be6424c75717ea73b6233777c2f8c4c3c98e48e13607f5ab049c1d8426bf1833

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/seemao/config/map/www.99read.com.html
Size

2B
MD5

54cafa3a6d69c189cf2df3978fbdd435
SHA1

ab34955f0a30619fc4faa49013902031d85ddc46
SHA256

e12a7e051731cf1dbeefa2142a8e1abb1eb5898e2cbe4aa522120829a5588dc7
SHA512

43e539801d00eb39811341d67327e0e8b7d97677e08c8cd14d501c1276592a80dcc0983306f292c702a7553d34bad9fa768cf9d046059c3a4b2a1a0a892f9410

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439505531"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000ea1453abc333343b2c328cf6941d9b000000000020000000000106600000001000020000000e2c198bf2a953f82b23fe1803d2987b1b053b765116d20db7abab39dc5eb2794000000000e8000000002000020000000fe811034bb19b38cf6fd05183d5397026e7696e7fb9f367553ebd8c33761590c9000000009270b363658716adf9d670dc0f248c37785bbc9af3e2d7dd3968171c61dda05d22248c026dd14d80dacd10c2f4bcb256753ac83e7f5e8fe46999b4464a68c2709d872383576dc25d2dee74dd002ab39eb7bb239c9ec54c222cbdd762a99190d423199409cfb96aaa64fd4f89a04399ff8ee27c19e3b51d5e84ae5511d100116780ec6bafa3e91c9e498ec4639d633a7400000000cd588de14ab7d3a896695b7926f510358343ee8e831ac8c681a993381209bd7e8387270c1a4e852deb3d7e5af0affbaeb0177cb18d158463d02a87293105603	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{47F40021-B27D-11EF-B4E2-F64010A3169C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0db6e1c8a46db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000ea1453abc333343b2c328cf6941d9b000000000020000000000106600000001000020000000eb76be50033558d45a43061a5a16e28fd5030e09be8461becd12dd057b409ab8000000000e800000000200002000000068172ae147d01bbf52160a10355f04f7c4bae5c6d6ba1ac57b4789d34f40cc1420000000e72c98b6d6503b1e35bc9d224a79439d143968c7cb83123a332b74b30ba56ad34000000040be2caaaf271d5161172132a57977d118c07460ba6099acc1248801cbbc54578bbbef3bee8f8e1e0a501861d7b7fb4735af82dcb7d5be8a23ae429abd9f57f0	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2860	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2860	iexplore.exe
2860	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2700	2860	iexplore.exe	31
PID 2860 wrote to memory of 2700	2860	iexplore.exe	31
PID 2860 wrote to memory of 2700	2860	iexplore.exe	31
PID 2860 wrote to memory of 2700	2860	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$APPDATA\seemao\config\map\www.99read.com.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b85fa6e959361e42aa898b67b28e14c8

SHA1
442481f758986cd6d091748d18553cac456d88a3

SHA256
605c22739c33262cacec72784dbae8ff482e3e66d95f61ec5795ff3846ea1711

SHA512
072f357061c7a80e95acc9c50bcce3104be54cb411743e0648692eb3cd8a547eb37cda5fb9a65ddaf29be59cbff99224cf5acf2a13e8fb376185e0c3e16b2af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df9a4f5c792c4782154b900a82bfd145

SHA1
3da773c774b96dc39d1bc869e71fbb86ebffbcf9

SHA256
359bfc3bbc740bb557585839678ad99c65872eef777e60b0d4477b3682f8c321

SHA512
e3cdcf5c97a1b0f3f0f42a991b306d6a6b929240ec30e05cb8a5bbba69979d83adf4897896a94668b16959bd52cbe39c70cda95909aafe7082fa13ec6ff48677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3de8bc113fe051e27296c48bb74f7a6

SHA1
f48094088bd34ac6e79007fecb4f3248a61257ae

SHA256
70b2f8f546234f12117945cf9926c1ff6fb8c11bc45f65b91cd04fa4a1ee11ac

SHA512
6842dfa0fbbecd05d3f640dba2fe51e34aa18b9cbc4165cc5fa341c69c65f1f8d5d64eab1f1b0e8e7824c9258d3be22a97bc7bb54a340760ce1f2c5f282da842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a50bc06d0e21e2a0d4a44f9919434432

SHA1
083117939b653e24f85894d0866acebd569a6e35

SHA256
8446c5a337fdf36b76e4a4450010737d57339753abb6b721b0d9918fb74cb2ac

SHA512
13812d439da2ddbc2487113eae3f82f169fc3a39ad76d560a1d2e709880d138f5d9aa83f33fa2c6951ce471b956bc0af036c64ba268a74d75d335cbc71f7c278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82cd171609a19d8d44dfd0874ba41536

SHA1
72fd867c463e1f672bd579af4c100b8b914af332

SHA256
4f4f347663e6519d5a06dc89c22992071a8b6e1e34ca15b7209c4d68ecf2f10f

SHA512
420f1b9780bd9c3b62bc80f61c269db8a9d384d5945486e030879c8929fdc9f5862042e9c0eb8eb46652b7ed36c22e9270087f761767b2958ae401f8723bd108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8da359873a6feb9dedc3339446c5358

SHA1
3d2c6b4cb881f8768ae8baf89599d00de98b1ee6

SHA256
05d3129a63e18ae69e07cd232d4c293d4bbd0d36cbd32f77eac6817577aef5d7

SHA512
72aa5c9a4d54f08859e42fc287715c81a853f27615a312c4de1245c4439221aef91ab03adbda4003a37a786f2923734a65e935f363db1ac9f84d37fe32081061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96c5f527e9d97dbab56a5ce0f3644e97

SHA1
54e20e081d80fa0f134ad4b282bec83cd9559b3b

SHA256
1815a008c8ef8f29ec30ad9e1b1c39bf4379153d2cdf74504649f7e148ee0eaa

SHA512
5b1eefafea77e7693f66d2e59378a038f2c917d8c876911f9d28109b906deef16e0245c6b3c71367128cd06bb603234365a1d90af7deb2a7b291719a2248ec7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe95a0c4ea6b3294c40bdc77ab9767c7

SHA1
c5f2e4ef38648bd77280af3bc1166fce223f6e9a

SHA256
98af7850ab37217c2dfb2552fca56c80cf983a59c3bc456a5aec7309effe1d23

SHA512
cb2b1133cb2d2d1ee5622efc518a7ee2a42baa65c3de763218ea0a3aa1443c1e7b1e754560e9ad9161de98b7734de9a05fc214527b1f388298bfdd1b45a80c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
692a33ec4bfc27ef0343f39213d5573d

SHA1
6d3945f5c452a4c3f63a3b9def634fb37901fbc3

SHA256
4d2490c6a704a8907e60eb4f43798c849cfd415d0b223e647baa7ac2ce232936

SHA512
1e215f320f12f0d286ea55fa160c3dfd466ae0f8cc7f4646d81b314b8f21775c4313ee30211fab89f85c8bafc7ff0e7c022bfb79fc23e67ce01eefbf928b8799

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21c3c9bf6f9de36e6a4bc1b4236da1aa

SHA1
0aff14ed916f27242201ffe9134b31f7858a1a19

SHA256
a8f217548bb022a6147e903555158665ba818c9de1a25cb7d6ac0ca1381026a1

SHA512
96ae2f121fa0a0117fd7819f3d08417b8d41fdb6dd79c96738bc7c1204ac619fe9137541581c088875e8685f33fa4b313d33925b1af2ff0d1ba799a223ca3b78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b73d00171aaf391e3c574daa81a1879c

SHA1
26ce6573fd4cde3f9d5645d238e3c08c8923106c

SHA256
3274231d1484669d7e02e8a91d8637d364a5e29738eb893d2f842c580011d2f3

SHA512
65b4154cf537724df0c3d9628956b994e48ea3886fda9b51d5c1ed39e622576f5d46f1ab86f4782cbf491822c6b975a855b2afe99228ad32eabd271616bfe5d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08ce421a49f53999a219815f0b17f7c0

SHA1
bfef81c6ba0af9b0f831872e5cb74c3679cb49cf

SHA256
2ba4b078e858b3a1405a4542d0ecec82552897a65c01737fde6e15443bf7399e

SHA512
6b9d08988c1a698e21c5305082a910c632c15eb135d67f47b4291236b81d16a8dc84752a5aa29f9c185e23fa565665fbceaad644348ceba5823257e9fbf4b5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b9a67eb41a60b3ef20a247f68c5dedb

SHA1
bc8386d99406403a5a1014cb41554b0b0260f130

SHA256
de2b5fad80dc15b0d88831480d34dd9cccf84563c3bcaab7eb8af1c63512f7fa

SHA512
41877e9dd9d17afbe3e5572868f7d9632cbb6162841589827fb57e15e406647d5a4a4e79e7aa3412cda542aed7fe723eecef657ff7578bac3a710dc16c1be936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
064c1b235cca8b2ea561ffd0ceb0f4a1

SHA1
9b8295d0379f6c806c6abab3d27963cab5956ce9

SHA256
60cd398677158d2e3a012496245fed80c0db009cedbe08c1b326bbe4d48a2258

SHA512
4ff35012022b4f69937949da3c6f1e99733772f077f55d00069d7f7938b040436380ee647d6b3fbfa20b1f30edae8516f0878bdecf800876fde91a3d5aaafaa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29637ad738183d738711c8d4f80a3d3c

SHA1
b6b0b3dd42602f903441bf828677e016e170d657

SHA256
6aa0021768f62e1afb4e75ca1caca52900b4356e39abc628d7a07d31a2d1c8ae

SHA512
d854685153c0d1555de526d04d8618ccf933522b8a45f850e3049e6470e4c80570f7cee9c08623ad32a2dddfd10724b831d41671ef35d6b8136b001c85d15f6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8836ee8cc98d24a2b902fe426b888293

SHA1
765b4870245c8b60b547b13e08c8e91b0a7759a0

SHA256
3cac3c16eb5995208e547db079c57537d1588535f1c18efaeeda9b214f7f1fab

SHA512
86a7962254d351c7814cfe508c56a747c52fab0fe0d1f18f084d3f9389a80656200647fa6f887516d548152616d2f480dbd25da8e15d9f685f4e7765fa14d5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAE5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB94.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit