f2fc5e65cc3a5bf9d0aa9141b3eb4bc390dcb7a25483d0cd0bb6cabaae2013f0

Analysis

max time kernel
101s
max time network
135s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
13-06-2023 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web.xml
Size

18KB
MD5

08101241b15b53ef0ab908f6d388881f
SHA1

ea3e2ad6d71d483c54b12852dcbdcd0baa569988
SHA256

15a2c7a9242bf54d3ccb3e07fa6d8f84ba8b303d8877243787a1103009941bdb
SHA512

a1ee7f17bb069ac42483d1f98ca839ff1bd06f3fc15cd379dff4aca3732a5dac24dc17e15acc8f8fa39e60e186219f4fd70664f9ea284002274a4ff8609791ed
SSDEEP

384:lJJuAr8F1mJ1ayCk5+HK5YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbpJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "393397951"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007067861cc9d9d64182fb444f64fac0ba0000000002000000000010660000000100002000000067e060e0dadb8458f65357a13dd64391220c63d24886a9272ce652afc211d951000000000e800000000200002000000048192df2c2571920aa2abe14ee5fc3967b3112cb4c92d3f8aa51155055963c5f90000000b786b601e5fb44b3454410eda9dbbdd328b6f4cb28069f13081486bd434d5065755f29f8a98b272cf072bbc09401664130803f2482c49fd076135a699d85abc3cfecfdc0406cce9b7fea9d9ac961eccad4d71997f2ca594dc0f4c05cb0e94c00fa5fba438bbe119c66e44856a9d841abb5ad5bebd5bc2c315a2936c435bc4dfb5ab6c8e1d7ec95ff446a7690a016e8cc40000000463837e2b3ed05ef786de5f5895a8c547a82c232a1e0d46fc38e79c5f0e95acdea3beff8c4a3d2707df798fe76ee96cf16e9aef012a30292ea6c1c993fdefcf2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DE64231-09A8-11EE-8B45-4E1956A5016B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702d5656b59dd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007067861cc9d9d64182fb444f64fac0ba00000000020000000000106600000001000020000000bb9dfdedd0c80bf5c07ae427a13f81476962d5adcc6c7e20e3e2079817df5e83000000000e8000000002000020000000c38c9473a8d6dfe1a5b48cd7225c5aef7e8ddc1bf31d4e977956475dcd2d740220000000f48b5e050e152fead37abd35fc999c802d0fbb9856ebcb16fd08c9eaeea953904000000075c2d6f289441d11970b19c7edf731c915f048a598ce02f533af9f36b4a4f093adc95256708beb1e47dc7745ba81f59939cb42c9d54bd2971cc5428d392ffe86	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\es-ES = "es-ES.1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1616	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1724	1056	MSOXMLED.EXE	29
PID 1056 wrote to memory of 1724	1056	MSOXMLED.EXE	29
PID 1056 wrote to memory of 1724	1056	MSOXMLED.EXE	29
PID 1056 wrote to memory of 1724	1056	MSOXMLED.EXE	29
PID 1724 wrote to memory of 1616	1724	iexplore.exe	30
PID 1724 wrote to memory of 1616	1724	iexplore.exe	30
PID 1724 wrote to memory of 1616	1724	iexplore.exe	30
PID 1724 wrote to memory of 1616	1724	iexplore.exe	30
PID 1616 wrote to memory of 2028	1616	IEXPLORE.EXE	31
PID 1616 wrote to memory of 2028	1616	IEXPLORE.EXE	31
PID 1616 wrote to memory of 2028	1616	IEXPLORE.EXE	31
PID 1616 wrote to memory of 2028	1616	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07368ea1cf6cf11ced47fa8197e1478c

SHA1
69383e09cd1aa7db1cd3951aafe20c97b79098c3

SHA256
3f47378ab95de994de5a3afafe5628359d94aef3de42a14008eef0a9b3ae37e6

SHA512
d7ea4968acd427b738342f9e5db3e0e1e1139251332be9aa6069684802b529dd93bbd0edad1abf08649a37979585ba39fee8ed4a02a9986b30c69580a554314a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9ef2a80dae405995cd7b129c1480b51

SHA1
646ad8ada47d0f60a274d61d619e5943bd20404b

SHA256
45191bc4fafe02ea3e32fa1a783d0267f3a6eca396bbc828765f135aea5bb50d

SHA512
8022c9684354ebf641cc1cbcfe884cf5bcfd04e45907d44d2facebfb66fb2401ba52a5342023375648f3ffcbea61cbb56fd12c6990e9ec343166536908c98442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe4d4e20f78d62fcb0f2d2f1f7adc142

SHA1
c8ca16ed46f1433861d79f38f4e075a9d9b44b09

SHA256
36eac0b6d14bd55c8590d195849c728ee0d6db073f4a457cc7f5cc6c0c267a0b

SHA512
7cd93090ceedbcc836b5cfc009809e1f9bf0c16309b5cc58dedeada04c95d3a8bf30168e41edd16b3179462c64f28e8d1a907f32b75d922c966b6663cb3be74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fcdfd2669f15385445043e39486852c

SHA1
1fb0bee57c87e8e8a38f33fac9f5f77a4db380f1

SHA256
a1f194499a20f2416dd11d099de5390998c4b6a1a0a09404baa3a7e67085182b

SHA512
69df6a7a172d07d19542397a0f811593c7004ad2d96ec547d8d3ee512b9ea91a2b4068155b37e113b41af5063dbd476f60b73ca9aec989ab18cf3645ba69bdf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14335110bca90b4843199ad6210cd548

SHA1
a97c93ceaeac126168ad458d254ba4be3331779f

SHA256
9949429d1aa2b7c5ee1074a1231c83697cfc8622591b6cf1ec29d9422c088ef2

SHA512
ee03a5d4926938ba7edcbe62aae5e3f02c77e136ac7be8270ec196acc23b0548cfd50098e8a9e7c449d060449b6d234f52e38335ee244ee46f36d6e00836483a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f3e628ca9b028462eab1ec98fc29e54

SHA1
c1e4ab3c81de96d5ed386d4c4a008648bbc82777

SHA256
6e408f404ffa55940c9297caa07f3d5f54169868561a0cbaf552b5c25565d205

SHA512
c93a7d4b873e2202a1b0c48ba5a20c1ab814dfeceacb2a0f07b3417c31616682d4767ce287f7c2aa6469d3465977f046d13fc21bea905a548660f395b63afb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80A8.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar83AC.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T91213SQ.txt

Filesize
606B

MD5
b328cd9d8f4b0cff280dc60f80662ffa

SHA1
43c301fa7bc239205f6e0f69efd87c6bbbd5779d

SHA256
d925600dd8c85788a8ef7ecf79fec9eb7acbba4e25bf47a6321dd3c58475bb93

SHA512
961fdfe6a540ca9bc08d6c04ee91792a1a1d9b3c24de5e439d2f0c2a858351084fe9a219c28c1c5b163f46e3f50d36501bb9be59622da2a507d2c7dc79632805

Download Submit