4c4d3d04b830b66d4a8c17fcb27f2e4b30b96f63c128308776478bf7ee8ae377

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-06-2023 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clockLightTheme.xml
Size

3KB
MD5

2235609a58ada82f2110d941341a720d
SHA1

d3b06251eb8f131034ba1ea3b0db982cb31bd813
SHA256

d89ab1d4bc636a73d64ef1d8976d517f13449a11af28d70e88ca3d0c40e114a7
SHA512

ff7543b27941add4a92579f1a55f3b40a16cd8ec8cc43b678b229be38a3878267fcdbb80b040e91132fd938082c47e6e237f62ac3903422ad9499cf7164228d5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393275115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f02054979cd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000717574cddccb27499ea15e3a9552d03400000000020000000000106600000001000020000000c0db3f86438c55583ed7f1ae8c50ed47506465de3166c73fab4d7fe98d43c9ef000000000e8000000002000020000000fc36d84fb2985a1b7dee43ec80fda9678f38e76210ba024571b3b847e25de168900000004f6583f372bc75f60adee73e3a69e4707c72a67f247fcfff1802ebf9fce9957c969f03f0ae9ab1b63813dbffadccd42a45a13fec145dcfde8bd8d9b33949a3530b8d6bd2d01b91603111761b1e6f7adb4e2498f7ad99325a742e07e2b7a49922184fb917b0153a2d90d0734e942d69c8901f2b270170559f9ff1fac712c59c063e8102ac7311afa62cc3b6749855c603400000000ea925ee0cba117c0bb5c2c6b6d0fec949dda230789692bbe9d258f386dd4b8fc0ba5901a48a6b346fcf4f4f9f1c2cfaf0bd620ec678fc509bbe77ca0a60cb6a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CE40761-088A-11EE-8E52-C22C4A0458E6} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000717574cddccb27499ea15e3a9552d034000000000200000000001066000000010000200000007cb3051ee40828f04cef77861880ab23775d659693b35d45c7bb2ddeca623f89000000000e8000000002000020000000a78f1f937e77ca51d0df1be176edcbe09118da4c7d4c0671e6926185062a7150200000006784a91027f65e49c033eb7873541af9eccaab2431d1e12a12e2481174255aa6400000000a15443217855bab8bf384e04430bbfe5057e34bfc327a24efa626f3580aefc26f41ab876c7e512fb6742d3afb111d72a91d8875187235b3df34635cf1823f98	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
556	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
556	IEXPLORE.EXE
556	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1528	1188	MSOXMLED.EXE	29
PID 1188 wrote to memory of 1528	1188	MSOXMLED.EXE	29
PID 1188 wrote to memory of 1528	1188	MSOXMLED.EXE	29
PID 1188 wrote to memory of 1528	1188	MSOXMLED.EXE	29
PID 1528 wrote to memory of 556	1528	iexplore.exe	30
PID 1528 wrote to memory of 556	1528	iexplore.exe	30
PID 1528 wrote to memory of 556	1528	iexplore.exe	30
PID 1528 wrote to memory of 556	1528	iexplore.exe	30
PID 556 wrote to memory of 772	556	IEXPLORE.EXE	31
PID 556 wrote to memory of 772	556	IEXPLORE.EXE	31
PID 556 wrote to memory of 772	556	IEXPLORE.EXE	31
PID 556 wrote to memory of 772	556	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9058d3e018331b2bc0c91d22fff24f5e

SHA1
3e6537569232647575f2b6b7c37c12b349be766c

SHA256
447dc505469b8dd95acc17788698d6a3869ffb89c21ecf41f83922dd1d30d9c6

SHA512
687cd953d6c8b09644505f6b9d8c2999505047eaabfe749b996cda1cc34cff8d64f910775607c75d6fab8c782f1383a214cf932ee8ceb45a5fb8b03cc97516fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
aaf2acb5388bdaf6d5ab54559407b6a2

SHA1
182cf47b0c6094d7317ad3046403627e603aa88b

SHA256
9d51ade0593a9604cf11f4bed86de9ddccd0b5e112e4f2f754a4b3d00773d3cd

SHA512
f11d6ed89a50d5cd5e3a424a166693fe26990793d2636daa09e7e10aff29da48d54d05be651c544d0b5c774c2d552396b7c148033997f280d0beab5e6b972821

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f0e5f05d8799953c3fe53fcf9a0c8fc5

SHA1
5e16b78cb04a227a974b6ef78c172c4d8ca6858d

SHA256
b5f4ca2b9ccf30427afe16dc84fa992e0c2d1e1f765b9dd696e7b1b88ce6c792

SHA512
503c429370274d70012677ff13b838fd48c26c0bc505add987ad3f35bf97a54a13b921dcb46fbd1e6ce6946fcf43f68266e7c298fbd039b18c178455813479dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
78c9547ac4181f6b25802e20cdf42491

SHA1
39db7ce07215ee47437557fbb16aafa9113c92e6

SHA256
ba8c0782b79df7ed9381b7dfaadd0b0d3498671c65a09ecece1a23cd525f259e

SHA512
77a888c9fd7906e0a5eaa573f8978ec9ef4f5c642bbb2e324bbd59b65bb85c875de6353c12807c51696f0103b5d812a11b05d7c1238671ddcc7d0031af4f95fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a649c47c5f08de5d885ba386db811a6f

SHA1
504f5576cb60d8f6bf2b3a6ac4722d726a0c15ae

SHA256
d7429e8d756ba0573d88fc56d59d36b1bc893f41698362f29b08d04e7016792b

SHA512
adb74941063d33b7dcfac1eef77eb47f8c8cf16c4ed86fbc70766f3fcb8eb6f1757f29d95c0fa4cac9d30a6115f021e7a6aee628b90d3422b53e137f60ad3ca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7e914bfb273a49a821f9a96578d9c4a8

SHA1
f431f7f8027fcec675fb837f518f99063061e16b

SHA256
15a92976d3a41a6ca378c78fa9e8826175d0fba1da9a5e9ad346bf891b6a4446

SHA512
7ef5daba342a34624b8f5a7a0feeb6a98aea9c0164ac5453f8230d16cc42171776a9e507303ebc656ec781ca9f006de601c4d59974b7e760f4bb0d2dc79a084f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
044824e7ffd51c61aba60dea804e4dc6

SHA1
ae66daa6e8109d5097bb5be3e91229462b4f4621

SHA256
693a28da0833fa8302c9ed016025b544e3a34e9df85aa6b4fbff8afecbc4ed97

SHA512
8b0b4d9b93c49296163ef7593b1a6ea8562968fa0c3f6cf964e171c8c1128bc265ada2a22dffe87cb5acd09203053dfa566d441ef28a53bfddf777847bed97d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cf1395c960b4820802c2e75477f5308d

SHA1
b7bf293dd3e1416eb98b2687b4110b83d9e2ea8c

SHA256
5b13bd745f2083d9b1dfb26f987234eeb7b03f2f511e7adf2145b349bce741a0

SHA512
0ba5718a064d3ae2e67d20f158517a007dc990aef5053f8241d9b1ac97977d78b5d8b5da4d47935da21dcb3a025f1ba95e61ac8c48b23e955578abe802cc108f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5796d9b8bcc4ad9322eee3489e3efaa7

SHA1
964b2c33311e2cdc47f33c82b4a76d8b519672f9

SHA256
0956db9ad7eda3e5b767351eea0062330ccabec66a12d860047db472e78dcf35

SHA512
4f083d7812c50b0105d7dd5901388fc8ad13774a910a50997022db9f4c281ea04eb5d615fea23a0c0c7ddfacde9b4dcaadd7eb40bbb86857bbcd8bff07b6c10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QHKTFKHM\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F5B.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5221.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BVN5JY49.txt

Filesize
608B

MD5
741dc4e781cf870486f165705b646c9b

SHA1
a02fcb62118e02ecc5c156b0d583c3ce87227b76

SHA256
cb37734e2a9ef7c9819be0622c3d2afb23bad1207b185f1715fc77cc3127f922

SHA512
cedf3198e23b305b9d08225e35183ca7b75f4cd0243db3f4f969d33d56b8b64ba9f8bd67a842fe3340948036ecda4f6022f161c7810c8bad77ce8b8f9b2763fe

Download Submit