Malware Analysis Report

2025-08-05 12:45

Sample ID 230308-lmrwmsfb65
Target cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml
SHA256 7051272374b28001b457f586c12e83a4e3324f17cdc68af06aca3d3bed02c05a
Tags
emotet epoch4 banker trojan macro macro_on_action collection
score
10/10

Analysis Overview

Threat Level: Known bad

The file cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan macro macro_on_action collection

Emotet

Process spawned unexpected child process

Office macro that triggers on suspicious action

Suspicious Office macro

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Script User-Agent

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

NTFS ADS

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 09:39

Signatures

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win10v2004-20230220-en

Max time kernel

115s

Max time network

145s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.zip"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 132.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 104.208.16.88:443 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win7-20230220-en

Max time kernel

22s

Max time network

87s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.doc"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094022.tmp"

C:\Windows\system32\regsvr32.exe

/s "C:\Users\Admin\AppData\Local\Temp\094022.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WRzVwkmp\bLyMZs.dll"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 midcoastsupplies.com.au udp
AU 203.26.41.132:443 midcoastsupplies.com.au tcp
AU 203.26.41.132:443 midcoastsupplies.com.au tcp
US 8.8.8.8:53 mtp.evotek.vn udp
VN 101.99.3.20:80 mtp.evotek.vn tcp

Files

C:\Users\Admin\AppData\Local\Temp\094030.zip

MD5 e4ca5ade365a549639456e7002246f22
SHA1 f07d577919e7a34eda0e55d2b249248384da4b0c
SHA256 dc7832d51eed30c96cb7ea377dc59753c1fe13fd7745a3530c95422ca1e4d760
SHA512 caa1d75ad6b8acd990e6ec0fa4c7a39b7a55d7c75394ef258ef1ea9a18e8c6855cff261946d5d0985d981541a343cd072b5d7a5f72388ccc5b683e9ef2fc7e26

\Users\Admin\AppData\Local\Temp\094022.tmp

MD5 1557a4c53d8aff5a54446d1583a1adea
SHA1 b9d1b3db08a931da3b014e34509e21a0f9937f18
SHA256 7a1230940384c0bd4ed88271b69199c8c2f955a6e16100b8bb07ca7b6af88894
SHA512 11f07702e74785a5dc8e0e1d9635e7f7bef48c13a0f1909d1a44bf45aedc840f4f9553d8fd53d039a775191d24764e9fcde9df67ec27398fccca7ea9fa49cac0

C:\Users\Admin\AppData\Local\Temp\094022.tmp

MD5 b92a5ad2eda2b86cc23f5ba3073d12b9
SHA1 02bad075709052d89695ad63cd1de9b387fb5485
SHA256 1caf1e6087e1b90fb3b9937ae7d6c667c6c20cf2663dbd226d1184a41d4edc8a
SHA512 eca9a6249f21f8296ef38c47baf4d78d06b484fabceb6c7a3f6b9f30ae6591b10b7fac1714cf5b302b299500ecaa8b072eceafb1342aac42e334df5aa8eecfc3

\Users\Admin\AppData\Local\Temp\094022.tmp

MD5 b2071905e0368d2032f42c1f623717df
SHA1 9361ba1d15f21ffba765c8f408ac544d63a65d4d
SHA256 17592b849c9aad6f0a67b07ad591db08c357d392f43fc149b01cc5ec0649059a
SHA512 cec274f566720823d314330080d8cb4bf5921634c121acf2ec36ce93f6d19fb90e12ea65757d9a7960e2b5812c45af38ce84202fea7c1d9fd45a31633a0615ca

memory/1220-847-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/840-848-0x0000000000130000-0x0000000000131000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ec0092800a0dfb05f51ce86a13716c62
SHA1 4d0b346c8d6a0fa6b69b732eef1106adcd68296b
SHA256 0353bae2fb100caf995c8d530a72d4f49dc86a75ef0867e5d83316d08450385d
SHA512 33e3572a33c6c63ef732be662ab865cc9ef99f694a8f0cdc08db6b7606a8526004e6f0a553109015c9c28d14045e8dff9e7ecd1fc92af6cbeea9c4ab3f084a87

Analysis: behavioral6

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win10v2004-20230220-en

Max time kernel

16s

Max time network

159s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.doc" /o ""

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.doc" /o ""

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\104024.tmp"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VRAJJQQJL\yWjhEe.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 84.150.43.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 191.88.109.52.in-addr.arpa udp
US 8.8.8.8:53 midcoastsupplies.com.au udp
AU 203.26.41.132:443 midcoastsupplies.com.au tcp
US 8.8.8.8:53 mtp.evotek.vn udp
VN 101.99.3.20:80 mtp.evotek.vn tcp
US 8.8.8.8:53 132.41.26.203.in-addr.arpa udp
US 8.8.8.8:53 20.3.99.101.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 254.136.241.8.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 8.238.20.126:80 tcp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\104030.zip

MD5 e4ca5ade365a549639456e7002246f22
SHA1 f07d577919e7a34eda0e55d2b249248384da4b0c
SHA256 dc7832d51eed30c96cb7ea377dc59753c1fe13fd7745a3530c95422ca1e4d760
SHA512 caa1d75ad6b8acd990e6ec0fa4c7a39b7a55d7c75394ef258ef1ea9a18e8c6855cff261946d5d0985d981541a343cd072b5d7a5f72388ccc5b683e9ef2fc7e26

C:\Users\Admin\AppData\Local\Temp\104024.tmp

MD5 407ecc018ab4b48fedffc6a0c7afb3b7
SHA1 f20e7f4ae374a23cfe4be7aba503105997d188a6
SHA256 685b22e7220ed04b3e2aeef8afeb52e22529a105b9efe00fe84c1675725fbfaa
SHA512 57bc8331df71a34475bac5a2de5db0c8a1909eeb4f573e9dc050a876ea95a7ae30fd1b53a2f7ff5fea62f545d82f46cfaad920d8418beb93d8f8117e9bc95d1d

memory/4660-178-0x0000000180000000-0x000000018002D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\104024.tmp

MD5 407ecc018ab4b48fedffc6a0c7afb3b7
SHA1 f20e7f4ae374a23cfe4be7aba503105997d188a6
SHA256 685b22e7220ed04b3e2aeef8afeb52e22529a105b9efe00fe84c1675725fbfaa
SHA512 57bc8331df71a34475bac5a2de5db0c8a1909eeb4f573e9dc050a876ea95a7ae30fd1b53a2f7ff5fea62f545d82f46cfaad920d8418beb93d8f8117e9bc95d1d

memory/4660-181-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4284-184-0x00000000006F0000-0x00000000007A0000-memory.dmp

C:\Windows\System32\VRAJJQQJL\yWjhEe.dll

MD5 123478feffed2d5d5ea3fcd65bbceadc
SHA1 496b0d950d187b2f32783f5e77e0ecd5710d0d82
SHA256 e47e2c305617a64731f516059a2e5f64bbf85693649e30d3f8739882d7756992
SHA512 6d9cef4449b390ba5be000b287775b59ae654138783c95d298a9dbc7817acd7653ef6b2b9017af9ec17cd7b101dcdee923303cea56cc371dab9ad98353eb9f31

C:\Windows\System32\VRAJJQQJL\yWjhEe.dll

MD5 0ddda937ce91f2d26ac5df03c19c4f77
SHA1 2049f06bd7cb4f4d33a5e2966035ef9dcca4e582
SHA256 0c37eb5c62f73ab62e003344f5e0ead9e3b74dbf3ca90d79a65d6098e513d1b5
SHA512 5ac8d65081644c35ddfbbb66371746b6142739e0222470a29a2f58ce4caa557386b3d0d81ed94639319744912e08bb724fb24be24f20faa9789ae9762fbd743f

Analysis: behavioral7

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win7-20230220-en

Max time kernel

145s

Max time network

130s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-1.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97CB1F61-BD9D-11ED-8C02-72D88D434236} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000e9d70df86f10dfedd94e401fa4d6fc02099f993129e39b1c76185689894adf17000000000e8000000002000020000000067141564837e06b172a41679f103a8312dc913d770cc7f3edb18ef5f15151f5200000007dba920001005c1b774cf66fa351c331d8b4dd3b6f7c39413091f56424ef9e4f400000007a922bbf9f5ffbb1dd901d890787ac327d58058fc0e6b6b3cd041aad41422647a9bd98ffc4794c8bec0c19031841ff00b41add3ef051829f474ab03641cda05a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3027686eaa51d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385036982" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-1.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1372-54-0x0000000002D40000-0x0000000002D50000-memory.dmp

memory/1416-55-0x0000000002FA0000-0x0000000002FA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5506.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\Tar5636.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 401f6bd7f6ef8089fd3a3426362cafe8
SHA1 5bf597287d898ae21b2054762576e10d543c1b1c
SHA256 ec093796aa8eb5f138895013a3422ba083a18fbf43e239b3cabaac086191a1fa
SHA512 fe18a0bb840210be8c7c5e0faf4602a14c9c4abfc7bd02a95e47f30caf0ffcd9cfd3d5f65e9972b2edb634783f7042363fba02228f7b52003d152c1789169225

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c7fdc138725ae3e186c620cdb7f0479
SHA1 e5bb01e07cd50413787b8bd0c5cdec016d7000b0
SHA256 9002dfe36ba5ccb5ba31e3f15157bc22ff33a0a645eb9ed3e16ba8cebb5aa8f7
SHA512 89698e125fb0e271186dd21c683467e86b7fccd0957a619b80a4dce3985f4dc33de91fd9e87f00ee21d6c20b489b5bfc919ffed4e59c65ca06b974083309fb1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b02ba92828b88879ddcf2c955c04d361
SHA1 a485b8fc3bc9b427cd486a5ee274d227be115efb
SHA256 a6cbc0831112f4025dd0091285db91f813d08494db6b58711decc5c956a9a60a
SHA512 a4f6f22b17cb971d0161ac0eccb2ffccde14cdb400c3bb1f4f8f234054ba149250bdf5bf79de91278c13a051169ae863f3c378802a784e57e290a0520ed0c4cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2eb4e2a8716eab25efb090c0af7328f
SHA1 bf9fc278a8059e2a8a7fec3f589f4dc2152a692a
SHA256 0c72dbf410f66bc97f2105afda37bbc1230909ba3836d31307f01cf4873df906
SHA512 c70ce29b9f699d073e5642367bcdb1797ed1c3016edde6bbcbb86217ac5c21a59ea4e112d9962993e9510436356cf8a4e270efcf4eccc07370e6a7016da535df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f6c1903f44aecc27e7de56849ead20b
SHA1 8fecc6a2e2195333125b4d29dc59f0cd29a75be2
SHA256 c6e6181699d5196911b65ce83adb372067089384704fb2b5f3f0fd475f02a027
SHA512 3b83383625ff0c8421657a844639db308a310240bc45f2909ab5db3132e518dae65694da3fe154da476e6ba5841210b056adabeb1b0bf52f6d0940e4fe5dd91e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad156bf871587e0e28afd8758633279e
SHA1 3c66eb778c9066bce25d27d03efd6387256ef11c
SHA256 c2ba8a6a69ca6252353191e1b83633053a100afb036b8a18da1dfe536593cb4b
SHA512 2d01a473346915f7fa08f2990415d87e33a05df2a774d25889ddbe639e911c9a5819e1172355b5071329c9534bed0d8d27d03cadb5304ecfcc5e4f80c306ac07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c6253d8b13299fde6a15d248620f6d1
SHA1 a837377f612e7a7a4f94af141f9bb57868da96d8
SHA256 a422dba3b10ec0d2b491e03d6605e86d3be6dee8dffb4233d593a06f923eb09f
SHA512 87c04ac6e96bc068a5a779450d6d36358ef017112e090b950ccdb502d536bb761ebbd38733f828375e3b69834c96f8e5e9823156cb30edeff6243d58e48e51b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51f206dd36b1ccb3a0fb2b5cc2f579c2
SHA1 b2d4023abaf30691035217e56c84b830d00fa7f8
SHA256 baf24273fac423a961826d2d3b757b7e35815078ba1d381d86b7ab62ccc8f433
SHA512 db4b4436e2d09c9b9048d59076c24857bd1c89709f89a37849b560bfcabd79f3cbef338bc8134703d994051494da51c8f60c5e6a720beafa0186f34d2e09b346

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NWZEGKXZ.txt

MD5 65b65878736b8a2e0f75a55fc264bf19
SHA1 e7435af065242bb97aa10b2f9eb949cbf5d8a800
SHA256 177f2c166de2b31c50ce74284d6eff5f1206b433054bc9809237c348ec2a0b43
SHA512 61e97c0204330bdcdcad6a90fb7a24d33837b1dcb7bc262a6496cdd7e534750e75741817097929c84d150475dedbd4af8ebae6bd81628143d4573bff0e8f1a9c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral8

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-1.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e040d56eaa51d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9849C051-BD9D-11ED-ABF7-62A6D96D5571} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31019434" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a97000000000200000000001066000000010000200000008f448284ee40df6e6153aa05261ecbeff909d29a4756a1a23901880f7a70b5b2000000000e80000000020000200000006a095b2b95566e3abbf24dbd9b46a872a52554cb837fa859d86005e4da1c2ee020000000d9ab6102779a67611c296c0d2fddaf5b5942d913ddebd3dd2773c6bcbb2df753400000008cd715002b02021333e2078cf9b964d34115a93926ec39abdec9feeafa775da58a5599c7587db8893ea7b605bf187a4b611dd4834e1a8100927c5a6e3eb08668 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1831970698" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31019434" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1851191768" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c9f16eaa51d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31019434" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000675316f82fdac74aa8f3bd7995064a970000000002000000000010660000000100002000000015eeaa414b144a9cfb94c3efa08435f28ec3b76246fd4137b204853acc6f9fd9000000000e80000000020000200000005e6ddfb23b2a5a6f9d25006b8db40b38a15cae1211f92d55dbff646710ac9d5720000000fc8518fdf2dd7e38d34af8ac8bf7a18f071f4a9ed295f3c43abfdee30c408d1240000000f70f24a4ec5305fe0dd8e619f17e20abd74deac18538de324bdb470c48ccb72b66835fadc3107a4722597f4d9e30c8fddd67581b248a850cd8655ff58e88d39b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1831970698" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385036984" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\email-html-1.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.136.241.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.130.241.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4HAJQ22Y\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win7-20230220-en

Max time kernel

109s

Max time network

31s

Command Line

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml"

Signatures

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key queried \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key queried \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Processes

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml"

Network

N/A

Files

memory/1680-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 8cb407987f2c646270ca8e879d4567a3
SHA1 9f1c885f565dde15cbfe9b22eb3766353b7b10ba
SHA256 05bafc0c52224cfb1b527fff939ac1b6c2be5c81571de927ee9525e43adcdddf
SHA512 d1cd8c9efe531fef469ec901f323acff42340dce023571b217b3fec3736bc4c63d2c8d5c989395c855724f8da7e3063451db69850b6dc98932bdcaca68f27c41

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 42a6a8b0b1ee43d74504f40cdbc1baa4
SHA1 b08a63e3f221ed3ddc2370d7467565077f6f325d
SHA256 dc6912586448aa415bdf9ce7574dc4f344e1dc0c70afbc0d06f12663a8c97b0e
SHA512 e974decab6e05a69052f6dd86a67357ad41695171fa49926d3e8051a1e4b09c26e400ff97e98ab083a9f7a1e5c06929266738da88ce62ba4a52029ad3dfe9788

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win10v2004-20230220-en

Max time kernel

144s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml:OECustomProperty C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 143.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.189.173.13:443 tcp
US 8.247.211.254:80 tcp
US 8.247.211.254:80 tcp
US 8.247.211.254:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.247.211.254:80 tcp
US 8.8.8.8:53 234.238.32.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-03-08 09:39

Reported

2023-03-08 09:42

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.zip"

Network

N/A

Files

N/A