5328d5f480f89cf93fe4f578facaa9622f36e802c436ed20b9d83e11b98700d3

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/Exceptionless.Wpf.Signed.xml
Size

1KB
MD5

37125212f6c1a854285080c32a21aea8
SHA1

ab58c4e0fa53f93fe23f17f132a794ccf296f3fa
SHA256

2175df5b1bbd41ec159e5b51cbccf03b8d9a09bccab527182072dd01a2705ac7
SHA512

60996ea9a70a961cd3fa93b89c8b7b2fb56a3a923291744f4d4a9ec6863630fb06c95ea365011ede389a73abb4454a0cc5f704fbc16399d3600904fcb16c4cb0

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440550332"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b94a6f409177e0479b5a661aa7b0fca300000000020000000000106600000001000020000000a3c9b4c9e47550146a271a3228f0795ccb1c37ee86dadbac62ce1484618c42b5000000000e80000000020000200000000306c02f5c8281b4bf5b9a3ddc0acf576d321a397d5e1343f580c32b4c37f92f900000005580645df7878d4a535939c326e507207d936b2452a854d2010563cb1053e2bb73cc77ff6be5f03bb4edd58973370cc307a64738eef202ead860e4f262e69a359d0838f770ed5f4b5f48b6a2b269c46f396278796deb2c290662849561002ccaf953c60b973a19fca2d4a1c93b5802f7aa80a7d612aa09e42863ccbaa8592e641dda304951fb953b6b5e1fd2b7d04764400000008aad6003d32701d11a269a1c59e195c7ad3080c6d5ef828e7e3836f4be17163f1a68442cc067064b19569e662eb723eaad0705830d0762cafe8370bb81cb6345	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40ed3ebb0a50db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E69F0561-BBFD-11EF-9527-EAF82BEC9AF0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b94a6f409177e0479b5a661aa7b0fca300000000020000000000106600000001000020000000cff202ced7f43c2f8aa1a608b4dc7894aca2c1f01d465200ca09a0161dd6aef0000000000e800000000200002000000073a39f0b43c0276fb9fd00bba6aaa992aeff3e228c2cf03596c2c256d477faa2200000002da2d152314c11d157ba53f9b0c5f188f40652df3c8914a2a208aa24f781a9404000000065090474022b572ec3b2785a003508b7d9c33a46e74be154ac2cb5394c886772c934f8caea4ab1c45a7ac50446aa442124b5125a301b024c30ac0dcfc84601b1	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE
1604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2788	2648	MSOXMLED.EXE	30
PID 2648 wrote to memory of 2788	2648	MSOXMLED.EXE	30
PID 2648 wrote to memory of 2788	2648	MSOXMLED.EXE	30
PID 2648 wrote to memory of 2788	2648	MSOXMLED.EXE	30
PID 2788 wrote to memory of 2744	2788	iexplore.exe	31
PID 2788 wrote to memory of 2744	2788	iexplore.exe	31
PID 2788 wrote to memory of 2744	2788	iexplore.exe	31
PID 2788 wrote to memory of 2744	2788	iexplore.exe	31
PID 2744 wrote to memory of 1604	2744	IEXPLORE.EXE	32
PID 2744 wrote to memory of 1604	2744	IEXPLORE.EXE	32
PID 2744 wrote to memory of 1604	2744	IEXPLORE.EXE	32
PID 2744 wrote to memory of 1604	2744	IEXPLORE.EXE	32

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Release\Exceptionless.Wpf.Signed.xml"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e0d459549ebfb06f96b5035bc5b2b97

SHA1
4c14ed715fccfa9e122bec07b71ee7ca8c7f4296

SHA256
4be76bdb157eb00c2c6e2057af14856b61a5ac4bc96e4ec354a30c1c9aafeec2

SHA512
0a6f884bd36a3a29742239072bfa861327473ee567f615b03ea8246043cf9e6b25eff8be32b8d04a8adf2af31ea9ac2601b6effd553f56c1f000a108acbcc3d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86111f23ecfc0d6e037d2f485e976ceb

SHA1
43b261a4eb796fbcde1181b74cf12608d212a48e

SHA256
2b8022cbb45e9591b55862850a897e0d5a186dc42f3f486fa0aebc3260e27be6

SHA512
565a15f3328536a886a56ec39eb700e48baf41d123778bcfce15267818c109dc0833f88b9810ce106ccf72f187d774fb010eab0f01178eb91650cb9facd7a947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61696e909ec0fc6086572d4373348e0f

SHA1
db9a0bf9eab5e75cb9d294012b1f61b1eab020a6

SHA256
0b1344ad65dfc71c1bed54b5eb74c091661aa485032479f2f61a3d2c3fdd75e0

SHA512
612efc32c75fbd24ab45249de6a5abd15c9dffea55d5fdcb86e5d5b1477c6d787037170d93e10f40bc27c32e111695a3247ba2328d5beffa2f23be7893bdabf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbb7d2483c23984de7edc6395b7f2431

