1174d2d36ab86bd52650fc086af7c2f226a55db34bd3d0fd966c0b6c070a4342

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FireFox/content/html/popup.html
Size

734B
MD5

c929c4ef17977667affa3fbf2308d429
SHA1

8981c4dedbb7446e817e20f206b5c9e174cc0074
SHA256

4599c1cb8c97f841d48a003f47e6ab8b7b8f720448129183c4499812468377eb
SHA512

1831fb44ec6c9ff32fe21386023d4f0229d85844b09ed28975b65e5aba6eb81c6a0f783a7e023f966cc90082191ea4d5df5c3f803f2764181461433ce38935ad

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433116935"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000b3e4b8ff07ae364c9f995628abb550ae28074c84baabd9fc0cb5b1210cbb4992000000000e800000000200002000000067cadbd94c2215d2d0f1edeab7e84c1868137335cf6c5931a2cbdf5409c2c55a20000000c5b14cf070aebfcb46056d451d787fb3bab1b88a3473619369cd56e8abebeb8e4000000028d85f48aa6f045d066c455f6e9eeabb1349f5a88e58418e61d2ba81fb20884b5de68f70bea7017106b6ebc4cf76266778c45a9cc1df7e4baaf45055ea1ea182	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ACD86671-7862-11EF-8252-C28ADB222BBA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90874a816f0cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000f61fba03d6be37c3565e3360069a882e6f90f87a6b82d522eae814db49d7983c000000000e8000000002000020000000915f4693fe94a3118eaddd24c7d8984b19ff20e32e4983c2bd37b94397f1486e9000000014a51f1df1674ea2b5e3a85ba68f1be19e38373a026ad063d7cfaa2f3c9391b9cc46ac9be73670723ab91a8563d6eb44656baa9846337cc5ed17ebf3b7b433e36be7b1880ab8b821bcc52072163292b1489ace62bbd24f3256618b1bce27453b033ce88be627dbf06e99f0b8bd4e9f3371986e226ff1687ab3702458bc808d2093f148222620dba7ac4a804c4436bfd440000000027c62bc4f8ae683a7285af868bce5c2fd4f2833286a017707683c6aba81895b71b66ab15301ea07ab05bad8ae4044be36a7508bb48ece285a62dc181530757b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2452	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2452	iexplore.exe
2452	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2712	2452	iexplore.exe	30
PID 2452 wrote to memory of 2712	2452	iexplore.exe	30
PID 2452 wrote to memory of 2712	2452	iexplore.exe	30
PID 2452 wrote to memory of 2712	2452	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\FireFox\content\html\popup.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9f24d4b45a84089247aff3df296fcbe

SHA1
a203c26a09400363dd72453a1a6b5bbbf7bc33f4

SHA256
1307f6739388332c9eabe024f05bb300bfa6db0ace5008633450149e36108ae2

SHA512
cc1e9ff33d511d83ff217ba7711d27d83cc02d3ec21694dcd762f648318e831d6ca674b9145e604f2b4e435b4e646c8cc16b6148fd93b11394445a77ca13fd58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb07bbd7374f4108c6a180bafb52a35

SHA1
7c264b154a2fd99948d47b7fde262231a082964c

SHA256
fba8a71532bf7c82219eee170478e563c8c061dd8f337f3b02e93641220d117b

SHA512
7167d6e72aa40cd79d8838c024a847712cf9fe109a4db21b8e5bf46638556af88c22789da9bf7e32062c84d65ce7bfe9fc4a8724def72e58417a7de855407211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13fa1cc371393c08256eb75cc517d978

SHA1
136c0a7ab5fe972c3b2ea6729513af4c58a42e7e

SHA256
9b6191bb9e01f474e5d002c00397eab6c3cd47b0dcba76ac7655088b3ce89ee3

SHA512
a57138788920eb6dcfaedce586bb55d8163e8352f6c4f572aaa48897907cb1029a1305749529698ce6adac5d11321a969b4e0dfcd2884ada54bab39bd04cbbcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39db0f7ac9b7c4379b7c033efd68567a

SHA1
4e994b33876bd257cd991bbcadb51cb2560badb6

SHA256
429b870d3a50b938f637603aec6596081086450fcd5621f7795148b934550cc3

SHA512
0efc4849ceff22ac55493c19d7c3b173c6a5920ac1d7d81bbc3c5b43a9440eea215838d3b6de47776bae64118a468ba78d0946331adbb9093a1bc72a87f078e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
732554b74d08d1abcffbbd411b117fa5

SHA1
90a18dfbe3061a63cf596dd782e03f9e9b3bf08c

SHA256
810563de70a2290fdfc0a16dbe0beffc12178760b9fb9848beabb20bb929dd85

SHA512
670f1b60cd48327504458d3dac68c7fe48ac5e4bc9ba721af3ab5e40baa5e4e41326f140bac822c4b2209eddc5cac39da69279acf880e7f8a212aace145f0d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8a5f5fb0750de66f26177ede4831903

SHA1
0afd8262b0fc8873b684b7ed565811de41624923

SHA256
3e54971a1ab243236a45691a0fa7e0e8a1671361c95d2aeafcf5e5e59ae1e251

SHA512
e6e7076b166cf7b912e693c78459e8579212e6dc6393fc070f2a6b4c4db6b5147942ea746bad3213e52698f52dc6523df97b7f40619b6b2b1dc5d7b9fd6c7b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13c44329a55a227698e223d87f048768

SHA1
40c4980f1d90a49007925a05f79cdb4c970e9915

SHA256
615bf6406f5cc9842379fd1e5e7f92d2840328180040b41011352071d4739f62

SHA512
c444527a7e8f1cb4b7d7a8e4d23bcf67a4d35264584a9cdae6bf9425f5cddf6dc2a8f9378132e081d3891813f57fea4a01e009993e47134ffb50f29abc64c58a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b146c7142b9473c720983ffb082e4c8c

SHA1
3e1ce49cc208e36193a1933b4d9bc6a7906a21db

SHA256
15bd886466a3891cf85d2495ad55b27dfb75317d4cbf4f44351cfdf8cef101bc

SHA512
650d5fc691e9eb865efa0d36ea303e55fb779eee1fd4f357ab96892ede21ab43e7d8f07b9e84a88fe302bbabe55d7bc2fe7968b4e012bc604a0d4b473f22555a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a281f7d80ce90d6580d4b7775a125c84

SHA1
948e4998be748ec247afc5027722f5d3d33301bf

SHA256
ba318a55b0e4fc3b2743f955594ce0b8e95d67769e030fc02c916d4669212574

SHA512
0a43f188d4f0831fe84320b57b1604c792e6424e2fac0dc596c53b8b6871c58f5f8defffd15b78d59091e98af89da1144b1ff82e0d44fcc2665d081ec1397e27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c2ece0b64ea7ba4448b524eb748c7e4

SHA1
9f01292c2f09f353a10b2c9d466e95280015afc4

SHA256
dcd185c7ffa88214b5af0206ffb206f5dfee2f07aeb66478168aed83ec48fdbc

SHA512
88f1a3b8a91d52629711c525223a696d69cc5d64337c55c9b217755048bce7558dedbd0d3c1bae0a246ee84938f3d6d6b48327ecc7f5f76573f2124455e424a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bbe866e9dd592ee3d07b0b334a10d21

SHA1
4d64b2a28bae79c9e18eec0eeaaade9faad20d78

SHA256
64327bb11c3507507bb44efd9ada774e70a1d7446dc4885f0d3a4910ee74d113

SHA512
699a350b4b5dcf558b6a03fc49fa8acafb332aeed96448a74ff5a684b682c8f8bea4cbd3a67257b1dbf1aaaa4abe20ca625c6dff0fe27a328943a8d958f2275a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9171c7d79703b13ff276eb3cf85019d6

SHA1
c79d0fc2a4e7e434336ee8ec54e3fc6a2dcc6d71

SHA256
8c0860c9fa2159f644760190e8d872ee8a7512ef78a5cf14974cf2bdff6a3dce

SHA512
169c85a641232f78c774a1d4c435d0d326e57b0108fe2455d42fc21fce6ee4e5bb938b557d676f11a0e2a71a564c20c4c380d542a46e39d04736aae83d2ca943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab9dd367bd54cd5cc5330a1398a0931b

SHA1
197b7b80254f884d9356af499038e07fd36ca606

SHA256
28d65d0ef9748c8424029a85f6afab6fdc6186ac5abf0c8f7e642e1ee489c4ea

SHA512
a0766b2db70353941f8568490892dc1cb6a6245a0129e65b0012851fb43682a75439c0af53465ffbc43b993cc471905ff15e8b9b41401fcf1f125e2c70167abe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bd444365a89407a438ab69e1f96b98b

SHA1
b4d51f16f9f6a33aaff80132c4021d1ba32a0b8c

SHA256
d3b708f9f324abf1f5a36f645dd726051fd9bba674f7b4d7ae9b60515eddfebe

SHA512
043913e9d5c5f7c7998a32ed87d78ecee80017348cf2c547ce91330c84753cfa17335d1a38b092c5c0a44b25db93d44a612d4afec485928fc2a1d70dd5d770a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de4ae9492430b72c19bbf57dcfd058e4

SHA1
cd340a908ad911f7f257d7ae9e2a0f4d378e44e9

SHA256
afef4172bfd67b4ce514684b4456f6a7a2686f4fb7312768849e4ab985d80eaf

SHA512
2b6647e969a33a4b4fa4967066dde624839d5b1e08ffa3853d9f8dc445477abd4bff486df16258035a25bc5adb0f45899f6b7c4944b0bde32a51942305a818d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fabb3a76fee93005373e2b7164ae358

SHA1
79a3e971cf58f895175d82cf67105877daef6105

SHA256
4e8803fbbfb6beea5c2ed1a37759bf2e6081858b7fe3179162861850bdd1a1c0

SHA512
983ed94c4a28954a0817169da7266529d4285f767d2c33945692fb12e0fcc028b3330d1db3ebbc564de55c62c2ce17fdb0037b32d3d6623c0104f52bc001a719

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
760a673862a3911c6369f93f7a3337f0

SHA1
e911ee120ecddd501bd6f83a6989e63ce0eb5e01

SHA256
8e51ce9c5b68fce7ca5aafe37afe4839f3d428c24af61d52e2c1ae4c3f76dc12

SHA512
d22266684d8e063379d3a2ebbcbeba536647f38d0ec2776c6c31b055280af866e9336cafe8005cfa88bdbaee947e52d11d932ab347caa3e049ec9493929662a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD96.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE44.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit