1f86cc19d790eb25789bb0a85cce0a248b1e09e925fabae7b9e3ea849566a71f

Analysis

max time kernel
99s
max time network
109s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

captured.html
Size

1KB
MD5

5062f9d1df3d8e0f7ab6aa60b9ed8559
SHA1

5a3f784811f44fc6c90f05c65f2293e2bb92bcdc
SHA256

2e085475431e6f7e08159fb76f80b37ec1c73c708fb26a60acb581b491cba5c3
SHA512

9b284a33645a8989403bd3676746413be76e0fe2acd84c28acc61beb5b058dc9f70c6bf6929a90281f876caf850032da2ca1b17fe4596c2506cfb0a667d47536

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000dff42722954f6a6ea45df338c32fe237a48231d78568aea9f0c5c3a718789a3b000000000e8000000002000020000000a90b34db530d35605772f5521e311b5a43ecbe4abf7508b8bd508dfa5d8e2da22000000085bad45ab42462e508133c40167f03d3a6b36eb678deb5359e2c630f07952c5d40000000d6b57e30a4323362e49c63e6a20e85b9ee4d3fae03d7eb64c9ec1d349505631062d281182aeda48065b640f952e23b9c7d48b4298ff7db4ddeac8b22036959df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E9DCD0C1-7FF0-11EF-A5E9-FE7389BE724D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb9000000000200000000001066000000010000200000001b150796e670efed4d34902a500acf66c73ddc9d79e305e5f0845b0bd929c8dc000000000e8000000002000020000000e371da973a3dbea25a6f2da960383553b41fe0cd1c1aba0422632f99e8ef29869000000046fe139e40e9f91518f86320bb8df97a2257ce42f4cc4c8ee11ed70593685984c87a5e1641bae69fc9073a8a019d41e1e74d20dd11c6c32330b526d8f9d8b1e0cf7713ec9713fb9a481d49b3f6ceafcc5cf92fcd70fea410973fef2e0a74d49d09e1e6a04012d627326b1d6f21d63cfe6507359260ddd42ce09facb4047b62a2f6ca55986b3b3d5846571c3eb054afc7400000000320fc7b7cc38e3e843dea8826e39f72931f8bd62f5198c5656b8209c6f42856e1363f269417a121021738d301b29301ddb069462cb1fdc35e9afc8214df0462	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30c576befd13db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433947712"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2652	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2652	iexplore.exe
2652	iexplore.exe
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2800	2652	iexplore.exe	30
PID 2652 wrote to memory of 2800	2652	iexplore.exe	30
PID 2652 wrote to memory of 2800	2652	iexplore.exe	30
PID 2652 wrote to memory of 2800	2652	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\captured.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33ef44f637767cc5c7ea9ddaf3434ce0

SHA1
5059cc3a372db91c7aad8f7be8b385dcc930a508

SHA256
c1c549b706d1446e55a8f294150df9de064ba2550fc4f3267e8cfd9f644bb9c6

SHA512
01f111facba2a5c8853e28d14be64c34a60c986af3573841641be651213b5533d99969d36d063887fed7e90c3b39815f29ec668222bf01d45c6c2aa3874e2a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52e4adb9d90165f27a3344f3ae74d2ee

SHA1
4b82098ac9b58e33818b3f7bae27f5458d4ba34f

SHA256
a5fb1e5e738d447465cd82b754a3bd335cab5237206f879b87a2379156d4cb95

SHA512
0c08fce05739102bdb3cae2938a3275797219dd15ec9213017cffcd111a250918eef643e2adfcefabe330173e22e6321f9b826be43e78ae3de839e2d70b9e523

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2108d2e6b18886af31087c77a25cbb5c

SHA1
3af621c183e54d3cf05b186145c3f5cf442dcabf

SHA256
900e76410caa2b03851b35a7d8d867adca80216ae784a35b29ef2027a16ed940

SHA512
e448a32fac8132213654c28e357841bccf81ad10ec1a5a047b083fc4505dec6ca665f7f84fe0efda4a2a9997f4b59f1e8ccb30a30975019c56d8b08e67fe9e72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56a6bc010f965967b18163ea1f2475c2

SHA1
ab130d6062613c6835476deb5856d612ec5913a9

SHA256
6897c3b790f7914449dbe26488c5ee11d0bc745f02e2aa1d2044556beb5384ba

SHA512
e4c3af685064968013b2788ca48ca3b44c7495a6baba231ec1a989c6fac6be6e63bf567f6e3566c42574a2e4a8e1e6dd024de27179d553b5362bb54f0a77a3cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
260188f2b701c1f2494c2992778c007e

SHA1
91bdf3ac8468d13342c6fe7a3a52fc094cf66eca

SHA256
5770edb2e7017578294a57f34c83d8e349b82c8ab4243043f9ee7f4719299bf2

SHA512
a5eab927fcd2f10d73c21d3cec51c7343d5b995a5d22ef6bf5f56fab2f5e63934eb1c28af42680162e3bbe423ba390ad591901c5522836dbe837a75324bdfb6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fae60aa85188941414b1b18ee805606

SHA1
5fa1bc191535d7a70035216e8eebdf2a57be0f38

SHA256
17400946a392ec483a61de7571da469c191e50a002904d26224f70bbe5bb0074

SHA512
e43f2800c86e2063cedc74cf5ae7e3f12351a3bdf8bd84559432886ec217e55b8edd00352c9d9c0466fafef47d1d3537d88296ff2ea47145756361565941d426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6859379fd8055866a5879ad8f3caf9ea

SHA1
3db9154f7194e50e49eaab214448a60b07c36d90

SHA256
08e201ca2f4abd4fd6417515a31d177ba52a97d6e84a9a339d5d68c4673c263c

SHA512
88d7abaf9ed2abe9a05483be7d38dede50eb616219f718b98360ea985501325b43d58bd9d94ba9ccd18747fec714813172437d578a1db98cd437c55a9a51471d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b294e2fe3080428ea2eafb6743bf8111

SHA1
15879e1fdb7844dd4ee826ca9bc1765d01cb6610

SHA256
ebfd4d3e7ec22706d183f6cdc9152b95357ef0dec8985ccc24c9fa807d6ac5ab

SHA512
e3338e022a84749563389830b4bd75cc96ec44e2fb55b5a0a356e51c4ae7cb7e128e2b6fcec766c091f0cf6f722ec334ece7d7408eff039f520c0eca7fcf3fdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cc4bf725a4be025648c1593abaf9a57

SHA1
087df4807dfd403bc89dbaf06d978590aba556f0

SHA256
256fe92342b0bdee42213701688ee0ae9d5761ac3288d14ed45f46a5b0414298

SHA512
ff391285dfdc81689dd43beeff1eb83de6c5bf4a0f908a0355e4d88322461744cbf45177b2b36989e81709cacfbfca51b4d6225a472e420be796fb8883cd8710

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a21339ece56d088041c63f322df6e437

SHA1
873e8f8eb4fdb432c3bd29ff4e064b4a032a322f

SHA256
67563b7ad50486e94e4201d2d5420b56802d45c1093b0e884e4d14daca89c622

SHA512
7e5ac853b3734c57be5fb1714d45e34b7b6f106ef64ee6b1d60dfab67e2fec94aabb0d573a5a84935e11e1ea452715add207bfd537d03b202eb28c7f093b3f30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e5996cfcf9be9b3749e67b246bc44a5

SHA1
df9b1567f3dc00ed1c0d155dbef760c18ec55719

SHA256
6e2fe1f75340bcb3761d58acd7653c4af65b18f6ecddf88442daf07633a03cff

SHA512
ce8d29085e8511234ef4bea564c936091ef4668b393521dc74dd2d9a4e6797c441abde2fbd1b578550eab5cdffbc32a6a991adfe26a964829c4ba10f19f1c734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af4648ac1e09538308bc8b37859f92c5

SHA1
dd019e8823c49a6db8c92ee2a7eba99b2ccf0b6a

SHA256
17fd10db2e448150da4428e37b712ceebf01cbe59552aff629cb0173f4e30b6e

SHA512
bf245035d520ee423be07719dd62e8299d7657b00118384038ad244170550d01a769018f7c7c2fee593e552e31e9876239f9101e3a51793ee62fd2ef1dbc7086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2839a8c0e3f9a89f8bf8d81251cbe67c

SHA1
ac56d4f4d56a90223a432381784be0ea9fa80839

SHA256
94a2fe72c38ac74f9d4e0003b1a3cafb02eb50bd197ef6179deca60979850717

SHA512
97940c55bb9a607993fc05dcfb8b22a63ed2e52feb09b08e154a5a8083d9dc722022f29494d4c3be35bb145e0a6a8cef4305caa05275e8eeb88496cd0f1e3157

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFBE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD033.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit