Analysis
- Max time kernel: 120s
- Max time network: 148s
- Platform: windows7_x64
- Resource: win7-20241010-en
- Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- Submitted: 09/11/2024, 21:38
Static task: static1
Behavioral task: behavioral1, sample Release.zip, resource win7-20240903-en
Behavioral task: behavioral2, sample Release.zip, resource win10v2004-20241007-en
Behavioral task: behavioral3, sample Setup.txt, resource win7-20240903-en
Behavioral task: behavioral4, sample Setup.txt, resource win10v2004-20241007-en
Behavioral task: behavioral5, sample emu/878321.exe, resource win7-20241010-en
Behavioral task: behavioral6, sample emu/878321.exe, resource win10v2004-20241007-en
Behavioral task: behavioral7, sample emu/KeyAuthEmulator.exe, resource win7-20240903-en
Behavioral task: behavioral8, sample emu/KeyAuthEmulator.exe, resource win10v2004-20241007-en
Behavioral task: behavioral9, sample emu/KeyAuthEmulator.exe, resource win7-20240729-en
Behavioral task: behavioral10, sample emu/KeyAuthEmulator.exe, resource win10v2004-20241007-en
Behavioral task: behavioral11, sample index.html, resource win7-20241010-en
Behavioral task: behavioral12, sample index.html, resource win10v2004-20241007-en
Behavioral task: behavioral13, sample loader3.exe, resource win7-20240903-en
Behavioral task: behavioral14, sample loader3.exe, resource win10v2004-20241007-en
General
- Target: index.html
- Size: 16KB
- MD5: 7359baf2816e9ea45c34df81cccccdd7
- SHA1: 502ec15091c051802207d9add2e72b87b15116ef
- SHA256: aff38217133c0896e0efd1f081c58a2b07559cd3757d567e5213284276915936
- SHA512: 1dce53e70d44a567464862dcd3ea9276248e84cd5b1b72ecdab0864385b8466c389f3511d137b9af66a64fba680bd6f92b8410e151c0b5a4e28df3d0cfccb18a
- SSDEEP: 384:EuovOXS/gsdAsXsBsos4sEsBsZsXsYs8szsmsususKsmVsbnvUmrsis87sasPs/:8vOXS/gs2sXsBsos4sEsBsZsXsYs8szA
Malware Config
Signatures
- System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
- Modifies Internet Explorer settings
  All keys below are under \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\
  description | ioc | Process
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | SearchScopes | iexplore.exe
  Key created | DomainSuggestion | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | Toolbar\WebBrowser | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Key created | TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\MFV = … | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | Main | iexplore.exe
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Key created | Zoom | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
  Key created | TabbedBrowsing | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Set value (int) | Recovery\AdminActive\{052F4721-9EE3-11EF-8E0F-52DE62627832} = "0" | iexplore.exe
  Key created | Main\WindowsSearch | IEXPLORE.EXE
  Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000003bb43a5bc619edf95b2213954ee0160170011b7433b058d851bbc814cd379e44000000000e8000000002000020000000ff123201df9e1f54fd97ea6e522831ec8f63243d1d8c93d3d80f1dc133e129be200000004573c03b93ae998caeb08629cc1f054e3e39301ebba8c2b6bd8dd5dd7212499e400000001e560628c78c1d1dc078759083deec05657552230cde8f152cc67e5283b1e4c699612ea3d8ddbbfc825892eee952d2857d2bb1335e35a21bac16cd2515aa72d0 | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Set value (int) | DomainSuggestion\NextUpdateDate = "437350227" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = f0c7afd9ef32db01 | iexplore.exe
  Key created | IntelliForms | iexplore.exe
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Key created | LowRegistry | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Key created | GPU | iexplore.exe
- Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  2520 | iexplore.exe
- Suspicious use of SetWindowsHookEx 6 IoCs
  pid | Process
  2520 | iexplore.exe
  2520 | iexplore.exe
  2164 | IEXPLORE.EXE
  2164 | IEXPLORE.EXE
  2164 | IEXPLORE.EXE
  2164 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory 4 IoCs
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 2164 | 2520 | iexplore.exe | 30
  PID 2520 wrote to memory of 2164 | 2520 | iexplore.exe | 30
  PID 2520 wrote to memory of 2164 | 2520 | iexplore.exe | 30
  PID 2520 wrote to memory of 2164 | 2520 | iexplore.exe | 30
Processes
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html
  PID: 2520
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 2520)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2
    PID: 2164
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 27663b2d4de7fc19db022d30fe9f61bd
  SHA1: 36e08cba8075d34be4b7eb6b8ebafcd472928e2b
  SHA256: 1a92ad192f6ac07f294f05035fe41a8f71ea1851f2daa85f4d1a19697b598078
  SHA512: 0d1860663fb4a72c8a9f4c7912a88c834284299d2c941e3baa7d4530567eb797154ec50835d7b8df16c1ab2cee8bc225b2adbec671b8133fe6f3d278457304ab
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 20625e55f0687c1b29032333980aeee8
  SHA1: 97b294f3b73fedd5af3b4f2d1fddb3ef5e63b093
  SHA256: a481bcaf14a7759d197072e1ac79e45895b326d914155c5560cf6a9d3d10dc78
  SHA512: a85b1462a814e35e44ca622220fde483ecf4d345aaab9ab04e107a12f8c4b4b553cac19ea85ecdd8a2351e6bef7403891491fd43745645088bf81aba3e5d3f70
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3483c832543bd4eebbbbddeb0b2ee49d
  SHA1: 95e944a20ae2d1ee76e30a8b14bd86acf5493507
  SHA256: fd12881bf1a98167b038ddbe509aae369a51a276922515dd675a84b1a27de9d4
  SHA512: 676eea356079d286e193e78722f99ce6bdeddf5c1daf687af695c9619b13358588a978c5c0d8c2c1df1910059433add056ef670e3994846032aa29d817c9305c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e3e3cf8b05bcb9f4535969a4447d4987
  SHA1: c870badc696a49db43dd161dcbf676ac9907fdf6
  SHA256: 593ee36cf10b77389a384f7783639776af85587b51c5f44ddad11fbc1a432c3f
  SHA512: e8b0eb29626942256f813b40cd4a202ef604e51a97a2993d5fbd804450fa7c8a81a46d59a7db71a1a04d35ef3a38a6117134c420564a10c03468ae6ea9fb6779
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fd8f50db1606060a6424662ac1ab3e5b
  SHA1: c595005ef19e61455b745141eb7f581ccc26729d
  SHA256: 47a41254fb150f200bf1593569b2c27150a3bcaf9e6cf7dd54341a19f69b2438
  SHA512: 5db9b33f267c2b0d8cacd8f632087d59db2a9e04014d736ef70577d75e2eccca753bfd04fb652833d4f437239402aed890129ed8b0cddca7d5779c754ae30aa4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e632cd8b525e64ba7cfccdf9e3d8eb98
  SHA1: 2b07a4c9e4a358b71df5f1d38d40bd58aa589e10
  SHA256: fc0f7847567c9fc057edab017d573042a68746f16f3ed0efb61a28aa8a6e7020
  SHA512: 2f7b25b91e7bd8a5600af08da12fde3c169fd29203460ad891f81b37c587a0076695ac741b4c0e1a934cd555ca1ce492900577f98b3a45dae5a616245006e23d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f7cd0fdb46463352a88956990c0f54af
  SHA1: 3b2251bbf9a67f92ade931aa858445a3f1bc34e6
  SHA256: 3d6af690ad78149c61c8f8f7fe687b3834d551118b44c4094c5644a374144a80
  SHA512: 10cc69788d27550dcfc1d95f61dee0f403b470bfda91928154124709375d37da79cdcbd47a776a1c464f1b7c7b87bc80adc4e30cc295005722c9216ded84f024
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fb3b2a3602bdc5e34d60ae6ae7d2ed66
  SHA1: d6589fa89a4bd63f777f5d3a116961889ae1011f
  SHA256: c4ce1415f770680ce56ee0aafcbe75235b3d0096f3a47270f9d833914d1fdf80
  SHA512: febedf192a423eb21fdaed101a16c7a09bfb42b724128e7709f950ab22ba4a23b85224a6c47b75aab3ac89d83141ae4191d2fdd498314328e27471b47d6dfee1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f97f3b10d8df6f8922ad2c533195750a
  SHA1: a7e7f44df4d0d5e0d627951e5002a4aef94fb32c
  SHA256: 7fdb2ffa9313fce20756ba3adb63fb200c46ca6379aa916a02546b0a0f73c64d
  SHA512: 3db9138609e91871078c59a1ba0a43ae2e92d8eadd93d95da969a0c3d97aada7fd8422891033d080c783ed2aca6efe5a982496c40a8c25598a0aa14ecd61c9af
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8a8b404d947b48dd8928f5f933574ecd
  SHA1: a84d84e5b77e23ea4d87ee8b9f9c25e817059db9
  SHA256: 9a064dbf4cd73d7ff3d24eef05a41ecdd2f2b402cf92173fc6f8056455e60ce1
  SHA512: 471c53ae1d76a6eee23430a9796f437494a0679191fbe00369c0eda9232bacecae6c5988b7555460072ca0331a5e984879e45de14c4917dcb03ad7a7bf98112c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a9a51467851b2e37655d9d99ea244547
  SHA1: 41f65618cc1febfd6738e2747712e9000929689c
  SHA256: 158c284bfca346a53f648073f66e0366fd183116fe169f8bdbffe1fda12ee7d3
  SHA512: f683c4fe1136d756ac2ecb382bbdeb87ff43f7d46466f460bf7fbc2c6a95642fa3cfa778fe6a6f340a2d80cc99a5f878b195f00b327f6db362a74e6f4214ff45
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 28fefa38d30a294cf749d58200dc9246
  SHA1: 8041e2e73b5d3791d2faf2d2fba57d1dd8da537d
  SHA256: 1e8ec488991007023eab822b0d6d77cc65613c1dd26fde4c83070654d32bb528
  SHA512: a30337df355980ac657dd9012be98223f39b6b76a5150d7f64e4dc8743e784840ad9a2ba4e7689aec668b821f07830121e6bcc315d16044be031a2236edc8cf1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 13860806fa231933a7947b25926364ec
  SHA1: c57d10d428aeab0f44354643cea8a2af6fe31d22
  SHA256: 80b9d91c4930c526183e2f0dc18f9f160ad268d99a210e6f0e6091d360008218
  SHA512: 1a9516c0dab027cd62566f243506d5c0e3cd72cb3d6a8e9de334fe337b023a3bc495970c9202201744ff2af8090100da0ba80ae189bad6979078615b7232292b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: af4ed15b8d7f5302813f4f7227aed9c8
  SHA1: 4a0403f22b5c90952e344c0f9c207e84705acb4e
  SHA256: f25a1bf72f364acca4abc03139706927cbccbe3e969e881e5db7720e595fd94e
  SHA512: 9b098fa5a0b9e21a184bff8b25828a3f79d5e331a2eef291332c6bed51087b6f76b239eccd6596e70380c832bfeb228d91eaf2c67e56ea25adecd1771c2efa99
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 18a89fdcfc7606d5830e0c35cc199d0d
  SHA1: 63b73a2963487af06623e37a6689f9b2fd399531
  SHA256: 72e5bec3a5ac3abfcfdf275c6de716271410690c128553f56d2122c4d620defa
  SHA512: 51a8094d419eb1b0e5652e8f6f6e3bec6f8acf7c657c7b0729c35441e4f93ba642c0a294b4f858b419bec9d41b926d0e4bea8ec3d1aded5fde5e6b88f61dd70a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d9459d4b64cd71cf382520831e46a63b
  SHA1: d993fed2f2cf540cd0c2f76ead9b5e99a675ae7a
  SHA256: 4d39a55bced2fd31cd1e6dc457d592a625e0e70f4d630a983f58e62ebd0930c0
  SHA512: 1919083806037d423f4d54588cffb72d7226077d3dab8302d64fbb1d71a750562c1ec78bfe0c02f05622b8fbf6e3ec17f389a78254463b9e61aa56fad68d6e65
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b