2e70ae7d9731f2e9f3c639609206d8883c8621efc7dea3a4c256875efe31642a

Resubmissions

29/09/2024, 09:48

240929-lsz47ssalf 3

29/09/2024, 09:44

240929-lqx7ts1hla 3

Analysis

max time kernel
147s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lool.exe
Size

27KB
MD5

60fb232d4620da65952911bee279a253
SHA1

a97ea8eb050359580ce2e468ec4f35b4dc4cf938
SHA256

2e70ae7d9731f2e9f3c639609206d8883c8621efc7dea3a4c256875efe31642a
SHA512

65d0c9a56f85a9488add41df3a2b86501c24cd2a1a726ee50a1c817f026719066ebf1747b44a222a1deaac025c1498aa8281ef218193f8e9e29d0a4c13bde9ce
SSDEEP

384:oy/AwToHDe7NsYRQGgoAqBrkxhCv9Xy/5RMyRwMqEiSvfnosqj3rX4Z:sxHDDYiGgOChCFXc5RtYHuoso3rI

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3432	PING.EXE
2072	cmd.exe
1692	cmd.exe
8	PING.EXE
4604	cmd.exe
2580	PING.EXE
4360	cmd.exe
4372	PING.EXE
4744	cmd.exe
876	PING.EXE

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "163916485"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\News Feed First Run Experience = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "163916485"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134293"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3524E2D7-7E48-11EF-818E-D2EB330F3545} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009bd7b3d01c72643a6b4d24d0b70957000000000020000000000106600000001000020000000a257194dffe1ab7eb48f17af9a009f87392d87bc8c41f776e1e2010a0a3fb5ee000000000e80000000020000200000004b10914e215b99d7c49b00b7f9b5ef6a3e84d17f5cdf1e14e133806f99a699d020000000ab201b443632069c90411e000080f7aed87e45a7f1de37c17a1f6bb3b2fee21840000000d1333b4dd3e3c0a115a1a51403ec63d4ec6cd81061b103b992038fca51e37ee5487a41d165acba2fbe8387f7cd8ff57d6392ebaa43f00c29a921215fb4734dda	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00264fb5412db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134293"	iexplore.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
8	PING.EXE
2580	PING.EXE
4372	PING.EXE
3432	PING.EXE
876	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2536	iexplore.exe
2536	iexplore.exe
628	IEXPLORE.EXE
628	IEXPLORE.EXE
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 4744	3772	lool.exe	83
PID 3772 wrote to memory of 4744	3772	lool.exe	83
PID 4744 wrote to memory of 3432	4744	cmd.exe	84
PID 4744 wrote to memory of 3432	4744	cmd.exe	84
PID 3772 wrote to memory of 2072	3772	lool.exe	94
PID 3772 wrote to memory of 2072	3772	lool.exe	94
PID 2072 wrote to memory of 876	2072	cmd.exe	95
PID 2072 wrote to memory of 876	2072	cmd.exe	95
PID 3772 wrote to memory of 1692	3772	lool.exe	96
PID 3772 wrote to memory of 1692	3772	lool.exe	96
PID 1692 wrote to memory of 8	1692	cmd.exe	97
PID 1692 wrote to memory of 8	1692	cmd.exe	97
PID 2536 wrote to memory of 628	2536	iexplore.exe	100
PID 2536 wrote to memory of 628	2536	iexplore.exe	100
PID 2536 wrote to memory of 628	2536	iexplore.exe	100
PID 2536 wrote to memory of 1156	2536	iexplore.exe	101
PID 2536 wrote to memory of 1156	2536	iexplore.exe	101
PID 2536 wrote to memory of 1156	2536	iexplore.exe	101
PID 3772 wrote to memory of 4604	3772	lool.exe	103
PID 3772 wrote to memory of 4604	3772	lool.exe	103
PID 4604 wrote to memory of 2580	4604	cmd.exe	104
PID 4604 wrote to memory of 2580	4604	cmd.exe	104
PID 3772 wrote to memory of 4360	3772	lool.exe	105
PID 3772 wrote to memory of 4360	3772	lool.exe	105
PID 4360 wrote to memory of 4372	4360	cmd.exe	106
PID 4360 wrote to memory of 4372	4360	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\lool.exe
"C:\Users\Admin\AppData\Local\Temp\lool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping api.synapsez.net > status.tmp
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\PING.EXE
    ping api.synapsez.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping api.synapsez.net > status.tmp
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\PING.EXE
    ping api.synapsez.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping api.synapsez.net > status.tmp
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\PING.EXE
    ping api.synapsez.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping api.synapsez.net > status.tmp
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\system32\PING.EXE
    ping api.synapsez.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ping api.synapsez.net > status.tmp
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\PING.EXE
    ping api.synapsez.net
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ShowUpdate.xht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:17412 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\status.tmp

