Analysis
-
max time kernel
21s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 20:31
Static task
static1
Behavioral task
behavioral1
Sample
canyouseeme.php
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
canyouseeme.php
Resource
win10v2004-20240802-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
canyouseeme.php
-
Size
2B
-
MD5
444bcb3a3fcf8389296c49467f27e1d6
-
SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb
-
SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df
-
SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3043cae54014db01 iexplore.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{234BF551-8034-11EF-B895-D686196AC2C0} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.php\ = "php_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\shell\open\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\shell\open\CommandId = "IE.File" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\.php rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\shell\open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\php_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2700 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2700 iexplore.exe 2700 iexplore.exe 2336 IEXPLORE.EXE 2336 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2320 wrote to memory of 2212 2320 cmd.exe 29 PID 2320 wrote to memory of 2212 2320 cmd.exe 29 PID 2320 wrote to memory of 2212 2320 cmd.exe 29 PID 2212 wrote to memory of 2700 2212 rundll32.exe 30 PID 2212 wrote to memory of 2700 2212 rundll32.exe 30 PID 2212 wrote to memory of 2700 2212 rundll32.exe 30 PID 2700 wrote to memory of 2336 2700 iexplore.exe 31 PID 2700 wrote to memory of 2336 2700 iexplore.exe 31 PID 2700 wrote to memory of 2336 2700 iexplore.exe 31 PID 2700 wrote to memory of 2336 2700 iexplore.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\canyouseeme.php1⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\canyouseeme.php2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\canyouseeme.php3⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2336
-
-
-