49f23bba52c17eebb7e04e11d52042d8fee8098220a8283693bf7467e02fe674

Resubmissions

21-02-2023 11:28

230221-nla8lsge2x 10

15-02-2023 12:25

230215-pl5mwsbf93 10

Analysis

max time kernel
106s
max time network
174s
platform
windows7_x64
resource
win7-20230220-en
submitted
21-02-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win-api.xml

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b072e200e845d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383744010"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c00000000020000000000106600000001000020000000166ba41b5096be123e4301384316779a6de71349b4d234cb5fc0f14091bd2f9c000000000e800000000200002000000046a9882395fc138f9b1b70bbd4db68a375c4d582e4b7485fe32fe34ae17908a390000000a6ac8e5c3e1cec62b5e1dbcf7520c0ec7d1395c0df5194deda8b0060485ed9d2ba77ccb82a87a02b7035ba0943e3638162c46b68ed21a7fbd130a227fe2e2613731121722547a4f31c2a74528943189b6f851970a72718b3e7113e28141da69f94b0673dcf53fa87fd95db806861bf7a2be633e4d2a234d2751842157d961a92b6a285ff095df7ac5c6fdf4fcad3156140000000d6e71c8dc359cf80d8341148ac62ba697aed34103612ba57f4636d6237b41550834fac93b942d48bb9a4cd94459697dff674754b3c30b48126350b6b5a22ea47	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{288F0851-B1DB-11ED-911E-F2C06CA9A191} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e8f12fa8cd8fd499ff2c01df6bc8a3c0000000002000000000010660000000100002000000058f1b3bc72632f590fce896fab5248253955ba62728df082ee9ebfbf1ce2f404000000000e800000000200002000000056d331289639b7dc44881eede12c16f0def52503b1c7d47f24883ddf9dbca82f200000005bcd0febf976128d935ff41bfe052e2417dc0351bbecd71a245465e2e49260f4400000008ad426bf3e3fb462becf9631e68b1d3f9f7e76444b1c11fe9b3c4018806a98e3fc2eca9d23df20f58175b6c1577c5c20672e6a90da5d5cae6acf21d5c37773c3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1664 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1664 IEXPLORE.EXE
1664 IEXPLORE.EXE
632 IEXPLORE.EXE
632 IEXPLORE.EXE
632 IEXPLORE.EXE
632 IEXPLORE.EXE

pid	process
1664	IEXPLORE.EXE

pid	process
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE
632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2008 wrote to memory of 568	2008	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 568	2008	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 568	2008	MSOXMLED.EXE	iexplore.exe
PID 2008 wrote to memory of 568	2008	MSOXMLED.EXE	iexplore.exe
PID 568 wrote to memory of 1664	568	iexplore.exe	IEXPLORE.EXE
PID 568 wrote to memory of 1664	568	iexplore.exe	IEXPLORE.EXE
PID 568 wrote to memory of 1664	568	iexplore.exe	IEXPLORE.EXE
PID 568 wrote to memory of 1664	568	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 632	1664	IEXPLORE.EXE	IEXPLORE.EXE
PID 1664 wrote to memory of 632	1664	IEXPLORE.EXE	IEXPLORE.EXE
PID 1664 wrote to memory of 632	1664	IEXPLORE.EXE	IEXPLORE.EXE
PID 1664 wrote to memory of 632	1664	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\win-api.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d5adec780d703447ae1c6a9a798df3dc

SHA1
2f0ac71a9e45a777f49d217ea0a7f904cfa20837

SHA256
87dd76eb9a111bbc27b8cb377563164e4b9f2636b5b4d6e36129c00b7d41f26f

SHA512
022b18cb7eadbd7ba2706cee883ec062d80109e71b0da1e41c6bf59a23b6611ba78583cf93d11ba6bd9b9d8068f46498d426a4c633b3c46801b5ae522c9b90ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
433aaa81680b9ba2851811e810916a25

SHA1
8bbb7957f26e3fe27aecf838597346ab48db66cf

SHA256
cfea0942a17009d19462090c2785610be0bc23ede9bce0b89cbe5c1f0ed989e4

SHA512
ac11c5fc6c913888ee981789903bb59151846ffdac77c554a813ba2821e1ade35f6e4ce1f787dfaf51a40ff38c7d93799cbff96e296f6337f660b0fd8c1f95d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
bdc3fbca3101c5511376fc874bb6638e

SHA1
dbdbb78d9fc8b45995df043133b5409686b1bea4

SHA256
dceca15c9de1e22d3d008169db8a7f5a3947615a84d7ce42cdc453f82c56e814

SHA512
29b0a5c4b07cdd040ed7b6eb758fe0dfb0a333584aa506a3c28e2637bea2cb1bb9a1d9a90ed5c5d3f92661d9b8b3d29cc276ce5cdb9b20751623764797bbbae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e8722884f98a05638651df71f743efd6

SHA1
f12ae979b6851fd6020014848996be7a3409b19a

SHA256
46ca22a103d0276b195263c5143e85ce93dc18f4e7a95aa71536a17717585c26

SHA512
efde94ae8c5a32a22aff1ce08e5a5f6a69dafb7a21bfcbbb3161c18142efe5d3514a8f87ba8d857f8caecf0bac8c90709befd383d10b2656a3986f51945976e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
025dfadc5d0b2ac2ff6bf6ffc7974e07

SHA1
49a0fa44266b73c0122ddcebb6ce2e42b28d4c85

SHA256
bb8b0b8276fcb33158b03216354b855eb8b3f52e769757fe662b104e82ee41d6

SHA512
58ba13e17d397ab58561754dff15b8cc9e19bf96906529bd60f9f3a425bb240c0b6d425fa14468489b6005735f2231906397e35295dbe0eb5626889c2a73a297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dc8f1ea70feea5da5faad40488934d3f

SHA1
bd6e9610d47d446518da0767d4e1d2a864165c06

SHA256
7c86a4e7f4c8e2f71670cf9cb0c420e4d6783049816d80e9dec4082080655a09

SHA512
04dbdca91151c8e71f9daf5a3404daf296c26a9617cca0ef385b1c3c74a8d022c0adcc3dfd65c31ac029d00154d9255dccfb729e3b8709f676e4f4cf82487cbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
856158587e28a187c9841f68d1a01f7b

SHA1
955e1263883cd5c0ae50accb580423a3552c2da8

SHA256
340001e0fb8e5ebd8d3c8ce2921dc8d81f46b481ed086062e8384ecd45b51f04

SHA512
9dd8eef36b2514af8649bc8ba1fdef228e6d94dfb02e7ba6d8ef506285712454f0e123854df44a15a78c522f424830f1b2cf2a36280f0b02b83c872954db94b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab103A.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10D9.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0GH2LO7S.txt
Filesize
599B

MD5
147ed98293e246ebf2e909a6ad4b6026

SHA1
1649b7542b896f5be3cea08b43725c4956f65304

SHA256
55117cb393300fab7027f48bb8b94cd4bf672a7fc4e43661bae24c613b77c8af

SHA512
2f5459167b80cf5843599b510d04d4a8e53f422f798ca739f15f66942cfcfa91d9d50d030d0c6f761d697b6b1ba659ed066e8c0e23d1143a380f08c648ad9e03

Download Submit
memory/632-55-0x0000000001310000-0x0000000001312000-memory.dmp

Filesize
8KB

Download
memory/1664-54-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download