SHA1
27e8836ada29afc280b8aaba4cfb59f0b213bec0

SHA256
be897ca6749d0b75b381b07995b6a9b7cf7c44977a6c342b832e4bd9025d4676

SHA512
42f3e228120bfa84adbf44b342b65f24166cd6f09acdcd36598737a1026de4de8e155737f14761260a332e6284478ef6711739c530b59b0a79ebd193f5ced676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46dcc9a18dcb63c9a0b32b914651ed68

SHA1
7d9188ac24543d3465fcdedf4ae6dc45b0bd0bc1

SHA256
bc7564eee4d6f5d23630788c0b4d26ca46f8abae408a7af67d7bfe061a3a0fec

SHA512
443067c8d0b8992d293d7579773e33424ab4d2ade5df617680f651381911c9383267e275a83bf324b94a8a88ee7093e7eee57b952bfa9e19a975c562d86b174b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe11d42e597b0e5c9458620f0d5a4221

SHA1
223c7bcaf040cea317514f44944b02eb5c98751c

SHA256
04a96a52729a72eda1897e9c0d0e44492083b3b02a1c3b594e3afec00cc6433e

SHA512
b699195008594aa5158b34d1f60547e1995e915d50c20ad355e8e8b2f5cbb43cd59ec8fe2e42a081f7d5271570225c03852edc2709fc1ee05dc4963f4d3d35fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221823bae187469d1e931206afef700a

SHA1
930260b834c1d556458cfba89d8f1cdcc0b6d623

SHA256
5dc4822022bcd6ab9e074f7d1610c15743c2b28218123f5943913553aac74c8e

SHA512
f6dce4ed998413b2e358e415ece6f0ac7762c7cc79a09b47e7c8afa88bd28353192e2f97e5205f6e5434e83500aa109f9418c7619fc9e80a9450546ac81842af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0518dadb3a6bf70839f99b0803c62d38

SHA1
444a504fae4d719322e067d72c86cbe595090faf

SHA256
8ff4d4e63ed01b6540d67a1008ba539fe7fc3bea6cf7474e576fc8ce901233bb

SHA512
fd35c98ea47cae82a9adc7e3ac6224c290f9c8399293950ac7c1d7e3b4ac4e649839b83189938db30c953c9d9c71a37ef3290052ead09eeccc0513dd5fee66db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70782a1324efc5b31e34b12afadac887

SHA1
9725e41dcc1235620e64db99dbd809ab6a32828e

SHA256
8f14049d521b2b5a6665c153605ff7872a0e202719a681c6080a047faef7a428

SHA512
0e6702a2def1049cfdb9b61b559e42083a60149128d00252d057a6b4f3ac69ec0ae435a2ddbcd260c0973fd12cb8ff0820a3c6d407f42f84c1c44dac459e39b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
954f4099b3ec67a7d83aecff56896b4d

SHA1
5a5aed1f2b83b3fdd833df54977cb8651260e0d5

SHA256
055eb41862e3d17d6d53510c9b399aee10f3c1744e5d1313b3f5966cd9c43e14

SHA512
c0399a1ca28aa8d4a85f31a63ac05956083ac2241a8b0690e6d93cb05099c985fa05d750098f3939287e7ca53a76cc20ac8360e219008d91458c1f6af0a7c4c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd85dff54ed8f14404bf2055fe419119

SHA1
1339c71f3cb289d55b0bc46a0b867087c9a946f7

SHA256
1c4ef5496e4dd523b46cad75464e70cb88f640b307678566b4c495719fb61ac9

SHA512
d4c4bd59c8a7b15e9e6cd882f33def6ed0816d0152508fa4e7c6b70da8eb7cf31945a92615047af3aaa9e5eb624c29be28f88b6d38442da1935a1667f6524606

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c3a268c4cec8d21288ffa05bf6a9dba

SHA1
2bce30a56769adf751b5a1b991bc981ca013ca9a

SHA256
10e4cfaf0bff6f9a3e3e4a75200b69474b157defe581c8f864e99af97477e50b

SHA512
e3a583f2e0145a45b7f7461b481514799716e61a133add7bd4f231d0446eb46a7e10bec04af3a33d113b0e4fe777324aa4b0a8522a89c071c16cc4a119d62865

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2b1054d39454cf1dd000cdbb8313f92

SHA1
75901558a0ac9605d8b9be9f738b7c802962df7a

SHA256
5fcc667f3baa4d464bd6b2110c53b6c6adfea14a15ee0ea4d65c64c08457ff5d

SHA512
9f885dc2d841c60aacc884c37e322cc5ecccf8a22441482d4d481a7cbbefe5bbfdf15ed9a4bc2ee6e47994dc43ad29adeafe372bab0c5bb94b8ade7400ee92ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18B2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1960.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit