adf2482b7b36c11826486065f9551ca69742dbd70915acc1b2d740862fdcd106

Analysis

max time kernel
124s
max time network
179s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-06-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boost_02_effect.xml
Size

2KB
MD5

f45467db6500a27f2756cdda60947df8
SHA1

2ec869aa0e2c2fc3512857ddd351609f1d53afc2
SHA256

00afe2aaca87cafe9ccebf3d45c11b9017273c94b52f6e9c3c038c3cb1c4cf4c
SHA512

6e1d9401aa92a88d92d2cb75244125c7e06b4572dd88213627bc445a0df87b23dd5c26b48fc6c8ae60f24c3d764276fc1d271fcef2876828b2106fe3e7c80347

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cfb7bb2c9cd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393229335"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000056166620103384aaad1add862a8bb2b00000000020000000000106600000001000020000000f5c5fa384a41a3fad75dd758a8465b5d240ed30ba186c728e4c275d41b7915da000000000e800000000200002000000070e7732f8c51c821a028f8114932192d29196413f5c9afc1b57363f18385aa559000000049b15ccf9d19008b68bd5bd317c2f79032c179547c02a8d5b36c7f443599f00d5bd8d57d72410313c23c0216b08e723c30817bb5d495eea305356d3d23f89f0d8a5be42897d6dcc9aec8ab4af9b082f79c2193de2f1458c4742668568a0a8001b6d064de0a596a3403ec0b5bf876f8ce680595bc99221ef9e96a18508c9663be146f2e85c6a195aef61d1d6b5f71af1540000000ee75664efbda40efdd6f78b2d27de58cb6cc6b57d898e05fd15498738c5bbbfc15d75eb0c2971ca4cdc296dd17980aa1363d6f355961e8a89a41f8b0d8dcd720	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF8FAEC1-081F-11EE-A4A6-F2A4F945A9C1} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000056166620103384aaad1add862a8bb2b00000000020000000000106600000001000020000000c4c462aceca14ee2d8481eda0740d8f2a965c65ecca039e9af2b920554e49f66000000000e80000000020000200000008dd37992da4e5a3d35c078aee3245e677c20194712f2810b914d88f625efe33f20000000ae21ff963471bd1488718d48815e0305c5c11f0319031abe970487074fff4a1c4000000052f0aaa8acb74bd40cd78b3c41025386ee358548d561fe7f256ce4548dacf115582ae02c2cbbb78e7a9f3f5f25c73fb83c919a0b9b05d869261cda8da3d25c57	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1492 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1492 IEXPLORE.EXE
1492 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE

pid	process
1492	IEXPLORE.EXE

pid	process
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1712 wrote to memory of 1484	1712	MSOXMLED.EXE	iexplore.exe
PID 1712 wrote to memory of 1484	1712	MSOXMLED.EXE	iexplore.exe
PID 1712 wrote to memory of 1484	1712	MSOXMLED.EXE	iexplore.exe
PID 1712 wrote to memory of 1484	1712	MSOXMLED.EXE	iexplore.exe
PID 1484 wrote to memory of 1492	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 1492	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 1492	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 1492	1484	iexplore.exe	IEXPLORE.EXE
PID 1492 wrote to memory of 1608	1492	IEXPLORE.EXE	IEXPLORE.EXE
PID 1492 wrote to memory of 1608	1492	IEXPLORE.EXE	IEXPLORE.EXE
PID 1492 wrote to memory of 1608	1492	IEXPLORE.EXE	IEXPLORE.EXE
PID 1492 wrote to memory of 1608	1492	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\boost_02_effect.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
1f376017127f9f64c0d7d2c67e6f0172

SHA1
12435c8d95e1454653a869c3a3a09af5e1490bdd

SHA256
a31274f3a2f777799fc2fb442f2db7dfb0335678e1384e8b7b20d0fb412372f5

SHA512
4cdc3556439417fcae4aee8f926cc7f93fa2657d6c3e7b04b3a04b72f0a0274f217c483bdcb13c8af097e00b5594aa36d867ec591d68de7bbadd47c7e5b89b20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8d87bf88f994fa234efe6a54aa94fe1d

SHA1
59f585338e6b7c4f15b90a049321c5a74a640557

SHA256
29c1bf0bced93755ab94eefb37700107f08aebf620754744f763383511ff74e0

SHA512
175259c92e873e059ee386d9a9215989b4842b4461e1679cefee72ee53cbc62c4faa2f3da6285767a635fd1fb8bba864f4e50f6b3045e2afa1e782bf8c8a42ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4647afa2a03ecf157d64f6b85219b243

SHA1
e7f664587328f95dc83223bb2edf3378325ccfaf

SHA256
a6acb9eb97817cf7c08b161af869c7a03dea21bc50c026dbb19e1d4b5ceae875

SHA512
ced30cbfcc5e3007da175f4dd3d44bf7c931759d65872f66ecea8aeedd16ea16b7aa6022f8c96b793f661d003889fb5492ce69958c893edab02be30daf803289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
1ac57484f40424cc7590dfc889ef562f

SHA1
eed086cae0e0aeb1759e5872b8773ee008751ec3

SHA256
0878ec763c48019a11841a8fe1378916683cad2f2a738e36de3acb7419e7cdd4

SHA512
f836a5b78aceee2ef55023a6c327d927f008ac8f03cafd2c98a12702e4006e72c575ee997e67850911052d4259cd3ba8b1412c901703d97d39ca87627d3569f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
731b652e763a40c3e667db0a71a8b872

SHA1
4f256d9eab954a281464fc54cd3ab9b1251d1c24

SHA256
a6de8f6ea13a4d9d82db611f93c6c76c2e8a15cae7c73c7c56bfe52119e439e7

SHA512
8ce4ae9879f14636d7ff80a20891b39b2989a9dbd7918c0ab09e517d52807c8011ad1c5e1c7492737db305a7e43ac61fa52017da8025c1676659f931a00361dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
734ee59d07a4043629fd71fcf099c0bb

SHA1
9437ab3c8b65a036be0c2d1d59ec47df3bbaaf4e

SHA256
470774d6a2b25d84ffb70abee9fac3fcbd2db65a1f7b28694a8d05566b93e1b1

SHA512
b9406beb2540f5264eeb6301ba9b03d4ab02183dcb09ef563dc90f5b40dab9c10f0b5b5390f7ed200412356b4ce48c03fd245dc7a9daed72c18067164a7d74ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d89e30eb5727c5315e9dcfd356a80b02

SHA1
a9ae93775e0f1e91865dd4b008ac3a8fe58d064f

SHA256
d1b775d698fa40f225a894833058b960e49388dc10f0d01a3616caea315239bc

SHA512
a09f54036962e35ea26bcab9c20f3196045142a43554dc36073f60dd8367174c7ece61dbc5e32c53a7ae87722183f7bc8d385ed1c13f9834e9958a8df3bafd05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
fc63b628e1c306d13dbb2aab652fca8d

SHA1
7c18eeb5e773eda208593a27bac933535d6717c4

SHA256
cf8b661ae01c1afc3b1b46719563963f3b5193fdd7707fa314bb7515258cf74b

SHA512
234e10c592e335f0e139955d8443bade83ebae8ab0595406695649c6bd8dc6fc065b2e3e1eb8737ea420981802bcecfd00876f914ef755e29760ee12e6831884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
37b682d021265efd43cfca07ee4d5262

SHA1
8f4d6f7ac627354e9bb5c317baca9c1c3a71a585

SHA256
c493e086b7ff1cd2962a1ea7eccc58942e649ae4e7645b9aeef2c7da7f28d765

SHA512
f7eb09271d19322f659d504b3583bc621f8572c53f1dfde8bd9f56e72f373a6c77010773bec87d39d6a32dd583e96f7d4899815ba0db0eda310b644279acc992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BYN4WSI\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DDE.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E82.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7AKHJQTC.txt
Filesize
608B

MD5
043157e4e66a725403cf45c0c68f294a

SHA1
67fb97ae65635b820d5b2435642fd99e1be863fd

SHA256
c8a6c02b42170376ad2da256ad552dd9e919cecf4980d4d373ad8000d366aa81

SHA512
36815df8dd601b9e8d6156204bd81b488134eabcd30fa85032dc721182a3fdf499e968d565d4dc24e1581e86072ed270bd5972f1d7bd7daf750ce88786c2aaf6

Download Submit