d3f984c264fe320731d92c53d314159c28fe813fcb9b5ea803c959e9ce4d46f4

Analysis

max time kernel
101s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web.xml
Size

18KB
MD5

5075af18fe1d2b5f9555d5cc68029814
SHA1

56c4c47501664bc3bcd54be505cc3d9f7d0761f5
SHA256

c4cbddd4fd9347b58cc5a72b36dc4ba1ad2bb699e65869d05cd3fb9865f0d824
SHA512

dfe8ed72b013e67c3cf0622cfe7d14ffde97a4d7132ca6690db5cf2d347f3535b475119b01984923ff6c3f39b8865f857c67ed465c3b0358e2fd06bb0dae0909
SSDEEP

384:lJJuAr8F1mJ1ayCk5+H75YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbEJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392507869"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40be4b21199bd901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000014c1d8a93bcde84ca8df692f323d43d1000000000200000000001066000000010000200000001472b6daa17c61bb8f20caf3980a7656151be7a9ea80fb49d862cd98dc4b42b5000000000e80000000020000200000005a7432a34b38d71c17becdcaaad876d95d22f55d5678df080a397fd40eb0db299000000033c01cb0c286be64a135f87d77019850d81471088e239cad47dfe2b7eaf8e004d554aa4864d6eef092826a42ec0e90254317e935980d90bc47642fa5ba80814084a9f9224be5869fec8c5557af562e82539597266051d14c5098fe564d0a04550a6be767de16719fe0eef613b967f12a3f7e976a0a44078a765ba29d7cc5a1a075a70482cf342839e94815b17b1a34ec40000000009e41391135e15027b338624f43a98600bbcc627680ac7408fa87aa98fd6e5f9a1350affa5f553cddb53ffabd276a9e2d5f4f3e3b377c9d922da8edd67716a5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{46D01CB1-070C-11EE-B29D-C6A949C40DC2} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000014c1d8a93bcde84ca8df692f323d43d1000000000200000000001066000000010000200000004fd770e5cdf5895645d3e3e96394cb05cd00541de470466d4679c1905c313d3b000000000e800000000200002000000094ec98c45dc88e6b7bc511ad0a4e6f88c2a57d52735407abbf4e9f10b1f2f2e4200000008b35c4349c0f80e9f52d2b8455efad85efe674b454c52204e9a31a5477075fd74000000075258534e79794d70e740b1bfec27529eaf4f3963f06cbeb62efccaf32f9ddfd1d19d82d25dacb62f68f2af8e6fae777b0fba922704e9831b2acc49da74f29b5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

324 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

324 IEXPLORE.EXE
324 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE
2036 IEXPLORE.EXE

pid	process
324	IEXPLORE.EXE

pid	process
324	IEXPLORE.EXE
324	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1564 wrote to memory of 468	1564	MSOXMLED.EXE	iexplore.exe
PID 1564 wrote to memory of 468	1564	MSOXMLED.EXE	iexplore.exe
PID 1564 wrote to memory of 468	1564	MSOXMLED.EXE	iexplore.exe
PID 1564 wrote to memory of 468	1564	MSOXMLED.EXE	iexplore.exe
PID 468 wrote to memory of 324	468	iexplore.exe	IEXPLORE.EXE
PID 468 wrote to memory of 324	468	iexplore.exe	IEXPLORE.EXE
PID 468 wrote to memory of 324	468	iexplore.exe	IEXPLORE.EXE
PID 468 wrote to memory of 324	468	iexplore.exe	IEXPLORE.EXE
PID 324 wrote to memory of 2036	324	IEXPLORE.EXE	IEXPLORE.EXE
PID 324 wrote to memory of 2036	324	IEXPLORE.EXE	IEXPLORE.EXE
PID 324 wrote to memory of 2036	324	IEXPLORE.EXE	IEXPLORE.EXE
PID 324 wrote to memory of 2036	324	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:324 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
23e854c9188956b20ec32ef71c9af310

SHA1
17fb71fa16aba0dec1c7e227c15c5285301afe9f

SHA256
357809e955def2016c63c4cab8ad5ec4a43e24362c69dcd3b457044642463541

SHA512
f2efb66fc112bdf3e3324186e5409b330ee7f9e0ca7dfb6c3aa7326b070956c8f7e2113460f4048c9d15e14fe3c99dde7da6803903ffe01dad453f47479b8d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f4f0e4e85a484349cb4622040d85dad0

SHA1
e7be59a130f4918c17441746bc99714375315fb0

SHA256
c3f521c4feac46200877dce0cb079ecf47be7754ca84bc5354028b52fe740b0e

SHA512
3ba40b5fb2afc136016cbc74c8c07503e2fb1be3a88a8ca03432da9550054de93cf79202ec55b44ea3bd0712af4c68b587765d1b225ffd2acc233163669145c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3446ddbbff66fa4bc044921cca276042

SHA1
88ebed48f0961ac6d352461ef525ea93b3b40493

SHA256
129107d2006bcfa58fa78c4483ba686273a6ca289eb615951eb364c5156d6235

SHA512
f4f88b61231636cff61b87214f99da079a774cb7e60034ec334881548e0596b1b29ea50618041e4aef1cb5b0103d4ec27863f996325d1efa722063e333d7fc8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aacbbb4819109ca7864083e4e0c01d31

SHA1
dec09437d3e645f5d574d2f0b018a9febf58656f

SHA256
8bd4701a4c75fe9940a9a9423682b688f48d0bc7fb2e4d02489e5f3c0531ed6b

SHA512
e85b45e8a9472105dc5345c72e79d148f685ddd5dac249717318b286e7fb3352e6d70bbf131af7276025d97dd1ed3bd653e4562069776113d0ef02e62575e6cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
00ef84079edefd370897b98dc00695bb

SHA1
52f9308f8d02f05c883b860817b6d5d260868af3

SHA256
8a1b3e5fab7674d928b87611c048be03bdf52c64923dec20c127df506c25fe0a

SHA512
5def73b2d5034367a4a729b7e2a40cda0eea20a30582f473e351862627b724bdc41bd6cd60a2486e5b51cd2e278a2f3277cf8fbbd2afe7ad9c06ebb7f74af102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0d5747f73a23075bbd1a5ca7a2dd695f

SHA1
246e1429ec5b3edf61a63e55e40ac35324cc2975

SHA256
f37e815ee00a55f8c7cb7c7075e09d3dfc8a0928a159da35fd8d058309e17524

SHA512
25e833f8711b15648670d8e54f255f90fbb55d42c7e1958b0641431dba0a2a016692882ea02344d65035eaae136bc428634a2fd3615d0f5baaf9f18bf8864301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0d5747f73a23075bbd1a5ca7a2dd695f

SHA1
246e1429ec5b3edf61a63e55e40ac35324cc2975

SHA256
f37e815ee00a55f8c7cb7c7075e09d3dfc8a0928a159da35fd8d058309e17524

SHA512
25e833f8711b15648670d8e54f255f90fbb55d42c7e1958b0641431dba0a2a016692882ea02344d65035eaae136bc428634a2fd3615d0f5baaf9f18bf8864301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c606dcd26d59340d3447658e900e4bdd

SHA1
16bff642c91e103be7cc5639e0ebd30d546589b6

SHA256
44bb405cf95936b12121ba0f9403dbb22f2e57c4520d67acf2ce422683e61056

SHA512
fe84f96f95c89cd2fde9603c94482a1b72f4f0704e8e05eacb028f1e437ca33624b8f106fe8fc5fb55670da190f9f96734cf5e27d982b5d0feb213646900c725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
27326f4a1d52d76700cfd6cdfc7c2716

SHA1
cee8b3576c6c5a6757bde1d4983378cca6b20d67

SHA256
f916bd8bdb93aa2bf83b5c4f395eb815b08a7adb011a4cb0b5e3647505bdbc91

SHA512
bac02612e117bc5e3ea5e7e9ede5ea789084745317326d7812d66926db2850e4fdc4724270285fbe542d765814541310e635e74eed732a81392be7ca1bbbed9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab145F.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab14E0.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar159E.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit