4c4d3d04b830b66d4a8c17fcb27f2e4b30b96f63c128308776478bf7ee8ae377

Analysis

max time kernel
107s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11/06/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clockDarkTheme.xml
Size

1KB
MD5

663e33bfbbb0d14830694114d49c457d
SHA1

3231baf54a3c1f336f1b11d9a7011bc5502a9d4a
SHA256

43b0cd84c7344f57b2656d66d5bf215a4f1d1713a8117e0ecf92226b8ce1a200
SHA512

c116ffaf6c1f8ad9bd6a1d85de318c9ca2c3b6d4931a1aa165dc7ef7351c80fbddc7ca1371c81dee35b3e12720fee2d3146d7a510b54026c3aba9202dee5f1b8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60112055979cd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f5d8e2a8512714f9da91932de97133f000000000200000000001066000000010000200000005ed0d6ab1d7e5d867aeacd3a7d394b54b0ca25a7c75cd7ffe62436cdd82234f2000000000e800000000200002000000011ec603b66995f97da88362c4662586e0d2c9d23b3097da87adc1a345df177952000000093daa6fc86cf636bf6b18d5a4c72bc53dd605cc76293f99383d0dbe11f97450a40000000380e3460dc8f53ae5608705d87805b9a332f9acac68e6ff4d309fa5019ebd029224060ece9729e0a9e2660d2bfc806124a43b8ed0771f8213a2e65db59e0ac8e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f5d8e2a8512714f9da91932de97133f000000000200000000001066000000010000200000004d9cce941eb8b5d8162867c8b790349c8b16f26ba6b9227e69337e58d9f0c991000000000e80000000020000200000002c088b544afb86e01ad2326151a873590ed57b86a3b120d350fb384724bb2ac0900000003973e0aab36f5f48c83c5b60a67da688b0f5a47316bd73ebb284dc6f3394f7e534043788443d9f84500e173e95b37ff712bb55d3dfb0f4299aeb329fbf7e787093aafceec81ad999d94844772221992468204e5dee2e3624e6edebdd986296ae70f33df079ee4ced7a5ce8a31289dc848709d5c56c883c32ffc3968b7aa0ebe800fe6ef259386ef86e838caa33dc738f400000008c7965bf70a4f3935635a4013ae08c9a9591ddbe8488f0a1506c54ef49f6d2c7f05872b5b16b5623f3177e78f9e245c9b861bac67c93db95c924033677e349b5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393275117"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F223791-088A-11EE-BD7B-F2E58DC6BB35} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1640	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 664	1484	MSOXMLED.EXE	28
PID 1484 wrote to memory of 664	1484	MSOXMLED.EXE	28
PID 1484 wrote to memory of 664	1484	MSOXMLED.EXE	28
PID 1484 wrote to memory of 664	1484	MSOXMLED.EXE	28
PID 664 wrote to memory of 1640	664	iexplore.exe	29
PID 664 wrote to memory of 1640	664	iexplore.exe	29
PID 664 wrote to memory of 1640	664	iexplore.exe	29
PID 664 wrote to memory of 1640	664	iexplore.exe	29
PID 1640 wrote to memory of 1632	1640	IEXPLORE.EXE	30
PID 1640 wrote to memory of 1632	1640	IEXPLORE.EXE	30
PID 1640 wrote to memory of 1632	1640	IEXPLORE.EXE	30
PID 1640 wrote to memory of 1632	1640	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5782ee6f4bdb705cd0b45fa2d19eb609

SHA1
94e2978e3182f6e473d28f146efa911dae150643

SHA256
47d2e46d31ee54426c1864445a81caf520cd5bbe1fee7c165f58243f443868ab

SHA512
8f4cfa6582ed462da7e20e4349601a21bf7cb0197ac0e87ecfd7a769f448b921e1f2f6e08a22d97cd5f08fe61868500d326a72205130d8464f2883edca915b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49ccd62c7d3cfd5ede8b6ce4c133983f

SHA1
4961a0217899506a04192312abda233331eeb8f6

SHA256
77a6a5a7dbaca5574656c85e043af45d9957912e9e7d580c03b458575d040608

SHA512
05629ea1e69068b79b384c23a6c7dfd80a8fb1c59cbb91fb61f98ab91736a1963b3215ed29eba733898d41b7f03783b7e0a33991525e8968e51ca673eebcecba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1fadb817e3afc9a3ff5a7b3779977ca3

SHA1
5644cc35afc433adc864c6ac4e2cdee6cf17ba41

SHA256
c9d77809f34029419752863c575c10d91598340e2f0bb44fbce227286faa4474

SHA512
f6125b2263e9e8d8b97e5f054cbdf9aed3cb94dee071f6949c7cd12bdffebc3b3e62c0c84b6d1d2fa1a45afbab2833096652e19576e9e6aa16c2c2d1bf6ff4df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
777d51d0b575d706d3ba0b0cf759ec53

SHA1
84cec2c1642c9c915193663695fca10a6dcc013c

SHA256
c179f87df4f1372536ef894b16ae693d8774224407b2ecbebe4d8e85d714dd88

SHA512
f1f1449a23ef70ce1ff67c9042e1bb97295c0fdf6eb65be076c5850e35b9720d3f20c9531c3a2e0997fe0545ba183d8311758e482e73471c27fd85ec8130a9a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b46b9b1b845a04864ae535b077072bfe

SHA1
d8870d4b0abab608ef92ce6837f71f4881d64ee7

SHA256
4ceda6b7d22f7dc41a2fa1a48f722b7ff12d059583460b907b2355f44cd2fb26

SHA512
a5cc70161188f772034419b04e01b319a30757a84023f8b8a814e7277f9d915dd2b6c1a30fe53f131bf99c685d8a4c5cbdb644126a9b93deb3fefd3982f5e7cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14ae0aa6693dcd6284e80eb49359ddf4

SHA1
8ab6f59b6859ce3e84588b7f5d2d07de26d4fdfa

SHA256
5b44734d92dc1d69e4d22c7535ac26ae20295e1fec1264dfd5eab7031e6969ed

SHA512
32bf38d3a166bd00485f977a2a089b805a9166ef2b102dfe7207000f161a5d52a97a1c5380c626277d54e0ba63c3b4cf2442d98e02c9660b93032fb75d6c8c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7414190c2fc3c23711b6bc5684cd64a4

SHA1
bc778c4186c7ae20e4789abbb427804b41ed87c4

SHA256
6b766f80e884ac6abc27e3f116d35a35d9719bfb85313f80bac9c90c97075f0c

SHA512
a26ddb40f71602f32898a2c4c4efa59a60bac4ceb32d260b0b1137e527f8fe9b74ff792aa7895950a385bd0a2a3f658ad07dac48f7104e870731f5afc11eb6ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbc75620715a46be3a3fc61b13fff967

SHA1
0d4760604d7cb4d7f16276a4156dd3e4a8007466

SHA256
67f56706d7036f3e4d9b770a04e3acf616bc0fc678dcddc2786964f25fc3463f

SHA512
2ebf64b71f5e14d24af84305fe1f79249552578e10a65ce26c275900884829a22602aa06f4bd6b37ad27799d333248d6951ca245468eb404bb3b29eef41b07c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6981a717b659ca7686864098f0ea65fd

SHA1
e57a67578622f087cd5d47477cbcd29e7e6b4c8d

SHA256
de8641630e1cd40d40021391b96d57855bec02f70b43ff3e7f8ea293b414df53

SHA512
14d8e744fe96be7322ea4d8e7387a28285569e6c5dd69bd0ffd0a433481daeca0d8c2004d51384344071192971619bc1ecf5073cda928c39009482772b1bb814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7774.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A44.tmp

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JAYVLQXU.txt

Filesize
604B

MD5
32d2d9865fa471633dd0098640bd72dd

SHA1
3cd86a90cc20e1da0e0d537ecb8c895bb1faa3a5

SHA256
bff6229bf796914d9cdbb7f39eb48e1db889c30545f41bee944b76926d873e50

SHA512
920cf4e6c1b5da02777aadb5c71c1e748e08009a0d3a78d0d046e3e251057766e789e1451ca633c979b12884b459d2668f2a454897d92e7b34328cada8bed55e

Download Submit