24b4ab604c01ad537704980ce0e2dc8f97ef4f59e0453918eed6de272dc93ee0

Resubmissions

19/11/2024, 16:46

241119-vabhkaygrk 6

19/11/2024, 16:43

241119-t8gxkatjhj 6

Analysis

max time kernel
130s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FACUTURAS ISES-AIRE/CON ACEPTACION TACITA/FE8914.zip
Size

1.4MB
MD5

be767bb40149e3f75c71dab3b0e299da
SHA1

c016761456b75713eaf003df8065a3c6f9f52ce1
SHA256

cf0854f7e4dcf185716d50ffe698c1b27fd19ee197b7784d8ecbc7590a288575
SHA512

74f9ffd9b4b0f4c7214fe54026561c8666e621143917a6ccbe2955f529d7b57036396436634788abf8bb48f9fd3d362c27d78a3b810357f6137968e216738e3b
SSDEEP

24576:kNTjOujHCBzrz3ugOtVtvm1GjR5xhrdUTFLtg2fgkajP29H/cj9RksI1cPyco:kL2BL3zOt/uknshK24ka729f0I1eo

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	7zFM.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bc9407a33adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000018b5f602001a1fe8525dde7caf767a66e9c7c7658a8507b7b05a397c462eff85000000000e80000000020000200000005d84f72304a7d762ae0b7a4251baa1cd753ca0acc34640563379d8e36eba7cc390000000f9ef6f3961205fc7d32ddccf82ecff44d8337424dbabec0ea5bf57f1c3cfc3ce2436b9b530416aa1e552da4b4b91c1621b35caaff429b054d7241f2208875f56c46cd8f836e03b2963677cb67fce039a5dc09040b57a1bc5895a3818474c5da4f6b0391b771b614e90964ac7c7db6b47793bc2f178443d43e6b64850a2c965cde0edab2c607f0b2404cdeb1f260895bc400000008b8dfecf40c1199c29524d14a66ae201ad92fd7673d1d443c7a19d4f3d5b35cde8aae4d96b92bf74d071993767d3e86e6f9110e54118a4e9bc5f48a0b722cf44	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{325A0BD1-A696-11EF-A88A-DE8CFA0D7791} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000089d922f75df97e41f4dd32a1a2791145d6534a8f51663069d342767673c9b0ff000000000e8000000002000020000000ede63a02b4b279894934dc054d52287e5f735ae2340944c32a0de7b6336bea0f200000002d85615575e2e2c7c7ef4aa3c1ec80a79ef894f42cb304ecf72f4d9dd2fae81f40000000ba81d2b6cb4ca8fba03e6a60307a8e59dd946b5adfc377cf74e4f771fe783fd29f12432592650a6eea2436e4c6da1779fbddefcde7dbc3a4701ab41f0f3b9e36	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2492	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2492	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2492	7zFM.exe
Token: 35	2492	7zFM.exe
Token: SeSecurityPrivilege	2492	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2492	7zFM.exe
2492	7zFM.exe
2096	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2096	IEXPLORE.EXE
2096	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2436	2492	7zFM.exe	31
PID 2492 wrote to memory of 2436	2492	7zFM.exe	31
PID 2492 wrote to memory of 2436	2492	7zFM.exe	31
PID 2492 wrote to memory of 2436	2492	7zFM.exe	31
PID 2436 wrote to memory of 2996	2436	MSOXMLED.EXE	32
PID 2436 wrote to memory of 2996	2436	MSOXMLED.EXE	32
PID 2436 wrote to memory of 2996	2436	MSOXMLED.EXE	32
PID 2436 wrote to memory of 2996	2436	MSOXMLED.EXE	32
PID 2996 wrote to memory of 2096	2996	iexplore.exe	33
PID 2996 wrote to memory of 2096	2996	iexplore.exe	33
PID 2996 wrote to memory of 2096	2996	iexplore.exe	33
PID 2996 wrote to memory of 2096	2996	iexplore.exe	33
PID 2096 wrote to memory of 2988	2096	IEXPLORE.EXE	34
PID 2096 wrote to memory of 2988	2096	IEXPLORE.EXE	34
PID 2096 wrote to memory of 2988	2096	IEXPLORE.EXE	34
PID 2096 wrote to memory of 2988	2096	IEXPLORE.EXE	34

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FACUTURAS ISES-AIRE\CON ACEPTACION TACITA\FE8914.zip"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\7zOCB903298\fv09004135880212400FE8914.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
849c6d70511c4e9fb678ad9adbba0eb6

SHA1
d6f23dd2fac1aa525bae02052d4a978074b5ac39

SHA256
737496f3a487cb2bee86d2f2371817b76c9a2ef55f87fb32ac798580830ca83b

SHA512
fdfd49ab4981f686cd20d67fe0f99a4d48af75bd7ca5613f4fd0068d3439c51a46c56d1306e63f7b63bd1270662d8f37b7f6aa816ed1852716250a3bae4a7218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0372610c7e628ebb5c8d0f66b67bb2c9

SHA1
a5584417f7c8177c1d4128768f1be8b9733ba778

SHA256
1733cbaa0a62095cb90d52c75840a1b0beed26db398d4308086011d468d777ec

SHA512
703c22f8c6b177cca7502552a7d061403f249efda5488c5b41d70cd503c2d7aa7db04280f0961a87dd28526d8b5a6407a6f36736f97f0f02caac5c193b990022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1c67cbef4a68571f2378402d9cd99e8

SHA1
089849c539d4dee753bd0cea736f0773ff837147

SHA256
45e031ee7d14620535512b9baa129757b8cd3ba5c3dcd1855859671a411d1988

SHA512
bfb95aba7ca9f396625a2a8d64258e11a6e26e95837e592f549b0f860008bb000570dc28851e4e3a8697db31b55d1b6ab982540635143b82a6fde4ec8e94c89f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c14b62e4801c21c10551155163f0fd

SHA1
4676c7b2e39330f555d887356fdae33edcbf5737

SHA256
faf214638d24a93dbd8df73fda653f3992724ff61c8f5902b9eb227894f94e2f

SHA512
77f1024c3df2021b017afa31502bdc1de50c3e5ba7ec5f87014edc1ecef9327f555515eb248f97166efd777b86f0c54372cba73a290ab1586c2c96edededc1b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ef784b29dd0311560cff73a7dd94954

SHA1
cc16fc41dc45759f1f2e5118d9c52e3426a72e9a

SHA256
660c41d72205185ab0b4a028560bf01acb297349eb926eefabf0a0750b06d664

SHA512
523af52ae1b099ba00824cd185c648a65fb31642df8663fbfb29a001e9cdce5bae1dae6ea0db81750033b09c05b6ee778ec545b0f102640f36cbcabcda6db449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce2a9aec9395ccbfd92f01ddcdb9e411

SHA1
546584d5921f9005a1d533f43953992939dc322a

SHA256
022de52232b3a6d7c2ac2c8b9662aa56a6afa1c535c1bef918fd56edaaf3349e

SHA512
3d9cf3982dc823fc319926f372a1a0f77fd68bccc1db059c5c2c85fdc343673d5f53a06b4215bb87890034c0034010a65a7607fcb699f66b30a2cf63e932c91c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67595bf1521f3927872d35d47e3c683d

SHA1
7e87a55473c798e1618bf5f14bc4378388ab79f2

SHA256
5b0f04c61b6890c3a611d2e202e867887715f2db596d37042f75388390705670

SHA512
2f8b38d66d05344f07b3e11598d70bb0c64d380a7060ed3591ae03f35b7af46bdf3601853184c423c27647ff1a52ecd1b2cd04c30a364ab846689801ee327a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd00afae6143bfcca85c2b5bb2fae59b

SHA1
987d9498d2ada26bf54d2c50cefff39687df15f7

SHA256
dbae331cce37cea3c23e1b02eb2951015514446e523520d7aeea0099e016dbd2

SHA512
9662cd101f3e469f22df6bf49a8cef7681748aaa13ca362dc8564f6fef5976ee0752c6b5463ed5290bcd5003397a98b69324e5c3413ae44580de9516ac66a282

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCB903298\fv09004135880212400FE8914.xml

Filesize
22KB

MD5
f3ab318ff6d26a57398be32a034f918e

SHA1
c97c0098cb77cab7db0e19bce85953309b1cb9a8

SHA256
10ea0f98bee67107087bcb7a6f8a03d7b070e3f587b3c29d9a18ec384eff4731

SHA512
75df09cc8efc59bd450b48241d76bcec7e034c88ae24b4cad03d9d7d7d66b34953211528d913b4e7c05686d638638c812f81c93013deede6268bfc2c30c60f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD839.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD8E8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit