5f78db5c24a7102f4a099ea0840311116b430d496df46a65ce6adf296cf04f26

Analysis

max time kernel
129s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

twrpxz3.zip
Size

30.6MB
MD5

772bc5c59deca330ec39108b90fd6217
SHA1

7c83e47d39fe4c61facfbadd038363afe15d0a8f
SHA256

5f78db5c24a7102f4a099ea0840311116b430d496df46a65ce6adf296cf04f26
SHA512

a7fe746c97ba4418de77de0367198cc2cd753eeceaf6feb3e707f9e62d81c5c1cb9d741652d1452fe4351e32d9a8d78b56221ed3cfd87c18be17f1f87864ab51
SSDEEP

786432:4R3ae28lfvOu39XRpKDXwYwqf22Tdl2vHkY4:g3axmt3xRpkAQdc14

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000002400c316d8f10056d71d7df3e33406f22f279aa9d88df5dba35f75375ec466db000000000e8000000002000020000000c295365b71e4c6ad29f21cee4a214eac4b86d075911b1e6730dc39472005365a200000000edc780566d3a8c777a4874073dae364ecdc8bae579b3b48539cf6aac83e672e400000004fab6ba4cc1d5a9a3f223ee8271c4105dffa6e8fe9e46f1797ace5f97c6024ba5b1694e09b43261b87748782d06c319c0f28a8c534620a4dc38d89cf0c56694c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000039f100253067aa06c78170f3fbdb7591f25a00558ca60cc9cb8808741a249ef1000000000e80000000020000200000004c15c6dec5f01367ebd7a0ce5092a08986a372cf911fd9c1d8de42a0d3d0bf88900000001102e26f57e06138f9aed3a6be33452054dff2c724d58430241de41664aba3414680866ed3c161d078b0a373649c41610993bda72828f2e758cfce934aad144fb07a98144d3be3cdfe25f33cfc96139d2596db8b457e4f054535facd1d8ad7a29caa24c3a4d8c8db7f327b0c286b0747c90f660eeb38874464ba58c058375305c0b92265404d019ed74eb62c3acbe03440000000ec6ad60b7d8d3c3b12f8bd7a9add5a3eb07af5556fcb3e760676885be2e22194f93be8577d97a9a27be2560e113ee8787914a16d3a074f94d7cfd1c3bf046d50	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103d215ef317db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{886D35B1-83E6-11EF-8967-F2DF7204BD4F} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2336	EXCEL.EXE
1480	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2980	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2336	EXCEL.EXE
2336	EXCEL.EXE
2336	EXCEL.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2300	2680	iexplore.exe	36
PID 2680 wrote to memory of 2300	2680	iexplore.exe	36
PID 2680 wrote to memory of 2300	2680	iexplore.exe	36
PID 2680 wrote to memory of 2300	2680	iexplore.exe	36
PID 2300 wrote to memory of 2980	2300	IEXPLORE.EXE	37
PID 2300 wrote to memory of 2980	2300	IEXPLORE.EXE	37
PID 2300 wrote to memory of 2980	2300	IEXPLORE.EXE	37
PID 2300 wrote to memory of 2980	2300	IEXPLORE.EXE	37
PID 1480 wrote to memory of 3028	1480	POWERPNT.EXE	40
PID 1480 wrote to memory of 3028	1480	POWERPNT.EXE	40
PID 1480 wrote to memory of 3028	1480	POWERPNT.EXE	40
PID 1480 wrote to memory of 3028	1480	POWERPNT.EXE	40

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\twrpxz3.zip
1⤵
PID:1732

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2924

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2980

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\SendResume.pot"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b0d4e37680d56275029572060d0875c

SHA1
aad2d6de38426c47bface1f2e7e71071bf3885e5

SHA256
152b0c743fb0434eaee5f4ed1f4dc8fc288f767ce5c422515c67f0be4a3cb698

SHA512
ddce72a6a1410878dad1ee07381fbf27d4db0fad4305d3d512a42cd09a700b453846bc606344a518d2ed0ee1ed005dd0ae8b06edad781197332d4e5011a8acc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c302acba66615940f3b5781cc9588fe

SHA1
db8714feb0da33d0a961511c8f0758930d20e713

SHA256
ae96fc115e77988d41c9c04e7331dbc104a33ef09f4b83d2389861c83d5a2d42

SHA512
3617f5d4596bd20042f2525ed368fb0be50c4fbc3dc248653d08153e6f96d62be884670d291c86a2eaa9563fad4bb4dbbe496e5f740293e419f536d9351f4e1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5aeb5409be414ef69096a4c17ccb5af1

SHA1
66e33c2c56311e3470e952e888f30920bc470799

SHA256
54691f05b4176284690e4690647a34f1fbfa26c9ffb6686a2a6dae0acfaac621

SHA512
1cf7d9c4660c8cbda004a882ab81a97aeb59b064b66d3c576a603db262898ae107cebd60ef4928c7b7752802bb14e61b7f6affdcd4c50806d06e05325e5d02e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e1208b2f2056d540a5718cbe3096390

SHA1
5eccde59794b256141764061cc5a1821d2e86bb3

SHA256
ff160c86c29113b6e1fe4a6b6d4bb45cc420a54fcf43f519eb7623142167682a

SHA512
29f85ea58a782cbb0e85501885a829df63a4baeefca5bdbaa9025ea8784ab2a543a6bca7fde8e0aa4727e8a11652a7a61378258a082a6ee010d162ea13222756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
554a006b3cb983afef3231ce4e54c8a4

SHA1
6dce538cd6c3c4e4470b6b1f862af0cc0f3d73e2

SHA256
ad4ffa6e3458f732c849dc4dc43e0ee63da933ee2d7eb544bb536cd4dec4490f

SHA512
46b8bab96ff6d7843bb1409eea646e6b808b4d51a7beacc5ca85122d91fd3d4c828763535e2b83a2b6cf673fd434949bbcaaf7036e77bca862b35ae082661399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3aa51f962f9f396b77477db9a4170f5a

SHA1
b8b88481b9c7025d77566ee19f4237fcdec8f26a

SHA256
fc16a09a784ebc05dd5816247f0c2d635330efa76387b480462cfa439ab0de88

SHA512
6a1e2a9efff9b64d6cd886dcc4a633ea8f38281ce86e49285b545e67c8d1b972902356ba390237bf8512f82a0c3b6c033faf2c5cb497494b1f4357536f83618f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90b56a66e0122e02b89587bc8e03dca0

SHA1
ba5d6516ced9ac3d26f640b63b8b0276da7c7821

SHA256
14c7d6ba33e1151e51cca253ca8618084c2238c5d30544b576540c67a3cf7813

SHA512
f192e4671422d19d2aa9d1a736278000c6f6d5e7a0fb02d4ee9aab9fc3994976444bcdfe18ffee614b349d7a849b0568e897034341bff4bd9aba255a41f4c695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da9e9d1026bbd59a2918321f049202ad

SHA1
8246399fdd42adf441a5ca1500f9b6953a2da96d

SHA256
dbeab4c53f1dbe964a9d4e22eca0468ca52eb4482af8ccdca2fb8788b4db124e

SHA512
788117aaa340427924800fcba0fa7e06fc9fc62bde8aa4f664e42fafa1edc5fff2d5e9845e2aa1ac796bce18f6379336fb0eee2c6bf7ea70f6e92ad7a8a857d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dff75f73c207453f24d670b0b3b63408

SHA1
ac25a0ed2ebd61f4e2f734d27c8de171f8fcd056

SHA256
ee570fff1721535737ec7217202a9f004e5346de35258978254904657a8b02e9

SHA512
9e76f4d716b7ff4d1a72c234ecc12994684af3919621c9e3547a76004fba26080eef8dbfc2a5843e5b751009ac725bcf2b2298dcdb60991bf79f066500e9213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA25A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA2EA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1480-21-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2336-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2336-14-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

Filesize
44KB

Download
memory/2336-13-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2336-1-0x0000000072A9D000-0x0000000072AA8000-memory.dmp

Filesize
44KB

Download