Analysis

max time kernel: 1558s
max time network: 1558s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 21:11
Static task: static1
URLScan task: urlscan1

Behavioral task: behavioral1
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win10ltsc2021-20241023-en

Behavioral task: behavioral4
  Sample: https://pezbelz.store/btk/xls/b1t2k.js
  Resource: win11-20241007-en
Malware Config

Signatures

Command and Scripting Interpreter: JavaScript (1 TTPs)

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 100cc8b85931db01 (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)

Modifies Internet Explorer settings (28 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0B0D9E1-9D4C-11EF-B36A-E62D5E492327} = "0" (iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437175793" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\MINIE (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2252 iexplore.exe
  pid 2252 iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2252 iexplore.exe
  pid 2252 iexplore.exe
  pid 1692 IEXPLORE.EXE
  pid 1692 IEXPLORE.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2252 wrote to memory of 1692 (pid 2252, iexplore.exe, procid_target 30)
  PID 2252 wrote to memory of 1692 (pid 2252, iexplore.exe, procid_target 30)
  PID 2252 wrote to memory of 1692 (pid 2252, iexplore.exe, procid_target 30)
  PID 2252 wrote to memory of 1692 (pid 2252, iexplore.exe, procid_target 30)
  PID 2252 wrote to memory of 2352 (pid 2252, iexplore.exe, procid_target 33)
  PID 2252 wrote to memory of 2352 (pid 2252, iexplore.exe, procid_target 33)
  PID 2252 wrote to memory of 2352 (pid 2252, iexplore.exe, procid_target 33)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Internet Explorer\iexplore.exe (PID 2252)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://pezbelz.store/btk/xls/b1t2k.js
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1692, child of 2252)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Windows\System32\WScript.exe (PID 2352, child of 2252)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\b1t2k.js"
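The tree above is the part of this report that matters. The IE frame process (PID 2252) fetched b1t2k.js, the file landed in the Temporary Internet Files cache, and 2252 then launched WScript.exe (PID 2352) on the cached copy, so the script ran under the Windows Script Host on the endpoint, outside any browser sandbox. The other hits (the tab process 1692 started with SCODEF/CREDAT, the SetWindowsHookEx and FindShellTrayWindow calls, the WriteProcessMemory into both children at creation, and the registry writes under Software\Microsoft\Internet Explorer) are consistent with IE's own start-up rather than with the script's activity; the report shows no further children or network traffic from 2352, so what the script did after it started is not visible here. The Python below is an added example and not part of the report or of the sandbox's tooling: it runs a hunt over constructed process-start events modelled on this tree (plus a benign control) and flags a script host that either has a browser in its ancestry or was handed a script from a browser cache or Downloads folder. The field names pid/ppid/image/command_line are an assumption, standing in for Sysmon Event ID 1 or EDR process-start telemetry.

```python
"""Hunt for a browser handing a downloaded script to the Windows Script Host.

Added example, not part of the sandbox report.  EVENTS below are constructed
to mirror the report's process tree (2252 -> 1692, 2252 -> 2352) plus a benign
control; the field names pid/ppid/image/command_line are an assumption standing
in for Sysmon Event ID 1 or EDR process-start records.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Directories a browser writes fetched files into: the IE cache on Win7
# (Content.IE5), the IE/Edge cache on Win10 (INetCache) and the user's
# Downloads folder.  Compared case-insensitively as substrings of the path.
DROP_DIRS = (
    "\\temporary internet files\\content.ie5\\",
    "\\inetcache\\",
    "\\downloads\\",
)

EVENTS = [  # constructed sample telemetry, shaped after the report's tree
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Windows\Explorer.EXE"},
    {"pid": 2252, "ppid": 1000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://pezbelz.store/btk/xls/b1t2k.js'},
    {"pid": 1692, "ppid": 2252, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "command_line": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2'},
    {"pid": 2352, "ppid": 2252, "image": r"C:\Windows\System32\WScript.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\b1t2k.js"'},
    # benign control: a logon script run from a share by a non-browser parent
    {"pid": 4100, "ppid": 700, "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe //nologo \\fileserver\netlogon\map_drives.vbs"},
]


def win_argv(cmdline):
    """Split a Windows command line on whitespace outside double quotes.
    Quotes are dropped; backslashes are path separators, not escapes."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image basenames from pid up to the root.  Stops on a missing parent or
    a cycle: PIDs are reused, so real telemetry can contain loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


@dataclass
class Finding:
    pid: int
    script: str
    chain: list      # script host first, then its ancestors
    reasons: list


def hunt(events):
    """Return a Finding for every script host that was started by a browser
    or given a script that sits in a browser cache or Downloads folder."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        argv = win_argv(e["command_line"])
        scripts = [a for a in argv[1:] if a.lower().endswith(SCRIPT_EXTS)]
        if not scripts:
            continue
        chain = ancestry(e["pid"], by_pid)
        reasons = []
        if any(p in BROWSERS for p in chain[1:]):
            reasons.append("browser-in-ancestry")
        if any(d in scripts[0].lower() for d in DROP_DIRS):
            reasons.append("script-in-browser-drop-dir")
        if reasons:
            findings.append(Finding(e["pid"], scripts[0], chain, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"PID {f.pid}: {' <- '.join(f.chain)}  {f.script}  [{', '.join(f.reasons)}]")
```

Both checks are kept because they cover different delivery paths: IE on Windows 7 opens a .js URL straight from its cache, so the browser is the parent, whereas on a Windows 10 host where Edge or Chrome saves the file and the user double-clicks it in Downloads, the parent is explorer.exe and only the drop-directory check fires. Feeding the hunt real Sysmon Event ID 1 or 4688 data (with command-line auditing enabled) only requires mapping those fields onto the four keys used here.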
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 914B
MD5: e4a68ac854ac5242460afd72481b2a44
SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize: 252B
MD5: 3593b504fdfc2c7cb6e92ab42538d3ba
SHA1: a0ed7e68d43ee7bcd689503e114acd268034e569
SHA256: 46350c35c92def874371718604979ea19763b280c0f1a7a4044cf38573469708
SHA512: 07eba170924ea0b49a5a44dd394f15481832280e960c242da35887af3dd2cf52e6ae4fc37f29c446976d07ee0ff7c7b3c6de45aeeafba5062189cdc77778a159

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c41e36009ae91b7e176bbef2986de0a8
SHA1: fe1aace26c23256f3db7e36338cfdb71fa6af8fd
SHA256: 736c30bcbd691d3b8dd88783524c6d1d824b310c1a98551de0d561aa342eed02
SHA512: 8aa0998c97f59c538ccf4a9505cc252dfc71d5706af440f619db70ab4905e3a1d049f4cfe751508019d4e9dba32e37003c5ee920af15154ef34d79f9c841b797

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f1a3ab900daef6bce879f4cec44b75b3
SHA1: 7b8696db88806070465e81f5a0bb04c4f0501310
SHA256: da8cdb572f6ff011ddbe6f0bede1d000cb83d06e2d0ac7a7d7ac4941df4cc715
SHA512: 8a665d45f57a252783bd851f92a99acbb96317316cc29c8465c0ddc16bb7fb52cd06ded47fcd0c8399eb91ff39517999ae2da89c4ca2a0e06f8d145a6e463550

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e4d2a60cc60d228bb9260af60fae46a3
SHA1: 033e8b2acfa051aaecb94c982ec5434c925f055b
SHA256: 776dddf43ae9157630da4d8bf2b2731a6f670a0c21e10d8a3cf57cf1119c245b
SHA512: 399b75d7f934e846bcd7fe9c21f9493ce7b7d736659843fc9b9ff34caba31e242cc533c97720c68ae532928f551027283e7b981bfa9598e880b7f0b5e4affdc2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8156e190f86b2412de5da8dfb86a389e
SHA1: 04dad69274e2c9fa9bc97bacdce0fa085867b3ac
SHA256: 8b1c545abece21d2524119b64ab599e37a31ff5236f82e1e8d3a2890166ef3ca
SHA512: 69ad0add113481f5504d0593ac82eb99cd48e399903a9c4a18f992c697b77e08c0d3a3b0d3f2be9eae7dd7ee50711aac123c216c07ed2d310dcf4b494575f115

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a84d3324af78ddb609ad95ebbf172b19
SHA1: 0f191d503e0061a35490fee1128159dbea09f048
SHA256: c816ea092d67aa4d01eac10d1a4f0d018ff015014bdece7f90ce20c3dbb3ece8
SHA512: b121f7e914c306fa38026eb2ec3a41e65fc8a83dda0c2da3ba6adbf6a62eaaf0cc3611bfce7e750226c8daa572dc9efb34992e82dfbb35aaf4d75614db7cc7d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a1ae14628d587ecd560e01c3299496ec
SHA1: df45709f17659aa05920c1657784f63aeeec1b16
SHA256: 40df41f73917cea6498688e717b6bccb4cc0a9a77ea0565e5e480e7af623a06a
SHA512: 316fd393b86cb6506b82b6149572951316f8ce20c8970e98362f5907bf3f002c1a733b35026dbd815f135f359878855caf92193c16333c6d3982481c2dad5b43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 393904d987541976d80c707f8e8fa5a5
SHA1: fe0b5b2123f814c86b140d425e64135968ce44e9
SHA256: 2c9d2999c07db0d1b9ba058ffa7887192149486932ceb3e5441059210c1df1a4
SHA512: aa01a1876dc03660d09546501c0dcfbbcc9acd367368d981d251f56dc78456463c4b753a4ecbdca6335e94dc56d6ae267fa1ad8e6bb672e5f400161bc1d1dd75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 51ef4bc9cfaca7ca16648f58debffffc
SHA1: 01a11a2b1f2967e1b8d177db87fe30c272f4a261
SHA256: 0ce63662db31b6ecbc6d5c4b661b8e7fd7badf320b710063a796161f0a926503
SHA512: 07d7bcd80eeb92ad9f8544e5fbce3120e904367f2fee547eb6ae520a1f6271ca7d21a1cefa765b9441b6f8febbe6406663b495b0f19fc588ac4efae3c726f8eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 018c12ed7b54544962927dcf12a5a94f
SHA1: 7ddf952cdc88afeb7eed289b1c5cfe9adf42cca9
SHA256: 7b4e00fe77bab964330a3a39fef2e18b3380867d6b6099dd307b6e043ec7fff4
SHA512: 5009e4dcb3a666f907f67151eec888738788919a0ad27fbc649f153c7fe582a20161c174031f56f7712094a46cf42539994c9517457c4b868a7c2ea97f367573

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f43e2beec620ce33635de3a58f1efb13
SHA1: 6ca5b3a7301156dd9e85d35aaa7e49adc0a5c891
SHA256: 8f65b14e0d45911d1efb2c65fdeed451251a18517133fba525fb78601abcea70
SHA512: ff32e6b2e81400a02fbbba5c0eade583f6c3ec00a88af9906a56f5949a43f8e5b3437235616cff703937a1006b21d9c24f2c86802c395c3edfddbcb4a1a7636b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6a41540f31e18cb9c1ff136b02a9db50
SHA1: 79daaead2fb4a06b69bd05b346173705b553bea5
SHA256: 10226cbc068669e1941aef4e126d86b9424862d85e187d95073498739681cdc5
SHA512: 8ffccae13ef1eba9202da8329503a6aecefe32e3996a42fd965b872397c0cb53ba5fef540ee82f99c82ff845aed07efff06935578e4851957f1669b143fdcba9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 90c3fb97255c90db2f6b4fa4751b3018
SHA1: cb3355f2a9bc5e1c06ff913f81e27825d4c4e4bd
SHA256: 802edb279986745e656bb08ad5663098ae60b618ee14c754129dd660e705ae41
SHA512: cc52e8ecd46f9036107876b490ab36ace7f1dd18dc173f5c1ea98a75e1fb5c22e86b84d3239cae0b6aa41a985cc98141e8f3597920c9fa41c27aff21c935b0cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\b1t2k[1].js
Filesize: 34KB
MD5: eda194399aa9e3b72092af56c0d2ba35
SHA1: 342897608e5946fe92f0bda9a678ccbea617bf22
SHA256: c169980ad958887a4cbd7eda547c14f37a466b65002b2e44a969d631c3634bed
SHA512: 1e9e0b5c03e5e26b11655c0954efa8a0dc63eea541a9fb19e3d325377691d162248beacea907ebd9a0fb15312f7d6c9be3d0b6ad2a391e44526cd7a00c676c33

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b