Filesize
469B

MD5
f764f2536b37bda368c0740bc9fd3ce0

SHA1
d393892dcca67b54e654e42ace7725023dca06ae

SHA256
ef95221baa7f75c4af7620443d81fd6c20a922ff207db6a498769cf7a6ddbc00

SHA512
278333a8c5fa11ceda45bde9348674a2f8d83c7c3f88e458b58a6657b6b84ffac6de403460d4cc52f40067915dda27e1f014fd5aa8a656dcaec5fb19ef3df59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\status.tmp

Filesize
469B

MD5
193e56be38dfc678d357565df2b88b5c

SHA1
6c9815c01a6d3f26ecf81f05747c4671f5f45a1e

SHA256
7c12fea401a4f16b5e7389c0a3900b80db33ac09c0680b6189c66f1d0dea3577

SHA512
64eb062a0f595b6f38c2481a443fa118c37c9b1ef1f29561faa27100d3d3d26e3186828f854abdb989e828bbea6acd7f196f9fce9500fa2dcf856d4d3efb2c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\status.tmp

Filesize
469B

MD5
1c0c07560fb3f2fe0743c6d135afd63e

SHA1
2c9f484f88dd4f663c4feb121337366bcada8cf0

SHA256
40fb18d2c26ab0c3db56a4cd82b3a5fe175b95a05d74a32acbf94c34bbcc1f22

SHA512
d63c90b4d6a954f791604254802207c562a7c778bfad61d8304374f0e81586c30d3249a58827c3c8b098e4e9bfd509b6de0087fae684278fbce0c7c266227d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\status.tmp

Filesize
469B

MD5
09748a25755d54f56ad5c8231f78cc47

SHA1
8c967cbb1371ca7c9c32aeae48bc4bbb2b81e607

SHA256
f7d5dcf7d847ddf5d232f513944e27e422756e92970dba2f9220de4c25def144

SHA512
181bf0b811443d4cc46cbcc8ea56ef0b193b0e9ef7f4dd20ce0364c33dadc2c42cefcc992a4362ad479d64476bf5768ca29351bc574e59e599e7cfd58e6279f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\status.tmp

Filesize
469B

MD5
9f2e66fdb633a7b2c457991f981ca177

SHA1
ae06358cf99151077d8db8f2220c82c993c17ed0

SHA256
3cf72cfc927f5032ca13aaf9889f0e338e446837fcfb8e6b4993a5612942e280

SHA512
583b4cca97f7a69479f96133a64984f83796175d5725da4a731dd25b9ffeb08ca1230e02be238d2e2e58b1c91493bee428b3e07dfac488d3f8b8d781547c2ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF18DFF014999B42A.TMP

Filesize
16KB

MD5
9aab25cb673e17f4992df6c6cc98594a

SHA1
59b76e3915fc77bf39d9f4c3b1587e90d8d37aed

SHA256
b8e2b2cac8061a11f099a4c8f6f417e1a3d762ee7e6dbe70965f2a81fa2f858c

SHA512
41b60bef7f1b9afebd1cd2629183a4dd60c9e55890bda021eb319c9eeffbd5d956a9f68073c039d9e63fe873771655020de5cbe56d4fbba935404e1c271c932c

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads