6d7e51bc079955c8ef887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab87B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit