adf2482b7b36c11826486065f9551ca69742dbd70915acc1b2d740862fdcd106

Analysis

max time kernel
100s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-06-2023 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chestOpen.xml
Size

2KB
MD5

d0c6d566aa6535fc9d662e220b23b781
SHA1

2ffc88c379c988e2bb47d7975a96f32480dc302e
SHA256

70703ff38592e071018d643d5a74b5152940613235f7a7c674725269d9e0af80
SHA512

1b74953f3cb443e4ab5d24eeb86cfc49000b15b1a253f53d64e28ae013e0ade48c158a29040335dc473dbbe4741cbac1d9c61c4463ad701ae9ad7af19a43e16a

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000717574cddccb27499ea15e3a9552d0340000000002000000000010660000000100002000000074abfa1f3ebea0a63709b878fed20944fc6f264d1d27e58d650b6d0594fb6c88000000000e800000000200002000000053db71ee3c69f181d74703b952127bfc10375e4d40cd493f49989a274d54ad482000000057b49113d87542483afd12d40a6adf63a22fade8dcd45d6f3eac4fc9e21310f140000000131bd079a8dad1fd2c3eacf5e4f0d68181cdd304e8c4e5d80adf3aeee200e095eccec6963557bf401a96e7b8bb2afeeba7f746fb05fa875740e47b17b0910896	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02fafa02c9cd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C85ADB31-081F-11EE-8E52-C22C4A0458E6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000717574cddccb27499ea15e3a9552d03400000000020000000000106600000001000020000000b8be7eba446c5995cc40aac714d38f8dbd8f31b35f30f894d240eca9aa1c687e000000000e8000000002000020000000a79f2559c490b0f876626327a3a5ad1587b1df414d2ce21d985d568083c276be900000001e48a3d58e92f778a0382e9c9619f73d0b2bda0942bd1358cb73edc97cfd18a12b915c28c80f912cfbb34e2bca4713f8c83baf6a5da08b4919dac86353f1f35c5f7439dbafa8f6f77b5f68327b5a97c490c3f12b5fe76628f54f97c7bca8441cd4b794775782fd49cc390bb5bc8cc31d75f5eb19a24e223ed868f518490e4ab7cfedbd1b98a5fdf53359663195986f8e40000000de749b2455ebad746c51496f0ed23c735ec03c2715fdc32331765322bd30154391785cc7f413f144c192c7b3270a3ffd0ffb5b983414e9a457168f985f1f007e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393229284"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1548 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1548 IEXPLORE.EXE
1548 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE
1532 IEXPLORE.EXE

pid	process
1548	IEXPLORE.EXE

pid	process
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1248 wrote to memory of 584	1248	MSOXMLED.EXE	iexplore.exe
PID 1248 wrote to memory of 584	1248	MSOXMLED.EXE	iexplore.exe
PID 1248 wrote to memory of 584	1248	MSOXMLED.EXE	iexplore.exe
PID 1248 wrote to memory of 584	1248	MSOXMLED.EXE	iexplore.exe
PID 584 wrote to memory of 1548	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1548	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1548	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1548	584	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 1532	1548	IEXPLORE.EXE	IEXPLORE.EXE
PID 1548 wrote to memory of 1532	1548	IEXPLORE.EXE	IEXPLORE.EXE
PID 1548 wrote to memory of 1532	1548	IEXPLORE.EXE	IEXPLORE.EXE
PID 1548 wrote to memory of 1532	1548	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\chestOpen.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7a6540e4327a0c3ed7ca40c46fd729a3

SHA1
87465cf9c3d50721eaa4ff0883f12a849cf746c0

SHA256
9fb1ac4d29a792b84b3d571aaf02177a8767347835dd8ac49f9aa7d881c4b999

SHA512
177f98be266090568df88170059d1ca1fae437bba26b0b8003ae8ca30242c40b63fdc568e221c05b89e5d42f8b586bacb17678f64a32c804fccf94f40ba96a3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a2c5f867af93928b7eca47cefbb05d47

SHA1
0601d465ed9bab34aedc597d38064cbcb1cab651

SHA256
e785cd2ce31b969bc8b89fa28c4884a4acdf8ac5de5896802c7acc7970f22dd1

SHA512
581291ed848553f274f596d9b89802ceafef2bfdc288af554a77d87f31f2185b32412bae2d05c612fb5fe341bca6586dacc438d7951a2f5f90c618d251387304

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c73dde297b308d5423b7a54db2939caa

SHA1
04001f0d5a2b925e8aa126d81fd2952fb9ccc82c

SHA256
90ebd24750b462cdf77a52eadec44d2f08cd0d98735c2df7f6f6d69bdd736234

SHA512
0ab1ed3d6ae775a4db441990c15ea112c726d196d88c1a20e20205aa9aacc88696696d7248bca3c8b2ae21d7241c7a6292cc450ea867e6bba0b30935b17462cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ff4617a539586c8a957c67ed116445c

SHA1
d132e6bd57102283452015eef3b5597e6ab0b366

SHA256
d79d29715ed37ab9431cf22b4fce51dea68df2b08024d451dbfee2e05c5d4b65

SHA512
62f15f0680252b6c0d50c6375181d1e38fa885a6d46b792e6d4b3990cae065264d98b5568d20b835c847c23813db6fb697e836d61260c98fe7dd31ee1ed9a4fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
742d5c41e5213ceae4a1899568371e88

SHA1
6ca55d93d30fc736282f14caf46e4f105b886152

SHA256
2912fb8ae4f0f935ba5aeff80303666155b3f42c5fc66e751589bda8d8071b06

SHA512
121aac90b315e333a2e00df64db8d6dc6fb73d2bf3d69038e3a72c2f8d51ef0c6a96c7733f97d4346a3ddff557b2567417d920524b09a287df034824821d9728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3c67138c31cebcd885116633c9933f12

SHA1
2da2d88c1b22ccd3f0a1e0ba30192a3329e06df1

SHA256
589fa1e084e07bd1592ea734a36044749b4170521c3b04737b5c600f18c23553

SHA512
006a3c4b66b5021533aff8dc5143c57a9fd833dbe979cfe61afbd6289749c93ef0d1322ea3162aadf728c808042865978a3713f4f85b06a2e7358ccdfd1c7bc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
53c78b7817aca0808c82f0fa13038d47

SHA1
15ab65d6dc39f7bedf61bc7f19ec61132cecd8af

SHA256
4e9d49a9abd6e7e59001c497a47c0353dd6a204c584c04c2a11ca02d558b18ae

SHA512
e1df9157b0a82678ee2f901f180ab3dc38acfbd67b1de3187a7631115f3b07317afff629ec227b0dcaee5b10417baefcda79da7dc4f2c3e0323b2c8c1a61b3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGZY45B8\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6221.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6498.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3L1QXYSH.txt
Filesize
608B

MD5
fc04f2180a3d4b89d7432f73943c3a09

SHA1
20e351fde7a39b0b66fa5c1ef19367f93e251edb

SHA256
815b3dcf05388577e04420561ffed599b91ab7e6598f09199a02e68f484abc5f

SHA512
c3bda6440202104156ea22e5814576254d3ec68571d98d20008bb91cb536dfbf4c1a1fd7f9ded65ce8f36d2e117d72c21edda0b37455aaebe6fb91f9820523cd

Download Submit