2ad8902417ff3f3d730c8aa0127266ebf4551b07cefc43f64402c9678caef14d

Analysis

max time kernel
117s
max time network
138s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSES.chromium.html
Size

9.0MB
MD5

ae174699b663bd90d8d06c68c6952477
SHA1

8c76eda61d320779909adc541593b8e26b24815a
SHA256

c6737ef4ed9de369077718824f76c5e7026d0e39163e26af8606783e41c93e18
SHA512

3fb72dcd790464dde34978c9d0895376827f4d839b4a199c6e9fe77ab810d62b960babc4b21f6e189dc70147b5fb4334815730f4d1cdec05489c19e0725c2158
SSDEEP

24576:h+QQf6Ox6x5n1nZwReXe1Gmfh6k6T6W6r656+eGj/dBIp+:oAPeGLp

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004a01ac00d9a2649af233bdd82ee53e400000000020000000000106600000001000020000000a76f9526c34b4719988461a7af3c9e1084a36e3ea33c40d06b91213d87350a5f000000000e80000000020000200000002a9065edc5bb293fde6b143a60eb5fbf7b3eff4478e0ee0d350141bdf30dfc0d9000000084412e893bdfeac7dd25ae5268d5e42f94943ab533f1c1b7d521249478ff8c46eed82832fb95fa137818dd920d6e09af1d5e764dde75bc71fb315a91cea0626c79465df1be4dd93e05f659ea32c91ebe72b9b264770282754d2edb52318b198d7f98d9bfff11179d0a4acf9aa47e02f28e63993dbb358082467daeb4cc01e08b4c13fd0ec902d68df380d023b9129e9440000000d0cb8ddddd331a2ad34a1e1ce45e82e3a0f52e758d8dc20c85e008b41bf033b1297abdc0912026da74c47634dc4324771aaef5eb78665da2cc979e5c09de5445	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0e48214143fdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438685177"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004a01ac00d9a2649af233bdd82ee53e400000000020000000000106600000001000020000000c6984f2376203bd7a1213af59efc8897a82b2f8178eb0948fc7fb7a9a643c210000000000e800000000200002000000090e391fd8cc7d363fe2ab949b88d37ea1dab0cefb33a2c371908ce72796f363120000000e1c5879136069e447ae30efda95abf0c44917717cda370e051ba8a505e4803874000000074c435c1556b80286c8d14ce2bba61249b9b758da45ae92eed5610b83d211a3b698afd334a4ca7f6a02dc7f38b3593b873eae236d4cd619e69370f6a0e7fa0f1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3F9590B1-AB07-11EF-88C1-C26A93CEF43F} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

588 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

588 iexplore.exe
588 iexplore.exe
2192 IEXPLORE.EXE
2192 IEXPLORE.EXE
2192 IEXPLORE.EXE
2192 IEXPLORE.EXE

pid	process
588	iexplore.exe

pid	process
588	iexplore.exe
588	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 588 wrote to memory of 2192	588	iexplore.exe	IEXPLORE.EXE
PID 588 wrote to memory of 2192	588	iexplore.exe	IEXPLORE.EXE
PID 588 wrote to memory of 2192	588	iexplore.exe	IEXPLORE.EXE
PID 588 wrote to memory of 2192	588	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:588 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
227d9064e92f920d649315f77e27bbce

SHA1
1e88d2bd5cf779a08fb41a578343105ed972261c

SHA256
f7aa7dde62bef3fcec6cd0a2bad39026e3c8795d4a7808e51fb0cdf848a0860d

SHA512
971f2d5f8672f9a555a9bc66bb4468817c797ebdd4a4fedc79f66a81d858503f470162d55f2fcd630cef7d7fd93fe79d981405c5f791acb60f1a79452200c260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c226bd5b9378df0776436587f92fbd2

SHA1
9cd25c0327aa67d84d3e4fdc14d81f6017d44e91

SHA256
73ef41290a4af3e9fd7b19379c10e2e8bc3bed667d3283929214a0fa47715c91

SHA512
027ee5e5a8ee96d9275ebaca1dd9627690504553e1f97f6475145bd3693040c5ef6f036b541a28890b39dd28c8db34e09d474fa4a0c49204b6393aa342bc6e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c42d8335d4956cdbab59e4ced8c39ed8

SHA1
3ff733bbb9f08e1630d13080db8e51eb63cd7805

SHA256
c707c7d7aaa5de59420942f23d7cd36951a6fe31fb3872f03925c11ddcc9b86e

SHA512
3824f1908559d66996b40e1fe1c964c4aac5cee49c2bc207ac06d705fb38f1760dbadfc86f7d39f327698a3200b0971e2fbabf8ef1917d6ec7f6855a90e1ee40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea212344020794531c0b72a0874c44ac

SHA1
23591624c07394e128edf927f4b37db7bc860807

SHA256
73a136e708721fe190a7f43a1e584186a7063a052f3f38bcda60e8318c6a0178

SHA512
0f9196549419088b7959875cfbcd282bde695f98577251da149080cde21f7e1a1bf994ce9ce0cdb5f6c00c740aaf7c381b7dce13b02162430a137547daf40849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a51c5462fd4e65d222730a85c55f2479

SHA1
732096102e3aed1a31e12c54e17a8b380393950e

SHA256
c777925bdac200b064e50ef4add14d4a6a0b1e123f19af2052668276c7f107f0

SHA512
9fd438ae6e400a586ef7cc9ec28687cc36ab0ef86fbbdf62055e5b873435c48916148f397388edb05ec707308e08d5d78522ae22657724ca4cd87763516c0260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4bddb76029135028a77d9e358ed0f1c

SHA1
1356abf82b3c49bcc34e2c735d9d4ae99cdf712f

SHA256
ce7c72e3028a7494a9b4f0eb449151dcd0d2fb7876f6eb8ee09647c7070fc81e

SHA512
955973a4aa4583db6093f97cabda7b74bc1668732feef1dc76007aedd74c0c5db22b81965844972bf228afeaa2d374acdb1f67840852d7e490a278e05b478001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
811540babd1462f5e34fdbdfaf577bba

SHA1
641b0b01e8d64b727bc9619ae0c25fdcc9b15132

SHA256
428e16d7d8a4003415ad62d8c7db4ff8c45d742a550800da8480c70485a75718

SHA512
07d51d5ccadb3c06d583ed1b8c99c3b39ddb396353c9055ceb4e43862af66e1fa4c4dbb2a897c424e36c48db818200a76236475d1904699c93a9ee399ffefce6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
032f23604b8b81ea2b4ac3b0773abd24

SHA1
91ac85269593ce5f8c5981c40912fb93b3854533

SHA256
f751e84afa42fba1e98e7d5794ec87ad63470182d705bd75c2904275126618b1

SHA512
333aaea9426de0e55c787209cb797f0cf01ead7145a854d2dba6ada0bc8d58d6e1c11b68a544ded297a7b889665b7bf2574512830df7edd66c0f4235e9b84516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
151d08f01f9aec97a3a037c16d6cbf10

SHA1
f945d0b055913c558be7a1bf7373fb8ae8873f95

SHA256
52eea559cabf8a57a3e453ea79014f508b9072d31f4af26386eed5b02f08b6f7

SHA512
4f04a1ee2eb6b3553054e7379e207fb3d5d8d92ad08853065b471480bd8ff7343dd95e04a95246a90f090ee2461554757a3da3e17428848931a4d7c0fbad5926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c98b0e3744ab11400268b414274dacc

SHA1
7173d5722bd95c421d61b448153b73344a710208

SHA256
f4670ce7df5a0ea74f8ba5706a007f42845952f026b43d2a2d74405f2a07da8a

SHA512
57ee7e8a05fab5e26979005a43d9aa63b92c85732af1cb05a12ae71416bed0c9a6f0c0519cc08c694e1d4213bfbf4758f015f8be0bed9f8b2ee890aa0e8e200a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c0a6b482c837409a6bf426824eb7687

SHA1
2a5932c4bd2faeb6887928a34d2561ee71fe3f60

SHA256
bb9750e64b157d8a85a8ead990a6f01ac0bdc6fce74337d4c625410d968358a2

SHA512
84de251212e4f1935b4e75f32f7a085c15f5dcb6c8702639ac4847365fcb3ed0ce0848830511a81a8dd32627251ade803e07bee8fbeab6d9635127bebddcf3c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c76eda37affd214d0c43ffffc20f122

SHA1
e5adde1a3aa5e03b67ef6ec72ce49032b87abff7

SHA256
f283cf9535c8d98e9c4870bfffcd088977242f0376639841ff20a211bb145016

SHA512
b70cb4d07f499c43584da235a763821c24121bac93846772953ee0bb3da77abc6a31618a8206a038813d0d09cc1b52b8c53311456525c5c78fb0a8de4658b6c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06f7c1de0e8379c50f471327d3aed58c

SHA1
bee7bbb7e7577837209037cd154860f0b6820220

SHA256
2ff5e4091606c3ba1a4a60f32118914a038ec29f14ed5fb4d035a405838eab09

SHA512
941a80f21dfa1f4b1253fe0c7ffc00b15e229df3ac9f69596307967dd57a6217eb78e79a077c7e978614f73deb6b16b67888f1148875b97b3f3b47ec6b679e13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9523144aee9800b2d057420565c351cf

SHA1
b29d0d4d97feaa795d87fa7416010ddfc86ee358

SHA256
d55e081d84b04f845c3200cd3a9f0690c6f2fe02918da4c3389a94a1e7e46e2c

SHA512
b9ebe26b62562968ad2ddbb014fb58fe1ca0d5acf348bbaec21cc10c4cf16b82f5ea7dccc9a892ec1dd8533115ed8fc3731d79712996ae10799ab083e750eee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dc0a596d496c0a41c585df39d5f3f62

SHA1
b6b4c02e354c5b4408de1910ed0913a572746df7

SHA256
f526810d46bada8666fe48eb4aabc942e3a092448ce90025d5a140455f8cb39f

SHA512
9d38fbbf96b9cf16e53f08c06aee90f84b60f445f824d5ec7152d369360da6f7c1fca76b750bf678a050b76efd4ad36633c5de18bbdf1d670385aa65ac2d0f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D33.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D95.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit