be71cb9f733bfe2bf9fd99581cb56aef55b305865e333f52045eec4aec6ce7f6

Analysis

max time kernel
102s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/05/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e3d6d2d-06cc-486d-9465-9ef3bee75444.ps1.xml
Size

1KB
MD5

27607c878a76a47669bf4f1146202a20
SHA1

bda1433749cdced36d5a9cbe4f58fbcc0c847107
SHA256

be71cb9f733bfe2bf9fd99581cb56aef55b305865e333f52045eec4aec6ce7f6
SHA512

804ce0bf1758dc343d5135def17b486bbca6ce80b081718d5b3071d71c54f981413c96ff39fa5f81fa4e9f10197211cf51347ae790fde24acdd3d80b5753ac5a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a000000000200000000001066000000010000200000008161ae97b5f6e534a84074f2c037b177c37762d08da76bd45bc22becf1629d22000000000e8000000002000020000000ad7071c5b5516fcdba833e2928233c3746a1a9d8ce38f962d617c8548a3dec5720000000879d7c5eb95b52239b21c759f1b54b15f49ce238cb9440a4149caa3b766140d3400000004841f1d8a57f664398e8d8202d857794c3ab9d1d75cfdfde099206cb26bf3d2c8e2da4cff6fe860e05f3791b14df67f4072fc2bf74b56a93ee844bd9003dca7b	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c486c64086d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF67BB01-F233-11ED-95B4-CED2106B5FC8} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390819015"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a00000000020000000000106600000001000020000000e10859460facc419c0c025211338a66ed80882c5f0064244e9927d04779392d8000000000e8000000002000020000000e0c76d305ec7e811d1a4f4b159fb7e6623ca901748d4ac1683bb7c6665b554e49000000093b77f7335b682af9ca0831e154c90ab6bdbdfa9045de95c305628c4db15de69efd09d41edab3372fb0386ca74b1f0c772c7e0ba67ebb774d37cacc96420ceb38bc3493629bc603d837929fb1782bc53e128c633c6d5f9176f1195a1f24ecf3f374ee73b4ad7926288759b1000bb4e0519690a42e02b592450f00c5fffebd4fae3d2e3a4714453ac5877c082d8d0b2fa4000000047b0bc0c198428db8681e524755c9eb114fff4e3215ed5050dd0753a222d52ff07442f6c7d5a8c30a23e6fb1aa24b6325c8ebe2028a94aa51469ccfe8031e383	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
580	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
580	IEXPLORE.EXE
580	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE
1496	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 472	1232	MSOXMLED.EXE	29
PID 1232 wrote to memory of 472	1232	MSOXMLED.EXE	29
PID 1232 wrote to memory of 472	1232	MSOXMLED.EXE	29
PID 1232 wrote to memory of 472	1232	MSOXMLED.EXE	29
PID 472 wrote to memory of 580	472	iexplore.exe	30
PID 472 wrote to memory of 580	472	iexplore.exe	30
PID 472 wrote to memory of 580	472	iexplore.exe	30
PID 472 wrote to memory of 580	472	iexplore.exe	30
PID 580 wrote to memory of 1496	580	IEXPLORE.EXE	31
PID 580 wrote to memory of 1496	580	IEXPLORE.EXE	31
PID 580 wrote to memory of 1496	580	IEXPLORE.EXE	31
PID 580 wrote to memory of 1496	580	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\0e3d6d2d-06cc-486d-9465-9ef3bee75444.ps1.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e332db6c4b6dde1ca0575d619aff5a05

SHA1
e12dff5da74d3d0e985f30755d10cad848a3d132

SHA256
88f09bd3b8c8a5003527807a8ab278ee757437f4e1416fa4e5a35456c0bff6f9

SHA512
838b7042e3cc44a7eb666a66ccb2e3245794ece570ccea92bbcb4c6f7117edab02f98dc6554006b8e72956b35cf1caca63e4e0186d55c4c056cc5ca6006e4899

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e07afe62b9d4971156ed5188e9167b1

SHA1
21e728e5d6854acdafd39bf2f5e08c652915f1f1

SHA256
5768472512b4469ad3f5b25aa68b527b31f8965cdc4cf7d10fb327551e7554e0

SHA512
cf20fcb7b2e0c47e1d4dcbd1b76c126e8712eaec970c00b94819f0117fc00cc272630c8fd094e5154a4efec26b07777e44ca14029eccc3b47a112d799a6865b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e91c893f2ada8d48fa53eb3e3380069

SHA1
da225438f41a5f71e9722fb1fa3afd363a2f5ee2

SHA256
ab4dd9f4bb609ab9f228142aa7b98c7adef3f93d3a714b666111b2a198aba764

SHA512
2367120221ae0874ec3ced87dce567be84f33846cd32010177c2ed5cf895113aefc63b81dacd11ca0642389982bb56f1cf06fc4158df44b99b00f6ccdf9f205d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16943151f453f5e1622c2bdef03c5073

SHA1
29f3b548fc914996c45f8f4ab822b3457cb3d5fd

SHA256
b8903d97529ef04e4f238dcbea9eee628c94715a6138cbf32ee3618226638e38

SHA512
e0b6929d7d463d4277cae17631fa7f6215e2d7f45037ced0e98b8c2565d4eb1fc03f3cb1f5624d156cf61b35636ce9f68fb7f75a442e8042d554e43a1471e61d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7325316512e37024f3906ca7d091ed30

SHA1
7799f7bdc619b2ea69ce77c88bf39021d4c41a0f

SHA256
8e26baa2cf15132b19dfde624fd857d0e2463ee85067d84e607dcf9e3c6e3acf

SHA512
3e56d825070f23a995efd960030f86b6072a39219b7c7082266cf9763ac210cf8eb9c4acf18e7f8869697d862d44d6e4c9a0d0e092a2bf17024363bf4d51a8e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9704e177f012c1559e7530710b92a362

SHA1
52babc641c8fe227df18efd0f05d943fbc2ea97c

SHA256
1687d3c90b6decb99deed3309a058903a28a9235f26b49dbf75706c7d19cf477

SHA512
e723605755928d034ff83f4a0d0386ccc8cd7bf6fc64fe045de21ab0452ec004e5840d630d90a89905b10b2510fea4d5bfd09254f5afa269c7c1b13ab44a7699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32611a286a1b1e36c19ecd17590acb5d

SHA1
0699d687211ea26e73d16f40946767cc23aaf776

SHA256
07d71ddee249a961c15fe57de221475f53e24c16f6b03e1fdf36df9fea583b25

SHA512
81c0b37384552438c73b7715b69f2458a6c5e530f364d43addb2fe306f95ab8a7712c2d704eca59fe8aa6a865a517dfa22b59a4a32d949811f77549f9243ba68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e63a79f585f15df3893a16c3522df377

SHA1
10c71fa52a456895b4e09cfb2f763f8f3f356e47

SHA256
24970b1bbdc3a2f1f07fbbcb79bcb7d85ca5f0f408a3327a75d93887a0679560

SHA512
288790a65546405fd9b6734166dabe27ae1e1daddc724f087d618a5c035281afe7c37cc7cf495adacd878dfa6a8c270424bf779afb5b528b560ad2987b05e5e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4191dafdb410243cfe662d998f2227c

SHA1
de3f6ed2c4f03bd35c7e8b9bf141816e8bb5463a

SHA256
6801d643895dca324858652ef1e620a8ffbd4ffdd6352fbe458134e7b34b6ff8

SHA512
aae0b2752d1c8cce38733ef96c91b1206cf3605273d0ca1f1e594935d921716183d5ebf7e877be73d3419a7615137b4097449892e77f18926e48a22a8c369f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5025.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5232.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\12PPFG64.txt

Filesize
600B

MD5
9ad9aa546db5a9737d7648e947679edd

SHA1
d74c52ebc1e9ed2e22e519d9ff24c01456c8f7aa

SHA256
a7314dda1e81081e2c74ac9f6c8d98040a82fa0d2d64b838dd72db8a640c56bf

SHA512
91c82f3e0724ed911d4e990ac40924b7c2cf9c48c1b17fbde31193f715f5450b56414ef33270c945272efe9e3c9852acd4bfceb741ba06bb57b9b8da666e7a02

Download Submit