43ee56d9325525f211d0b7176e842d8feec0b6a64a7c0ac1bcbc5ed246f53251

Resubmissions

21/09/2024, 14:38 UTC

240921-rzwcgsxcke 10

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 14:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberV12-main/BlitzedGrabberV12.exe.xml
Size

319B
MD5

a92db228102d690d07828f71a4171b70
SHA1

e7ff5e84a7932456df217e4775ad2c4b54f95521
SHA256

d4ff8811d9ca86df9fdc62cc0d5395947683456997a0599dedd3606f9eda3d44
SHA512

0018e4c3d88a74a35682a5c46bff4bd8887d717fad464adfc31eaf8e69859b4406b1488e2e483b41c72195b00580e9b0b6b1eb3495004542ff728b54a64e7472

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000323aae02f667e1764a674fe3ee17a79588214faf3297b31adfbc455ad9a11078000000000e80000000020000200000001c8ebcce7dad974adbe36f096808c7efa3ea335bb98c58ed3e95d910ef6cf4ca900000007686bb35b19605170503e18fc64abb69cca2a970eca7c3a44e491c12144e89b51de613adf9899c1dcb6f1bac76ac15240fc27ca5169ce8cbc27753ff38e6368f8a03cdbbaa654a11031887ca0223ca8fe01cd361f93df1a0325d9fe3ae8bcfe5c997457d4e4343e51d46d8a4080919cba0c937e4131008f184d47a7261e1c13fb4afa633e84bd4cb4a2fccbeae508a8f40000000a2a5310cd2007f28a60cd71da29326e081503129712ee58967faac3f20cce288e71d2ae6a5d9c09c5ad791f431b11c3c7ff09283981b36d85db08bd4255ac56b	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433091390"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703a2e05340cdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000054282d1fc4483bd8cb8a4a06d7ca5f287a36da9deeb62e0256f87d3053c3a616000000000e8000000002000020000000c9f993d06d08b431ec8b73220e5ff20c7250ad24f810f94c1913f366997985e320000000b70588d23e8722149f56bd7825423f186d8e3ef77eeaba8c8fbf61201c0852fa40000000809fc5763a6920e91ae3216e8d5f2c8e04e122edc5b13a5405dcfa40eca2ef5a2c52b47355435d13fb1caa21b98b63537a2a342843420934a91d37e14e7c7105	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30A610B1-7827-11EF-BBB7-C6DA928D33CD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE
972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2132	792	MSOXMLED.EXE	31
PID 792 wrote to memory of 2132	792	MSOXMLED.EXE	31
PID 792 wrote to memory of 2132	792	MSOXMLED.EXE	31
PID 792 wrote to memory of 2132	792	MSOXMLED.EXE	31
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2132 wrote to memory of 2052	2132	iexplore.exe	32
PID 2052 wrote to memory of 972	2052	IEXPLORE.EXE	33
PID 2052 wrote to memory of 972	2052	IEXPLORE.EXE	33
PID 2052 wrote to memory of 972	2052	IEXPLORE.EXE	33
PID 2052 wrote to memory of 972	2052	IEXPLORE.EXE	33

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12.exe.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:792
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:972

Network

No results found

204.79.197.200:443

ieonline.microsoft.com

tls

IEXPLORE.EXE

799 B
7.8kB
10
12
204.79.197.200:443

ieonline.microsoft.com

tls

IEXPLORE.EXE

883 B
7.8kB
11
12
204.79.197.200:443

ieonline.microsoft.com

tls

IEXPLORE.EXE

827 B
7.8kB
10
12

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbbc8f76eb4cb1498975101c6ec0933d

SHA1
9f8f9adc27bb4fd89615159baf67216426395628

SHA256
e115555c4fafebdad2450066449d6b423138c6f76d5b3cbac5ef6555da5b4d72

SHA512
086229d37b8afb5c685fcb6890c3fedbedd6a69781da10f90f7e49c2fbedf11fbc726823b4e43d30a363e6f2d1ecfeda718789ee4109f70869aa352ed0327457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
592a577474c7349df4ae73f2441194d7

SHA1
cd9bf3cb8ba3d4b2894d06550b3658ab4078f587

SHA256
ae947695ac40c55211e618f700e9f8e06609e86733e41cd8a700fbaeb476199a

SHA512
29e2c110a4fad2773bb539b493a49417e180a98ac5551f46baab312a3ce3c1f49004dde4341fd2daa223e2f713c56217023e10cd6402efdad79f86b7c584154c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d1c330c290e4b8b40a87732d36e1e8f

SHA1
5866c14bce069fe818f7bc07ec33f60f58aa3f6b

SHA256
03a852ed63f6eea139636184b6d712b09a1dc0ecef77102e011688536ad17c7c

SHA512
ad73c1a581858b3bc146644a8493b6063adb5b65681948a8670d3475fc13abc2e3f182f29075ef0786f9285194805f2c85c4d9a97f7476b7d4a9ed26fa8c1045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6fdbcea59cbd084c9ef28da5dce26df

SHA1
1882f4ad0902f1c181488294b3b65c847d0c0908

SHA256
22d0b2d05f18dba4ce0313857c61af1b167aa484a419d6b1881faf0dadfa8de2

SHA512
82ffaad74bd96ef4f92d6875081ef5864f027c0c762e4e41fbd27559a89b81ffd26865fd880f94d8a398bb89e4900e2f4c9790e134c904639d59ab51738aa392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit