29fd01bde813c1b971846a9c8ef0244709c02b67d8e9e6e3b6da0aaded49fac8

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 10:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/Failed.htm
Size

6KB
MD5

4bca38bc78f5e8283655b1dda3d81b2c
SHA1

b1e61db910ebc37bcbf4650d773d727b15fc8554
SHA256

16b03f64adc522298a636a117869d821379e341314704a4eb7e2263689e76d91
SHA512

6b4559f2f658835ca3a5a8772f424415838990fd7b22ce9452577c6f1e92c8776fe8f25e2747e91dcf59b390084d82bc48f3bfaafb242c3374b0e98e81db3509
SSDEEP

192:0BA1WBLKOIIMwFTsVEuuzXLtnMB7QfOLCqaNhp:0yW9KOpsVEuuzXLtnMB7QfyDad

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000055309ffc80f94747836a39e0d5feaf6c0000000002000000000010660000000100002000000087e56215af24c4c745377fbeb5aa5237748f240aa32fd4752e811ed59eaa13e6000000000e80000000020000200000007f98e4773e1b2cb22da696256225765cc1bcd34bb63075534225f34bb5d8537820000000a9fdb9b126e38bc309a2b796905e97676ab7e7a9c6b30f3ba4ca3b4dd9a0b7724000000051d013ef47027eaa248a0ec53edd6c59160b94010ca6cdad3ae0b71a31440d45bc5420d825b2fa9359e8162c88b683c68d9020e2001459aafcae6ce37c2de6b7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00d039de9d1adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434676164"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000055309ffc80f94747836a39e0d5feaf6c00000000020000000000106600000001000020000000b60ff3b75038ecf31acc28f88673f48c1ff8186d88fb05ff6e449693ba81b1d6000000000e80000000020000200000009af11c47a9c4c6fe5de5fa451c179ed19124017c24ee023bb7138487040ee3fd900000003d90152f4b6bc6d4e507d65196563a33d672fcf8fe6b113d77f6761bf38a2bd9fb1182f62e4c363d2a5c1c84bf118d97fc95cbb8fd2ad33b769bbd9aa229bbb73122730cc83c6924cd4b876c02c11caf838567fca3b81fac32773736a97fee3bec39a7d639fcbb4d289af82265f0d3add3fd1d76ca765fe8818b3872d1141a2edd5fc62db37d83d6b9b0ef07fe48c4d340000000e4f13c14cae6f654b72de7ab70d650ed5347b031a2ee5a483db316f68dee2a6297ffd48f2cfc80200b5e8606174d249b5020605dc1018b441c7bd10a2d9e189e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09B92FF1-8691-11EF-9D58-7EBFE1D0DDB4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1244	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1244	iexplore.exe
1244	iexplore.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2540	1244	iexplore.exe	30
PID 1244 wrote to memory of 2540	1244	iexplore.exe	30
PID 1244 wrote to memory of 2540	1244	iexplore.exe	30
PID 1244 wrote to memory of 2540	1244	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Failed.htm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdd2b9ecd802bd963d006fb965afca52

SHA1
6847fc83188d2ac3d14fa9667e2ae37c05c8457f

SHA256
de46ecb3af7b74c5b5b6eae018f25a00fb2e61b9eba72f1fbced12fe9106f13e

SHA512
42ebbd717b936ff055bb35fb8af5c046eb43e0a7bcecb7b2131eb0a72780af0072b391ad60aa48547f4f5bdceba8b1eb455accff6fe9b8467f2a5372c629a526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fda67bab562a8b299fb8707f863598b6

SHA1
b13817e46488eb955b6ea31fd35c8e34e4728b87

SHA256
8fa2a3b4ac244896ae0626e7104ae417989b384c3cfad0a31bb67ce00cb9fbc4

SHA512
0f79861d21cd0775c677b1a4082901c9c7e29c81afddf974d5f3932ce834b2c859a4fa8f4f2682419f477ea0474a540e7562749e7439d413a91d23f90f272290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61d5b134ff26f8c5844a70604e224cf5

SHA1
52f4fa533ec2681b735439451a4d1081fe8a58da

SHA256
e5d5ab63304e07ae8031824bde39cad2e31e8486cdeb47a19a226267d14f2363

SHA512
c08d97a9213a6f3432e552f46b9588f729237c4b4fff05f3df17e15ed207f9e83955de2fa7669a016bea6df58d4b0f551429dd90f8c18d9d7babcc99eef20f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a59e98c191852cffd36a2761bbca8b5a

SHA1
04a40d2af997f01c0b706859e8f763599b8d8f91

SHA256
3a471c34627447378f6d7576cde224ebc186ce145137d3ff056815282e98ce1f

SHA512
4839c3a620a0ce7a674d3c37ee94eab52cde9292257cbe8bdf4700dbfa031d3d5958dd04c580e58094537e0bf7b26a3c4e73c21983a6648dc7a00eb88e758c31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dfc64fdd6eb426e94079d45b4f3b1e5

SHA1
07c43cc33d32dee78761c6a83aec8e46a47d6a8d

SHA256
ffa3dd9c354c36d1aec24d9dacf74af5606f0060bfe600cb4df292a2b59048b2

SHA512
087992a7d21548b3e1c0ba2ab5ba41f4ea8b7e04b5b0b55ea44c1412367e7fb6febcf801455f8c706892d01e83746ae448fce602c820266b8b99868fc68f8d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecd3b7be133bb42bd61752eaba8a5dc5

SHA1
87309c4989c7cec79fc40a5c5188624caaef4a81

SHA256
a80bb4a0909b1bde6652437b46779c0d896d52d244b46e154fa72991cc848295

SHA512
7d90ba0f3a447ffebfaa1dfd04baed501190cb90dc78aae8f846635a96bf57d146a078b4fe3c27707db1eaf99b42940426c093421dc11bd6fff8b603bc0bb44b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46339efd444657c12c04356180102f99

SHA1
e5400c9969493d1e5c1ccd836544e34025d1d617

SHA256
d101cc03b6b8988fd853416f6c64587cff63dfdca984c68fb290a36f15d0e2c8

SHA512
c8f6666299441c26cf802670e07d0f7a1205cd4523b5cde27f65cb01cdc588e00709ef8e94b0f83b3ce02865b99a8288e1e00ee692d7f234a6c451e30f15fd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbae8c86524763d4e4d5c500308a7daa

SHA1
25f66867fd00b2e21d1fd2748445d5ab987dc62b

SHA256
17c2109642c15a3edee097901e49805676156ef87504923a259c7eefedacbfd7

SHA512
2dcc3fa48c241f99c0407943d1c3d89b04f1e36bbfb5ea5e05ec6281fdc5cdd62ca3db25f40024ad25d2feb3e956e2f194ce4b485b4e6a61a9fcd3414622da19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9a0d03d2411d9a07922db8cf0cd7c6d

SHA1
88cbd44eb40a67f36d4bf778a2cc14d4f6627489

SHA256
90154802bc83ec59a738fa580852bdb59ec1335cc48ad5a7a7f91ea86d9f1318

SHA512
eaddf3f7c70b95dec55ed17c2b54b79d6bfa04814f382de31ed1692c60f0ca5631f779e97fb7836b929471829af163a3a6c3c017e35e227b56d4946cc3f39af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e18263ef1f5d3fa9d545c04abbfe688a

SHA1
ae94a1c2ce31daa964b3922a160d3527862785dd

SHA256
84917562322935a1070f419eaed25918a3428f08e0931113e34b6ba98aeefb0e

SHA512
87292d64b7eb546a438cd89b16a674805427f4293abf149a673f7ccb2bc2e6fb13b068c80f991cf825d27eb0a1d8cc3fb82dd89c77c8be5568780094c7ee7b2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb922f765f2d2b883979648a005eb398

SHA1
e781f04e0a31a13129c31f16b424a3e2bd9b48d6

SHA256
308f16434e42cfeba2496230b8ac5803e6bbc1aed818357e4225b838ad5cedbf

SHA512
51c82915001fe96ccccc5b361fc8fdd6f1d7efd437935b6187df8a3341ef3c653f9b9dd95fa390b0a1c1e468539480e1d6126852685b45c3f57a8be22cb1bf2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884158513e2dd170fe7d8444c83bcbfb

SHA1
c4bcae7a4250eade0e687582c2126de76d42210d

SHA256
130af0e42c77e2ac1622c1bbba7d0f01a9aa4f7e3bf243d34cf6b5157b08d192

SHA512
d72ef405ad94561da7093192d30358678738dc9017623526473fbd33aeaf0196e10e97df45c49c4548f23ca3e0ed1a997559b7782687326bf9a675f2964289de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccc7bccbf2955edf89431ed5fa3ddad4

SHA1
1d94299a5c5c6d3adc14af129591579c69410343

SHA256
6617a69aab862cc8b9a5aa46e9281c1c2305ef597196666b973e7a8f471bc6b1

SHA512
e81f7bcf656993f9e1cb68663055946940154e673f593cae894e21cc57804225bd55c7dd2e0a9f7580ab74677b6e4d1737de02c525f8ed8b4c1536e010626139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fb0d5b372310cb2d07d170b3ed78f2f

SHA1
451b8d70b05b935a6e7e71601ffd690cd022ee79

SHA256
ec50ef145abe70ecdd9e961770f0dfd13424c044c63bbde600b8f714ef823cdd

SHA512
7b5c0264408d735ae292d9b841f02bbfd379b4e8fad9ffce401d7a61b8003794c4c462aa1db2c26a0aeeb7c0b076659f283543c6eb00e199db623491d6c0d7c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fbf21911323a0859bb76765f6295cd5

SHA1
612eaf789e5c32d95dbd7acc4f86bd03367e5e23

SHA256
9d2d9a4937fc861f8481381e68e71c59004342b0ff0b7ca04d029eecbae20101

SHA512
505a5510b9f33d2538413e585f70e1febbda3c71e4c92429f6d2921d412c1b1bed06d67aef8611217333b4819278ec590586f737f747f7889ee59e6356edf521

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDBB1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDD5B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit