4c4d3d04b830b66d4a8c17fcb27f2e4b30b96f63c128308776478bf7ee8ae377

Analysis

max time kernel
112s
max time network
163s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/06/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stella_wa.xml
Size

9KB
MD5

4ee3c0dc45185231589902397c7a4c38
SHA1

28a4882e91c2bbb68562fd9373efe43d24dce3ff
SHA256

8fead4d413917d70a317375083a0cab7bcde24530fed6d9eb39de05bf14348f2
SHA512

c22274e0cfe22cddc65f0d258ec623360ba34d8ddeb09a2e7c88290d949cb20f76cb6e8ba8f02c7f5ee7ef4ab551d2d61f680c1dfa0b9acb30143f76d908eec5
SSDEEP

192:OCxf3sWhw3hysJPiaJfdvLZacjO/SbEgle3iVIept8CMei3ttdLx7Kx:Oa/sW63hNJPV9VZvjbj03ISpei3ttdLI

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073bf152a39d20049a82fa893fd80f8580000000002000000000010660000000100002000000076e71c0289e3d817f1341575f812143920b8a6e877cde04de92a159d438fa301000000000e80000000020000200000001b60cfa962c3e9b2fe805409d00a194707787d78c1a17c803a304e7ccc674185900000005fe6f5ac514331803f60b218e660d254070125b1bcd4eb965da300c660c4226a06518e450ba6a96e5a68fe2818f6e294fc405c82bd0d3aad37e18eee759e330fc2cdb90819b4006cbdcd6234fd9197b06a6aefeadf8caf1643483927eee447c27ed1e1efddde6f6304a0a4399195ef12083ad8e17c39069b7b9a4c806aa55862047ab67439ef7469d263d89cc86172374000000022f235cf293492182b89d59277e04e813de5664616d43155707509dfc5090b2a06a00aa2f1232c773a4ee8a85bb5770b52b6d6d3cd3f02da1ad450908b430a21	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073bf152a39d20049a82fa893fd80f858000000000200000000001066000000010000200000000387034ca82cd0b5269e7c667057d7f7c2962cebdedccb66f2f2947afd7684f7000000000e8000000002000020000000bd023f623c69dd0d808c79ba67a5541e9e212c17344b84154f6111224ed9c20920000000e6f273ddc5f1180ad3af8206260f210aa6054ac607f6b9c1e257db9cb279f66f4000000071020612a55ce129391613923129c67df647c22e6fab3d5295813d8fa13f154ef55e9bda0291e47ac6ea6108ef065499fd09c727013aa6424d08d2c95491884c	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0ff3362979cd901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393275137"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8A06BAF1-088A-11EE-9310-DA251FB5CF93} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1116	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 568	1472	MSOXMLED.EXE	28
PID 1472 wrote to memory of 568	1472	MSOXMLED.EXE	28
PID 1472 wrote to memory of 568	1472	MSOXMLED.EXE	28
PID 1472 wrote to memory of 568	1472	MSOXMLED.EXE	28
PID 568 wrote to memory of 1116	568	iexplore.exe	29
PID 568 wrote to memory of 1116	568	iexplore.exe	29
PID 568 wrote to memory of 1116	568	iexplore.exe	29
PID 568 wrote to memory of 1116	568	iexplore.exe	29
PID 1116 wrote to memory of 1664	1116	IEXPLORE.EXE	30
PID 1116 wrote to memory of 1664	1116	IEXPLORE.EXE	30
PID 1116 wrote to memory of 1664	1116	IEXPLORE.EXE	30
PID 1116 wrote to memory of 1664	1116	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a5f12821bb9cf43b7a69b599e71f904

SHA1
8c45ce38291661f082a5f18e1881e033096e8776

SHA256
c6ab0e39d36beb2b32f1caf15e08c3ebf98e4b26b9ec4c74a54141c1bede8294

SHA512
b6cb222dd5c0a19d3281762bddbb18379abc459a5f0aa77e805c2abe991719d03682e4cfa90b3b10b022981091507a628345daa2aef12602cf730d31e30738dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d47b8077e7e19741f6b28428644ee332

SHA1
8615e43faae48a2d8708aade6fc3b175ae25335b

SHA256
dce36aa6f45ce6711f970d9fbcecb29fc790926d74cce22b2efdfa1a0cbeb616

SHA512
92391c65413000f91460e3da9665b086b83c489fb1d94ef51d4c30a124a7109cfbccb879986470dac0f4dc35bb1d6b65132472e663dd5be2d7efaaa74c215851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d47b8077e7e19741f6b28428644ee332

SHA1
8615e43faae48a2d8708aade6fc3b175ae25335b

SHA256
dce36aa6f45ce6711f970d9fbcecb29fc790926d74cce22b2efdfa1a0cbeb616

SHA512
92391c65413000f91460e3da9665b086b83c489fb1d94ef51d4c30a124a7109cfbccb879986470dac0f4dc35bb1d6b65132472e663dd5be2d7efaaa74c215851

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8bda7a70925b90b80e778e47e72fd28

SHA1
83f8937cb796bab54082f4de58f63e718e9e6b88

SHA256
d2405e2f23f262a481ba65d90146b7fcb8d0d8bbbc8331eb5675a5ca3c5013ec

SHA512
c959740a607a97cd5e315b5bfa7a6fe8d9d9c3abdaf21bd74f34a6ec60f246f1264ed09dcb983ad8373886708ca0de13051a8d7558ce0ca392953fbbe2dfc004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8bda7a70925b90b80e778e47e72fd28

SHA1
83f8937cb796bab54082f4de58f63e718e9e6b88

SHA256
d2405e2f23f262a481ba65d90146b7fcb8d0d8bbbc8331eb5675a5ca3c5013ec

SHA512
c959740a607a97cd5e315b5bfa7a6fe8d9d9c3abdaf21bd74f34a6ec60f246f1264ed09dcb983ad8373886708ca0de13051a8d7558ce0ca392953fbbe2dfc004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83f6dd338957cc138961bd22b5ed77c3

SHA1
b42f46f7afe73043361e53cb0e63141672e5e2d9

SHA256
3893f3dbb0e53bd1ef94d5142acbd22af9bc6a23683858f1922f338657417cfb

SHA512
10d7f4f7f09dc9d9c2743c3836d4259b0ed4a8a6ba8c72b5519b218ec6acea20543e270a57acb8e715a297041b33d81f7e4c2c49c1a1c62092d72e0ed2a56e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcbf7cc55048b1d8497830d5a673fc83

SHA1
5a605ff5dceec7fe8e0e0a81561db59071e401fe

SHA256
8b9795483d3423b4bb497605435b38b6a7cd29f18e35597b1137155840bd08df

SHA512
9c60de0430c1bdad3a3705f86706a192e57649b397f25840274f02c3d639876dd0fbefb11b51adda7e95ba24037997f81c0825fc07b164628e1a30c1abca0cb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d87869e81e4bcdd2e2d57e3ddeabe0bb

SHA1
2a4034b7b377b38cc314a6d9554c11e5cd4f2110

SHA256
ac8dd80cee3584dea5fe47041478efe980e1aee0ae42e314f3b0fa5100061533

SHA512
f01adf62a8d25e97a9dd0a4c71c0e5b73fceffa4dc99fa07092b2948d14a963fca0ba2e2526afdc69105c564f1001573b56777ff29a2fa404fc62fc233439939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA97.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCE0.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YTYK50R2.txt

Filesize
607B

MD5
99da705dbb38cb3a1c49703053684906

SHA1
e2c35876096c674170410c4243ffc9a26c84b5df

SHA256
68e10e90420168605c255057944ea227b0bd13df63ccb995cdb85213fe59ce64

SHA512
99bb0a65256aceb26fd41040c51fb17de70195a5723a5882749076d2e627d5a19fe1f5d98441c364f3547c895facf2d89984660811e33af7ae3a3c4758c1ee93

Download Submit