be6424c75717ea73b6233777c2f8c4c3c98e48e13607f5ab049c1d8426bf1833

Analysis

max time kernel
135s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/seemao/config/map/www.360buy.com.html
Size

2B
MD5

9b35dd1fd8fb2e8ba4a972122aca50b4
SHA1

3e7f8dfde6fdfbe8ac9722e701cef405a9236330
SHA256

eef2eae2699d81c58d176a9a58d4bf183df2acb6844b9eebf1cc60ae460ec50d
SHA512

dc7fb0400a439e7de8f851e28c48951459483089398ce3be6596f0abb8545f27b0b35eb901e9a3ccb7177e70fbb19276d4f885258089e8b4ddfa2e10facc3c1d

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4760D071-B27D-11EF-9E7F-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7018fe1b8a46db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439505529"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000a43b3e9bb44c8499afaf310aca74413000000000200000000001066000000010000200000004f97f557896095efb08c1e90e0ed42c6783e109414d29568366105d5ca23bfc5000000000e8000000002000020000000bdf53a8f41788b1dc39a097c725187d1c78f7afea1ad33e95bff3c906a66509e9000000011a77a81878a05f8a72707229aac372aa774e995686f4aafcb86e24cc1330fdd1892c4aa533dccd50fc2ea317e39e8a44dec22d00040d97b165558a296dd264719e2f804d27377310aacb5e360d89847092fc901a7bd616f00741428f22bd0f17f82e57e0a89c3bdb38cd0cb6b6f7e52ee3e12e545dd725d9ccc173f67731f6599447486ec00bebca0e6494c8f4bc37e40000000b3141dc266f12a2c21bc1fba952f398ddb489101ac804ed1bb4b404430cb769a1cbecf43c75da76719169ed2f7dda8719cafa81f542f20e5cf27d8d763657523	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000a43b3e9bb44c8499afaf310aca744130000000002000000000010660000000100002000000008c7b5c36653edec4488318b54be26b583f1994a87ae734e026cf2493ec4209b000000000e800000000200002000000047aec3660c2837d5a88ec3cb3c0000269ff56c07c3bd86178d49fcb1dc24b3e12000000052fe3d027394d957b352469960cc07fc3ed39b53ed7554a25a74e8713b3f16e240000000928c0c076d20ee01b8b1979ef783b62cd3bb83dc7c7198c4f46ed2af059d2a510a49cc10487a36a41bc3c381072b8354b33f1b812831cb42fdc698710fec3006	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1868	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1868	iexplore.exe
1868	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2376	1868	iexplore.exe	31
PID 1868 wrote to memory of 2376	1868	iexplore.exe	31
PID 1868 wrote to memory of 2376	1868	iexplore.exe	31
PID 1868 wrote to memory of 2376	1868	iexplore.exe	31

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$APPDATA\seemao\config\map\www.360buy.com.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d7eb73edd4ac648eee81833a200f17

SHA1
e61d338fe83cfd9bf17a04dae532a6bd91c6e408

SHA256
818a540093e2a23654e78773491eadc7c1e8013cc1084e38566d1228aa3fa363

SHA512
13d02780ab13124d9312775ae1440c0c8e5f2c8707cb29b300f40443b14aa93de3022eff4550fdc50a99b0adb98a13cb9f5647ade21c58d153cb09b4c8865461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0935be699c2c81ce63c5ecd20511ad91

SHA1
34901b984f546a0b7a62bdb6f2859c75a1ff58c1

SHA256
4a2f271f5782c57f000deadbd78cf4d422fb0d4ee46b1a664b2532acdfb8753a

SHA512
5ffab691d20b444df24e14ac9fd80f30d5f6543c740f97c8fed93efb579a4422653509e9fdc3ad0b35c3dbcaef5f754a6288d0d2ee78fdc6006266f392a36d50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20969c3fe4b58476bd3aa18e0155ffcf

SHA1
274e3bc533f30c3fd93aaba75d28cd32d4984e06

SHA256
ebef29f310e7a80e2f2b6fbcce5cd6d76cc04b8796c58f289fb7b0982696cad2

SHA512
2786165bada7c47a46862c4331eb07a6ded6dc23f60560156308a4acfa731b0d8ed5b6007c92be8f4ad1dfb3bfeeeac46b0e9a26ea6ff07c6955ae8658bbce3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feac9a0f176e3949f1dd29e7665efcd2

SHA1
21f65fc02465124d616d556208ac01046c5a855d

SHA256
4ef8064c88501a0282b65b8b556c0c47a68d3b377508d3dc47438a7eb8600bf8

SHA512
4ea243f719a3f38ffceabc50e28dc67805a33ad950dd20b836de80fe8c167d99a51f88734b0616f8948113de69dc9bf9d66a91d57d9c9ebbe4c6c506285f9ef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42055552ba1d8819baac81975e7e9b99

SHA1
fe1cce57b90df41640655f46bad873b8c2b0bd07

SHA256
f9caa0459e186f6a5e7133a91719122651340131387bb573621effd8730d8c9d

SHA512
01affe37d67213afdde7059679787607dddf34218929e1dae6691f15e0000c5f783417d5a3d53405dfb273414b1f029c96105d2235dbeecf003172f1d7736480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
254ec7476d2e60f2d499406b85ea2b60

SHA1
0d6f0ed8da0ee571435b855ed7802309241d6448

SHA256
e1bec4f7150ff4b6f32cc6ce5b4667dfdcc127bdc0103d1daf18a49eb83a9a35

SHA512
1f268e40af0129ed9a358c18ba0f9d3c520f1be910b8cc43910b147df840069052f19a9dbf5f978b0ffab8d718ab1f1b1c9a51ff060c021d928ef28c2176ba60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dac04896aee71b2f01005644143ec87d

SHA1
eeb15e76a3d2a344c4d81e0d866e1f937542c986

SHA256
a83f86df5644ef699c2de769693cb90f4c80d6da7c5abaf9342625fcc0524010

SHA512
ab3c0fa654c8be8038031f010e673467df179f5ea216a80c9145bcf2666490046da62e651429294d9c2d947cf4446cc98f9b71bf34879cfbe1cba29528d59e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7ea88734ad6c4907bb8e3f424b29014

SHA1
000855468e408d951f72dd3ad7c5388d0e25577d

SHA256
3371a7759a461016b0e9e0d1f695bdf439bd0105a4424c7b213a845d39b07366

SHA512
212743c5d74783bba1dcec09e02f5adc73f3daa69a723b877bee07358bf6be3bc0f1240d3ab7b91b711b700f73b5a9610cd314f497c15765d12731ca871ba6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62878f3eebda2855b6efb8250401eae7

SHA1
d3a995535e186dac17af6461146947a1aa54b620

SHA256
3c7e534b782d9b1dac31ea373daee8a8e0c36ebdadff29bf77e55a9df2f6ba6d

SHA512
4362fb20ce851ec73b0cdeb35f864b6f321f57c80dd4bf2bbd27c23a2c0d62720eeeece2160183b1d1d5134803ed07ec2e9229df299df695993e76a2071e4f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9828861d430627e2cd06fb2a98117d3d

SHA1
9f0ba4c1010b8fa1d8d61c58184b80f33c48ec31

SHA256
6cd3ceb474bce5ada77ea7db0744aee5b6036a67c7431eb4cafbc213432f1a72

SHA512
47466c996f07e755857898c795b9005dc95d0f848d993fa7dad2ed76d08be92cd7cdd625a555264e576fc03b3b5625d4cdf5eb44ce2025977bc50490aa66c23f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41547c884aede3daaf12e0a5a9f81bc7

SHA1
a1275dfb75f4637d7ecee794628741413c6b1313

SHA256
16b3622e51406eb4d458f68dd4b77acc4ee77532a5e45b9058d175ccade47509

SHA512
c4df41e51e27926ef38a907e099a46226fceae7e1fb2a6f82440d49026593a9d34bfdecd90521281f9ec27dfc38a6c583128496a9787330ea4c97bde28912292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bb3958df29cde7f14001642f8c0c0de

SHA1
416d783838377a64c6c85d80dbb80e002e20c99a

SHA256
5fe61588291fd4a0886d41cc2385c39694191f7d5a6a51d5cb3ed7e998ee463a

SHA512
0825585ff2121135d99bd052632e0063cb453892cb4cef998125f10c73565eb01b2913878ab0b638a12fb9b8cdd7c637cb2e6f67a366903ec8cf01fe14650ce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b5fd34d2976080b0f7040788c57c043

SHA1
c76842a6c2b4e88ddfc2855f23da12161c9fa490

SHA256
ee807c8345e9ca2923b8e488439a1181babfb273ad82778771eabb4afebd51da

SHA512
448784d68346835be596ab37da838528c60dbfb9a5e5c4fd5cafb200b38ae21c15a86ad857622be9511632ec10aade3ec718c6be8327508ec2bfa83fce71daf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
685c25980f1227169b0ce3232577885e

SHA1
decf55dce252d53bd6b93df5647728673a6602a9

SHA256
945f850ae7564eb6a7ef4040d043eba1c67dc534f2d0aea6cc57de51a767a2e1

SHA512
1696256b8a97dcd1a143dc95b6d39e5d87b0b3b3db5c7e037877404e82770efccd2496218a84ccdcf592c31e7944cc9f45baa80cbeac25ae6cc6310fe4dbe29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3a695012fe67a9a70826158e3d9fd33

SHA1
f1325119c51cae3e7ccf8226488dc43946a710ba

SHA256
52e8670f4a72c227c1e7a913b47d61bcf9512ce313674f848df69c4ad15f6712

SHA512
d28e3fc4eca7e7ce952421b12675bf70d68847cce5d0f922785c933d56f6f5742d03505d469c630ea661e06497873a4adcf4b5e85667dd8ccad3e25aee337f0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
423c2501cbdef80b0d1bb5825df97ce1

SHA1
73bd889e42879e9ac10e7b5f92d2992ab6455344

SHA256
ab51766ef4a90ab5142a01814e4788835bf60e93c1d92d9b3e140ed018407fbb

SHA512
151a5da174b0c5816a4fe37a7c08e5e318264f99ce9e754128dcd360212ce604ded1005824d0ec791f63ca846ecf249860656414395683a8ba24c5c7477e5e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab976.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA05.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit