be6424c75717ea73b6233777c2f8c4c3c98e48e13607f5ab049c1d8426bf1833

Analysis

max time kernel
134s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/seemao/config/map/www.99kaoshi.com.html
Size

1B
MD5

c81e728d9d4c2f636f067f89cc14862c
SHA1

da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256

d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA512

40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0659d1c8a46db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003981b55071f58b4e81b3f42c21c52dd400000000020000000000106600000001000020000000451bdc4bb8e9c6b0a2504c15efc74a64e22bb9a44db79e5311a10fc5da0fbed1000000000e80000000020000200000005b3256a7e536d77f455a49b1ccfdd2a12be845dfc78a65242e08378ab6330e989000000025c4806ce32ed99c6bdc494e2844157969820a9a94318bcbc0a427341086094b7772aec3a52a5a6a7c6b53a5dc3991617f8578befec2d12ee40192a00f6f0693fca86a6bbd9ffeed21242d91e16d9e3a6dfe18368a7f1abd916e4ff07d383f4199bdb370395ea7b41b82743c44593550991175276eddae48f3465a78f960ad387f495a1d7cc3c845fe4e3c66da82f13240000000fd39d5b245adc1288a6bd21421dc27b0e82600c63005c9f4a454ed55aee942734d96d0c3ea413dd5c97dc6632f5f838578421f0d0375605196d9b5d2f2293f1b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439505530"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47EE9181-B27D-11EF-A322-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003981b55071f58b4e81b3f42c21c52dd4000000000200000000001066000000010000200000008f433b2629968ac4369602503441e08fcecfbed3bd6b4b2584ad5c4bc020db7f000000000e8000000002000020000000e8d02b991db52ec0b8f03c1442d54c8a9231a2b65940187ee79850c79c9c15b920000000d8899529a49122df7ddb6a15ff53b8a408f5172e074300471b4e65eefbcf814d40000000bfa60d3a07aeb8ba7a1bb467b558407b41abc91bc007629ebcc60836ee1ab82964cc01916c534f1526090782d64e9af465691e6f61e87d2da3cfd54c707c61ab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2344	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2344	iexplore.exe
2344	iexplore.exe
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE
284	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 284	2344	iexplore.exe	31
PID 2344 wrote to memory of 284	2344	iexplore.exe	31
PID 2344 wrote to memory of 284	2344	iexplore.exe	31
PID 2344 wrote to memory of 284	2344	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$APPDATA\seemao\config\map\www.99kaoshi.com.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c95524ac847b0b6932089572725e656c

SHA1
4ce7673afe7884b8a7446d4931b2d6d0ad70acc6

SHA256
4d714cc5d6b3f9752b7dd925c54078cc5dba13433b810a086f332bab71e20eef

SHA512
1e324765fe82889d422d109d09ba5969c4497aab11a4952f3fcaa535380b7cb51ea91fef58980b69dbaf7ccc9dd5c57c4bd5b221d078c5c7b6113b67d4f9d3a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
889f6516f1b645b9fb98c76a6083ae92

SHA1
3a8f70778844408dc5d505e0be67eba8eaf169e5

SHA256
d07588d17361548aaa3c58cc1ed9e7394e07fc0cdd1244f3ffe3eaf39ca162f4

SHA512
555ba565d6beb5e165b8bb0e9af042e121c01aec7f4f6d299a047dd713ddf14a4cf7b07612306624ece80a20821b6349da3c9a5a8ed483d0321c2678d574832f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d865af8ba705d766205c0f9ec33311b1

SHA1
b4f67343299d296492951b13bdb625dfa2efe0be

SHA256
8feae1a5f57cfa0466f09f12bca2268b975a55828e4b0c983e1f974f789f044d

SHA512
293dc77224b9c4b61230dc1e40ad799eaac6ac58ace4ed4be7b29cde3e8c7ae4dd2e0b0e5aaa52f6ec3b01026e28bce4d4e8bbed3a9356fc7d0e86dc88e9f349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a89be6917d8df62bd89900251164104

SHA1
af8199e96dc227b402ffc22d7ee15ccd83816f88

SHA256
01f67410a37744ae3f0f8c9eb23e31360749009a3598841896faac017fc727a3

SHA512
923222548a1daf952280c0adc00e91880ae7f7986dc3d8e7c59cffc499eeb9e20f73f1d7283f4afd96a84550c44a372e43bfcb77a4b133e1d14d314ba61d902c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c2109e74ac9411cc5840701ab2b58a

SHA1
fbb72cc1ef623461b4e3995d3bef584f0aaca8f2

SHA256
13b7847974a632f890b3e8f591198fbac2f4a0c0047b6561912407353bb3d530

SHA512
d8b775cc18cc409ca0097c84cdefc7b92d5e98d119bdd3668a71d6075921de596760f8c49c0b39f0c44ae27fecde357717961c74b07903ba6834bcf9416077db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9abe923f77775d0934e702fb38bf10d1

SHA1
d0c7a67249e822e4dc0b569b4e88b834f559f6b5

SHA256
97c21d2247acfe1dafefa021bcd696aceee6f088c4dc5b88ffc70b1703bb393f

SHA512
949eb828b0ef3168cfb08c6e0a90ddff9330df6e2f1c467db744b9981b7a3603bb664af7faa8c0ed1a077cb12739b5df3389129c2ee5f764863e03e7b2d0207c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a771b14f909e361115a2f9c216f6245

SHA1
a20853190407f26acfbc2a1db7337481374370ed

SHA256
fdb0bd364f5e33d22eb44221de1b73ce6e7f69b1a4400e871f10505495eabc33

SHA512
50446105adae4380670d4f0ccfc01a190eecdf4eadbd3bc6319e7d1a124be843ca01d97e96a132d4645b26979c1a0247c3a478fae69fc2eef2f05ada737c0e8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81cbdb97bf65228d3f2d4297197fb5a3

SHA1
2b747c6c4c59517c4b14ca08161b3a2037f46d73

SHA256
aaf58323f2b30c17fd96e107c0768ffb5c498b87c571b667c1bae0ef6759a458

SHA512
8d9fb3e2b3463f7b2533cb46563bd852bdb4b811f51af8cae3105d119790e839d0dc2d37e54a22c8bae760c6fd89868cff0c0f5ae61675d9da0aae529712fc4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deb80e47456ff429900670dbcbe6d4f5

SHA1
e7d0fe6310a3b414f03172bd92843e8327eeb149

SHA256
c21d6a7339642663faa73b255955153fb199b0a6fbcc4fe332f46ac724a0821d

SHA512
aba9d19b51828909e4351e42cbaaf0e57151ba735d1c8b4c3b49a64ddb2f6efc41f26cfe40046139a00c56eb88475aa77cdaccba076fe3ab31466cd154a83f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
509429202e0bcbca6156b93395113f4a

SHA1
9f0dd8b4a923aab56b55bcd6263e74d5817d82cf

SHA256
3f6bb6d7d23e76852a60fb17ae925266955518f3cb78586488bb7a8464392c84

SHA512
8b48c5691b0f19067b15a11ad8eae504940d1b5919400a5f22fd0ca2e27191689a74b4e5729b8c459f8d6880e716565f5f6ee64bafc90628a98029106381ddee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4494540325caaebe5e32a412a13d410f

SHA1
f0fe20ade1a8fbe3b9c37aa512742b968c43ed33

SHA256
3d9e3f00ffd29feb6d383ec7c4103e00dd184caca0833010b57c1facec7bf97a

SHA512
9f069cef584b5006886b1b1ca032b503b66531489610457b172b56fae7929fc1e1d329ff390c10f55269e38ba54b10fb035c1a4ddb004ed86b1dd902b2a83f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25a581117cc970794dadbdc2eb07079a

SHA1
5f77e432c60976ed85d0ae8db197a981ffb460a5

SHA256
4af8a4c715102a8d0389cc1d95258b11038cd527c07f9c6ece791ca5b7d38963

SHA512
d49ab526abb5099b1ab3e1c1024f083af739f48e984cb65af2918fc21125160011ea2fc267765d6c21868ff2430fefb2df12cc095845b00bc21431459e0576cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1caabd6bdfd7fe8c352809e59445904

SHA1
ba08fa68782ef0627d6270bfafb7f793a3132a30

SHA256
995820757c89eef6baf6e23692a6a6416f26800ff0695a43c4897a6dd6701ff1

SHA512
314240910613c675ea690a41f295870e4797a54f3a8dfa9820e74713cd1b7aa01bd85403d0a1c97d483ede8d8a2d15dbb52b241953e50af403c68ff1669945b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8332793c1cd2a180e11bd923c570035f

SHA1
481e0a4eae4af2312379fbaa381df1b8c67abbb4

SHA256
c1ebde8d2438ba90d50f065f55cd38dae91c508bb2e1a8dabcc5fba7066224cc

SHA512
4eeff091d838966452b6e2674769563d975e7da8795024fe376dc212f12adeafaba60ef28c9bcd6f0af4ae9cbc54b0cd962fd60b6747f234ccbf88901503b3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFF75.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar37.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit