e7ffcc5ab285fed3905a98b3af9fd30b1782f2a4560755cd8ac35a39908d3c10

Analysis

max time kernel
136s
max time network
271s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2022 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toc.xml
Size

35KB
MD5

e83a9f094a18ea295519cc3fc9a7908d
SHA1

fdd2245f93a428b2c87404888888964d0b0535b2
SHA256

86e053cba87cbb0a00a1e7a524edb8c054260eae920fd6b8d61381e2a8370dd7
SHA512

022a8c81959f27df013aac97377592ddde3b46d2b1819f1f1eb3e50647fe5f95d43295b80d06f5ea8511a2049827c0e85de2ded090887182d4d0a37631f48c9a
SSDEEP

96:K+DgAm4nUN8PU0tYI8UUsY5YoFIYLE8j1OslwCbfZrN8riUUN8wdJPOGsh7Pq9Ip:gcPl7NEATrKw+OOMfRYhH16JeCR9

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "375676468"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997527"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e65b2b17fcd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C926F33-680A-11ED-A973-7AFE47082869} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b3463b357228545b8c1fb18a974d93a00000000020000000000106600000001000020000000e07951379de54e346c20930d9a99bf8ded5af00586912e722d1df314edb017c9000000000e8000000002000020000000230bbcb5175056874147813d25d33de0b626787ba1265954b5a73534147b0301200000001c2158c885d77eafb19e1ed086e8695351194b0180c5330ef7e345379956c22b40000000786dff751b7ab8cfa44e878d2621a2ad90da63cd4e43a2a76ee8ad1d3001e927bdc6ce8e0797a33162b76d15f6b75ecbd201893d7f4395d8ae85154b611e2731	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b3463b357228545b8c1fb18a974d93a000000000200000000001066000000010000200000007a1a26e4c0aea6e7e1700c1bec48a0ea05f031df1c0426e52c6cb715fd89b78d000000000e80000000020000200000006087be66a1f4aefdaff6a198096aa7ab653176117c08c3a19db01bc168948a8e200000009f6412592b4ab8accdb692d11b006d3c23d66079da5a1c01cb10c7998b6bca2540000000aa77b5c8343ead28ded2038bf01b5e6b471a4bc432dd72fbb607f597c3bd0a87265cae813fde3ab8293a01097250aa35ff44a91c8283de03074a919f7aef8b32	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "689947540"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375627882"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997527"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "574167125"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b4732b17fcd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "574167125"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "375644483"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2164 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2164 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2164 iexplore.exe
2164 iexplore.exe
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE
2764 IEXPLORE.EXE

pid	process
2164	iexplore.exe

pid	process
2164	iexplore.exe

pid	process
2164	iexplore.exe
2164	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSOXMLED.EXEiexplore.exe

description	pid	process	target process
PID 1760 wrote to memory of 2164	1760	MSOXMLED.EXE	iexplore.exe
PID 1760 wrote to memory of 2164	1760	MSOXMLED.EXE	iexplore.exe
PID 2164 wrote to memory of 2764	2164	iexplore.exe	IEXPLORE.EXE
PID 2164 wrote to memory of 2764	2164	iexplore.exe	IEXPLORE.EXE
PID 2164 wrote to memory of 2764	2164	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\toc.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\toc.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
7b35d09c8d594ddc91418302b68198a6

SHA1
74cd30ebe4bb6d31cb7a0b2987590f9ce9ff8659

SHA256
286981a655ce6984be66771a091daa1bea33a43cb7233ac74d2f43825281ec05

SHA512
a19a14c619d3ae1600595c4e21a1ae9112548029bfacfe0fb877ff0a7cf5d147370364444a044b94b69a088f58ce8035d42ef33d756f9afcb970fe2c32b8dd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
3865c84c8b156334e10cf5e055a7f131

SHA1
d6c75f68f0021d7827b50d397a25985751395bb8

SHA256
07574171476b6c2113d1b5ba5df5ccef9e78547fcbd031f83c842368ba618416

SHA512
870c1760be985f5450d21c8cf2bb1b45c02572d83202a7990a0f517ef5a6f769a1e6a2e41ed937d448c703f3e6287a683c4eec6993b49a3795b705dcc7d4f7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\5GE4TFTY.cookie

Filesize
615B

MD5
a8e0c8135e3ee0f3e9a4fce8b25fe66e

SHA1
a1bf336a1ed2d550a06dfcb83d7c2bcab4980167

SHA256
38a94feefaa97405fa29f8f7a62f9e81b2fdb6ffb16755f3a145fa925ad1aac1

SHA512
88d4b1fda69a188ffdbed87a6446654a99929e09adc36e4cdcb739c7f1e32b63bb2ffb8e299a6998dff3202297be476a0e57b709ae4db032d9fb8cff2245a7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\HU4H5MHC.cookie

Filesize
615B

MD5
2b24876037d93f38ecf72263b4f8c062

SHA1
1aafa5772ba057fc3238b025912f14fdcc6dd0e8

SHA256
0ccf7c9b8e2122af613d8d5fafbdaf945dc207a83b175365fa23d4ab583b184c

SHA512
82d1fb0817760fb30efba256020e1b309fb59ab4429a6537da651db26efe4b750afae812366b4fda563f4775670be0f4ad1edc97fabccbf0c3a86f7d91a197b8

Download Submit
memory/1760-117-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-118-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-119-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-120-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-123-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-122-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-121-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download
memory/1760-124-0x00007FFE97670000-0x00007FFE97680000-memory.dmp

Filesize
64KB

Download