Analysis
max time kernel: 1566s
max time network: 1567s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 21:11
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral4
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win11-20241007-en
General
Target: https://pezbelz.store/btk/xls/b1t2k.js
Malware Config
Signatures
System Location Discovery: System Language Discovery  1 TTPs  1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Modifies Internet Explorer Phishing Filter  1 TTPs  2 IoCs
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f0547cbd5931db01  iexplore.exe
Modifies Internet Explorer settings  28 IoCs
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437175793"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0BF6871-9D4C-11EF-88C4-7A9F8CACAEA3} = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
  Key created  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"  iexplore.exe
Suspicious use of FindShellTrayWindow  1 IoCs
  pid  Process
  2480  iexplore.exe
Suspicious use of SetWindowsHookEx  6 IoCs
  pid  Process
  2480  iexplore.exe
  2480  iexplore.exe
  484  IEXPLORE.EXE
  484  IEXPLORE.EXE
  484  IEXPLORE.EXE
  484  IEXPLORE.EXE
Suspicious use of WriteProcessMemory  4 IoCs
  description  pid  Process  procid_target
  PID 2480 wrote to memory of 484  2480  iexplore.exe  31
  PID 2480 wrote to memory of 484  2480  iexplore.exe  31
  PID 2480 wrote to memory of 484  2480  iexplore.exe  31
  PID 2480 wrote to memory of 484  2480  iexplore.exe  31
Processes
C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://pezbelz.store/btk/xls/b1t2k.js
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2480
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2480 CREDAT:275457 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 484
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 914B
MD5: e4a68ac854ac5242460afd72481b2a44
SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize: 252B
MD5: 942ac61809e79be7bc80a1fbaea5449d
SHA1: 589810f856ff59a1042d53d6eabf468b890c8e6c
SHA256: e0bd08655f3f4e6e0b883d1efece9a9f746c259b6de2f9459fcee6d01b874dc7
SHA512: e07956e90b3c2f0785d64048ffbc54c110bc58e928df0aeed88eaa72d6a26cf787ceabac4c1ca3739187095b9d10be1d82203f518b817bbf24a4308c21f023bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6925c5cce35d5104de03ae6871f913e5
SHA1: 5244016df8b07391b89fe67b5c0598db67e232a3
SHA256: 184308633ab8252b48ab49730385159f13b06c2367cf6ef1a72f73d4f81648aa
SHA512: 205145d7c7e41482b3aa9646b93323fd1d224fa870777a29468c0a6b5071f00b088f58e65dcfacd363a9d7d96decef4e25adf4f9496a13f282159b0ec6dc330e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d5bba3f9e3f91c944e19ef2f09d5c1bd
SHA1: d4c3af5efb1b89dd754e6903b75aa1628fcbb4d1
SHA256: 3c95989e7ce73c5f12b90e0f15d3baaf1ad0ff36e8f8c9c00ba8cdf7bbb5f3f3
SHA512: bbe7d2f5f1c40e8956e146112518443a88582fa7dea8f42e86b0d13eb56a6815db7d83720c12823823ffbb3b39649619d0fbeab76e800643544faa80f8e63c9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 798ca5a75601a513cd23f86f9d88c234
SHA1: 2cdd12f0ca8a0cb74352a1aad62a1363f09a0729
SHA256: 86f91dd866ef708c0833a77d92200f290cc0697d9e07e39672bcb7c233a880d6
SHA512: 42b6ccaa329f7f34f5290897d74334c938c58fa17ddd58de2707269ca6017b6b8cec3c81f405f4a91ecf3bbb57e89421bc86a565d5ce165430ae0fe41cd7ea78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1cd6cce54bfbd21b29abf5d27e297893
SHA1: 0121bde384371c4b212411b065d69aeb0f2b53dd
SHA256: abfe4a5f0e851ad630840c4899742325f15ecf5575b31b2a55930425d2ef610e
SHA512: caf328beab3966ab40b902f3b636b481aa07d417cacb845c7bc7bd8acdc26e2f1d4c885584b3170cb9ac2c4ab77dd826dbe2ee498fc9074a42e657b4e3e2eb12

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 51347d3bd52e7c2449f3ef255bb52ace
SHA1: 39f9bb66d3f7426221d707cb54859d3803f07e8d
SHA256: 589dd9a64a95d4c015020facf00942c2342400f73a02275e33ba0a3b67954456
SHA512: 9ff3837b2b86588765d5c1027a5e623eb91dad72ddb5c8bb7c15b0bf5a2c8d512607f083cda35ba6244154a5d99d2d126bc7c862da9ce249a3452739532f8c48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c3de4c4459f28a00a7a4d5ab683cb254
SHA1: 222d3e5f94afc36fc42c6f2895af6524990de73b
SHA256: 36f5c098eff470f1c3795a5263882182e79e7c035824fe098e6eed61c185a7c2
SHA512: 71787bc35bb556ff6fb5794218f8161ea4017dbe211cb925d7269e06c03d9fddc7b1ba2d83bdf2a104cab5bf8332a2326783211a36141b1648d2fa7731c2847c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ba0ea95f7969887feceab32e3df3abd1
SHA1: 202673ef5b15e3336264740b905d55c2248b19c8
SHA256: 5f34ee9a3599d1f9eaafd7a516daf9655e2148729e89f601dc51e85aa0d28c75
SHA512: 8f8dc0b570ad6c4f2e2b076d1c490f4a6db72c177cbeae8516fb69c3ddb47add4cb2e29ec74f50baea97cd4797bc081921d0fe6612423641aa840aa22bd1532a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 980b15f65fe64bf2b42141255a420ed8
SHA1: 1cada37474b62941ad9c56c4352e73ac921d99b8
SHA256: 7bbbe5926eedc136e694e9dff8daf2e1af3a70141afe5e8ab9f7158e6067d301
SHA512: 9294fc6e1b0d189268bc654ddeff03f90c41d4797cf27a6ef63848885467c666a322ee03d56a14d167914bd640861606954b279878bfd590d1ea2fdc95f909ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c07c9a8f5a92ce73add8e215cc81efbe
SHA1: 7cd229d09e159cf5ab19b32afd2c111ea835f86b
SHA256: e126c250e949c7644a81fa34dafbae201417d4620d8b150fddc29b1938cf0585
SHA512: 1cae5b7d276d24e57982a624db6c0fcd1c79eba43b6992203a23d64d511931169f7419f505fa692182427ecaf86fd820083cc7231139a101753774354185f7fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2dd93fe7dcd65f3db9f54a5c49a7663b
SHA1: 09d53f8bf9db9120c29dd8e2fb5e35ba6ca1ed98
SHA256: d39b49b5fc71ec0bc0255dec9d82957fbc07da106d9661d6f355a778bc1f91de
SHA512: 72926f4f51232555d4df4aa5e2ef9ee97697dc542ebff2f67a078c2cc8819fb9ccab2ee28554388e4e57a49752424de24fe87d58bd3e8d2245680610b928dda8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a730304280278a9220f58c4d7fe52e0e
SHA1: cf3fcf303086669dcb1dd687cefcf18c1fa16137
SHA256: 32f3e33869df96dc6b5ac529577c046c894382f668c9c7dcba4e4614cc2686b7
SHA512: 8b52c14871bc9301708f34864d78f87f1e46cfe24b162c7649bc5b0d6fcc16b25699df88696ab61efe41745e07ebbc03a795ee6e0b56def12aba0febcf003ecf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4ea10d013c1f636406df2f0fa4c01859
SHA1: bf3f033ad1d8f7f3a6b4407aba0629692ecb9510
SHA256: 43717213458acca851324d041dcab8949783bb8a2c9d888f889773c010bd5a61
SHA512: 4cd1105a2e50bea99c537217f6200e479ead209f3ffd8cf200bf53f15af6c31b511b7f39c970324859ad5a8f4f53d449fdc471cdffc3c16bab8390ae87fb0f32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 081e2e6eb7b49bda0ed66499ef3de966
SHA1: 3351ed4cddd51bfb432965ea8e47420b999eace7
SHA256: 568c2c58720a56d41823a1e4d6be85220af38343189198993bae25a71860c546
SHA512: f1c7e5c19e7e481e5f1d6f569347297c5da643b9c38ea1400ac11076a419c50f5342cea40a89cf47cb5bcba63ad109066fc03654e525215145ba35828395817f

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b