cef9230ad3111e4a233e61b49ac977d4d25849061a90b05c3e7d6f308022b4de

Analysis

max time kernel
136s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rebel/FastColoredTextBox.xml
Size

132KB
MD5

70d49dec6a333f1d94fb1e77c663525c
SHA1

184b544e672f4c4cb9ed9cf010da568eed16623d
SHA256

f3f2e537065317b6ce66dac64042e925bbcea65f00561f9860b7172c9ca07027
SHA512

b78a3c4418a7c5014eb16e72f2113f00353e9e566942f7160067c826c47f1ec2752ae7ede796fc159fb9bae499d347f822401fbc4446e2556cbd680cd595c2e2
SSDEEP

1536:45SVw7sekyF7o//t3zEzacGE5xa5lIV1/P5:45Sm7sekyxo//xzEz3GlM

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435155846"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1C62C31-8AED-11EF-9D46-D6B302822781} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000004ef80e499517749b78287d7742570181d942ff6dff6c707157977e3a247ee1a2000000000e8000000002000020000000994a26e6d28199a377729c95813f7b8f398b37100fb30b236464ad56bfa417ba90000000588034150c2be11cdaab43a87f674663e571ae492e4fea933877de94a97548fc8d1736d8267a866f6410ca13142529cf769a463be23cb92e9caeeaf04caeea0a597786c292eb246b3790e87daa174bf24a61d24dcf43b404774ca0f888d63ba62aa75cea4b33080cdb9161b07edd17ec10e5c8018097642f11dcd8f1510983cd5af13421e6b9f89d171da56398c5997e400000008d058f515d22a1728cf8fe5bf428966331fdbc0a47cf89a8ccde87c13edfc1132ef4e0edd48a9147da364be5eeb9d7576f5870de7a860c20258248b62e8547ed	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000640d2714f5d22621796c23cf3bdfed3678fc1425f6fa274d474683098e9a1c93000000000e80000000020000200000002ee62b0adc375cae48092787fdc76ccb817d2334482177716972f9b6f06c74df20000000e8806201df0a22df7038806a4304b5d7a866dfafda6dd0026d2883c7fb4bb59e4000000066eeff25c670a12752dd9aa71db390ccbf8eafb18307d08da929ea724f4b17a8f0cdca50c636a95ee5a7f34a8438aa0bf43ae15f7984f4aa27edc11a0de7bc5e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06d62b7fa1edb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1476	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1476	IEXPLORE.EXE
1476	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2244	2488	MSOXMLED.EXE	30
PID 2488 wrote to memory of 2244	2488	MSOXMLED.EXE	30
PID 2488 wrote to memory of 2244	2488	MSOXMLED.EXE	30
PID 2488 wrote to memory of 2244	2488	MSOXMLED.EXE	30
PID 2244 wrote to memory of 1476	2244	iexplore.exe	31
PID 2244 wrote to memory of 1476	2244	iexplore.exe	31
PID 2244 wrote to memory of 1476	2244	iexplore.exe	31
PID 2244 wrote to memory of 1476	2244	iexplore.exe	31
PID 1476 wrote to memory of 1500	1476	IEXPLORE.EXE	32
PID 1476 wrote to memory of 1500	1476	IEXPLORE.EXE	32
PID 1476 wrote to memory of 1500	1476	IEXPLORE.EXE	32
PID 1476 wrote to memory of 1500	1476	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Rebel\FastColoredTextBox.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1476 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bafe7ad0a0936dde11a4685465ec2b05

SHA1
dee567c22386c221e3d4c2ca259869d44c748724

SHA256
56931ea256296e8a75efe82f629e759e74dc7283ef62aabf139da235ada5dd93

SHA512
c7123798c5ec3d85f679dc1e49b53b4bb84f64107bc5f7a0e2e9d17f1d263b142aac96b342e92b78715aa4a191e442d43a8e0a312a9a91e467b6ed9bbfd8e805

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e8382e5968dd6d45fa5fbf68673f2e4

SHA1
db20c4e1839be6ec045ff1d18e77cf55face873c

SHA256
8e9a1095f67d038e0a2c3be5e92ffb30142f27a5ef2aad523593285f8ede7cf7

SHA512
63db67cb8ff3c4c4fbd99dd2310183601b7767e74d8025bd29bcc9f05f0ea97a2e9c8f231ad64a5e31c67e9dcaf85d00bece2c85fb1cc944b462014b16df5b69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a1fb451a4ecc3e1600d7d109b394946

SHA1
0e09f90e1d8b2c80c9ea83921f7827ad4e5a101b

SHA256
8668bf3f92bf78a7d433d593d176c70bcb752f512b91d4fa7ae9b1fbe2908e56

SHA512
b4bfdcca3e225976bf19e446bae97bad516d7383ae1cd151a764508fa1b8305f6709d4abefbd3e9b1b8af61f51b237395eafea5188b24e35b64582098bf33269

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf5599a6cd9c06b5722ea6cc41b5b93b

SHA1
67ea100973b026b29d2cf93f3b9b7b6a9c86129b

SHA256
1926601bed6023070f11d60c6e835b4891c19203c4227b144442b4f3c7383048

SHA512
01c5ae260143a4d1bf7a77ef29e7e43e411f19230742fd6ddde8bd08f5668654c2af2bd8accedb36bfa5747d8c410d1807513f6f343c55492c496ac147198eda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fc4d843eea36ffaf4513c2078d39328

SHA1
477090f689c185e87a264cfd30d832ad2a415e9c

SHA256
88caa9c7d491f7cc8ef57f6eec5d117b22437f1cd982b7a6503cd5a0029619ba

SHA512
98e8c73d677b600917764cb7c6ab32a770682320d7f5deda15b7c91aeb5a544c6f54f299ff7c7fcf5cb76c6207de8097b4d4ea284033d586e3861536cd23d29c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb398a5f954f33123f1a9c515fba9937

SHA1
2ee2e7025698bf1f811e260831ca1f474b975b7f

SHA256
c1db9303ce3ca668097ff64785721817f78bc636e6f88e66b4db3572392f7ea2

SHA512
dea15b48b3305487bfd2ccf4819133190ee6f1ac55d317b89f1f56881e3e279119ecd9cb699faceb05c1db5c42b0096a0a57b271b1981e521bcaf324befffe6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfe6e93ee169bd5865bffe3fa06b1dbe

SHA1
363abc6e7185973fdd3e1fb7b8983e63b66a5d3b

SHA256
28255edc634aea2f1605fcb77c3a79db4a87da15d634e9d6fc952478a60aae01

SHA512
581c1790b22fafc417da5bbe9771571f6c69f56848940f085a53e53f909d6f7ba1071485765b7e2c27edb99d87b7bcf1dc92bc2671a59524ade1deb1f8a4e948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d9ee45de70ca9200099a7c94082d3e

SHA1
b9f5e3b30f3135e71263209b9b736bbef65d9161

SHA256
16634411a2e2e115f8970e99b41f3da2495d6c8fca09b6525ec59b1bfca585c3

SHA512
9cb740c263954d81b4724689b755372cad4ad83df3fc04c8be56f5008dd6d43291cca516b90d323ad0ddfdf72ae3abba98c25770d9162c72bb335625b3ab6d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBC9E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD4D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit