708c3a754f66c7ea424f1853f6076fd19434f729efff1c7ca5f68c76648f9ca3

Analysis

max time kernel
100s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/03/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crack_HK/db.xml
Size

456B
MD5

01fb5a7568b821eb1e91a270b8b7d39f
SHA1

e5a73ed9622652466b25440ddc81dcb54883c249
SHA256

bb48eca39212f71af10838c9a906e68bcdfed94515ab8c23f9cee5c80c55005e
SHA512

9ec6a63982c9c6ee08b6979d77f428aa83cd32f36973fa830af2209f776e9ec9c504afd61ce5283c922413dbbeb8dae1a6bbece4fc3ec079464f96c6612341e4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc4589900000000020000000000106600000001000020000000db55c3c420257a64a149de16fec48483578f334294e0b805ad29fa85d9ad7857000000000e80000000020000200000009f48b5966ce5fcfde45ca92c6a78ae12e49a7b1969a470b95ae02e8ab8824c662000000097765b3b78e1ea94f5d078d7b3f2ae2e0f3299313601cd8373a8d422dd8775b9400000005b8c0b772176122df7463f15e1b64a7587387c3c291ba07be6aae37c41375f80b0d9fd1d3d465674cc535319255f4ddd6bcfbdeeecbef7054aad0b3a2328b6c0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000081f126f0ece9f2ee7c6e7cf550d738eb53697e186fccd7690cf75d07a6e03d21000000000e8000000002000020000000269e533f2a39056223ea07be6afae286261c50d664c84d5264bcb7d35faace0990000000d04e971ff49f95954f773b6bfab33a3e4ba4bd90270344cdd50bbcc02ccc80d3340b0cfafdad2edcfb265b06a0663c5124f6fd07eca8d6e6b8f7f1c9c08b31e8b5aabb8378a8b793d50feba6c3b5bc14e9ae8ed28235556eb817ee0495c031129ea5cbfa7bc6d248109849a76fdf0652784af6c7ef8671ca7931799163981439965e1df63ac614b2a56c9e9a01b959a8400000001e8cf88e4065ce20e2a753601c5e7e8e4a7ad201201d17b110a2ce0ddbe965af9400e367d5a4ea5a9435e391cc0d2ec80b5eca2491d6aef2425c245d4763b7f4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7910231-C01E-11ED-8FF9-7621D5A708C1} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385312397"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03bd5ad2b54d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1848	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1848	IEXPLORE.EXE
1848	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 700	2020	MSOXMLED.EXE	29
PID 2020 wrote to memory of 700	2020	MSOXMLED.EXE	29
PID 2020 wrote to memory of 700	2020	MSOXMLED.EXE	29
PID 2020 wrote to memory of 700	2020	MSOXMLED.EXE	29
PID 700 wrote to memory of 1848	700	iexplore.exe	30
PID 700 wrote to memory of 1848	700	iexplore.exe	30
PID 700 wrote to memory of 1848	700	iexplore.exe	30
PID 700 wrote to memory of 1848	700	iexplore.exe	30
PID 1848 wrote to memory of 1944	1848	IEXPLORE.EXE	31
PID 1848 wrote to memory of 1944	1848	IEXPLORE.EXE	31
PID 1848 wrote to memory of 1944	1848	IEXPLORE.EXE	31
PID 1848 wrote to memory of 1944	1848	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Crack_HK\db.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1848 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
542ac5e0a584492f5c66b60e9328ba0c

SHA1
b7573f0351ff308a7fe9406a342d3023239945e8

SHA256
ccea830d61d7b7084ead8837678deac701255431c8cb02d3fd1d27b1271d3788

SHA512
1a46d5824f953355bc42702689731558387d560c7732d5d5f9e78aff5accbf107ddc87b19340521121a539f211b9688b5d42d5a3d779f6026688db1a4a18aab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78a1a4fff69ed289f8d23f2eb83f65ec

SHA1
47cbe30aa053e291e3f77ef5d99062014408ef3e

SHA256
8b99acf288780194c9bcee2de4d95dcee78e7d2b41006db3cc17d8e58f49130f

SHA512
8f0dde85c4e5c7c65167a51537f51d314167a3a24e3bb81fbad66e69c1cf73b36e34ac6940d60b1c014a9dfdfdc2c1b169a8b4276833a1779dd8c56e6f935744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1cbcb6291aba8ed778390adc3c56a57

SHA1
324bc3875973f9d9d801efbc1e3c5f64b933b00e

SHA256
50a9a655bc9ea511e4dcd5179cbed7175b0fdf085bc0af50c9ad50b2801aaaee

SHA512
ce9ea3ba19ef11707207cc11ad77d465a09b06f7999105675470360b77553c217c950cf6a364d14ef8fb08089d1b5e9fb1b61c129338d82696de03015d4099b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0315a15f4f09c555aeba2fbb85e74081

SHA1
256ecd279ec6b9c0b532b87937e8b02f01a32317

SHA256
267236d41ae0404d2e9ccd5ad2cb03c5d306ee0178bf50b249b6f61651c3f4e3

SHA512
d559cfdc70301d1ca28137ae4f29b340dbee52d74d86f64e7f5c2b61557d5f92bab619b6eaec92c96673c067870d388012295fc1882a4ef2cfd49f1accdf04ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6566e61695d6b67bb10ab18a5b558f5

SHA1
4dccdf839dfff677f42dbee7ba38f6f8eab0d8ae

SHA256
f5b06fa516b1d3394a41a0342b160d8cad53955dd4f546a0f40efa44bea32f65

SHA512
ebb7b8f059c47974ea680c58ecf3c3cc3a5c84413b951eb28bc80d616b1a22087d75be6debce41c8d841e1bc32a85997a4400b58cdd7a8cd9acf3500fabec1bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9161f65f54b40c6c6383e5f498c79d5e

SHA1
f61e4cba7b13528fcce4c9a89877903ba90b2595

SHA256
bd4471272a0aada9217636909755d7841701d631c3a960831bf73b2e58e2dd3d

SHA512
86607488465b1019be2355781d86b38897a6ef2b697ab2497e17fe3c40eb274d5c267a2de633bc48f5c92ec3dde56ba243560208e29f02adfd7ebc7b5033c292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
405192015905b7b5ed422a0e881ec48e

SHA1
709bd501e19957912b4e085a075e1607cb169957

SHA256
0cd7eb9bf895ea6da15b9b628a47bf6626af1c1874ed76bae3f3d6c466e3a8e9

SHA512
5a7ed9b45deb825ff1e49e60f88b771e3e67d951503bc131e153e1e160bebc00e9b5fabcd1e8b25e8b202e7dab50e81d1cbe97cbd2515ad2443ee14cd508cb29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74aca48a840378bf03c797912610b9b5

SHA1
7c10b978a489ed3a018dc9f9740eaee70100a2d7

SHA256
29585ad6f6b55fef68a945a5fc5d034ea9131791564a70b37b9cc093a3233575

SHA512
d60e0b3938c79974715fc3ca81bea59bdbc2fe5b8fa24641ae79a27ffb18fbbe69c629644fe335d3a2b730a53730e38ccaf269c04dd9f87c0c3269918f11f866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DCE.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E9C.tmp

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F0E.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GSE3AJFL.txt

Filesize
608B

MD5
500901bb1d74237524ce9a2568227252

SHA1
7003202f6ca5074a1e42ce80498a45a70a7cd9e1

SHA256
a13aa468fc34d7f141359f2a251623d1b1ca317ab4dde5fa6f7647c710d7e38a

SHA512
c4b74df050ee45075e0fe1face385272e6046e57dc5e11d1d7f3be92b8c61435de421fc50f5446df2e4576d8c6af608be7f59844bce4650589f81673831f170b

Download Submit