479e12d47db33b3ad27b857f6d1b480de7304dc93ce951d282b945530a48bb56

Analysis

max time kernel
101s
max time network
136s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_7_overlay.xml
Size

1KB
MD5

13da4f83c32b6af839f40448ad4093dd
SHA1

2dd817cbb6c2198c9b622bf8a4a4bd0f58c5980d
SHA256

22a5b339c8e15d0b1393e540966b414ca577f1e6c2c4682bef22e98f74e5a5d3
SHA512

3c5e37b7638099495ca3773edd1b4c780ceced0db68749c7c7437ad460ae765f1e3f952e146f7851a778f9dd32a5c7cce57ee616c0f015231b0071c9a39013cb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005e2967218a20af4e980a9f47ecd196a400000000020000000000106600000001000020000000f02eae57bc3cce629a6663d76573edb3b26ccb319029acd2852521d22af75a1d000000000e8000000002000020000000c4bb5558b8edac397db61adf199ae6d2a7f44c7cf5c26af7eef2e921bd3b72d190000000ebd31a281627f3d09b8bbd4335d2e7330331811d83666a96c7c510d2d8456c88096de69eae44a6c25dfa91a9860f79429be6d413acb3364e60793983c0b31fd0c1ef4c0ddf13a3a16e5dd1b308a7cdbc2bbe98b75dc8e72145163cc049fdd14a7d8bc93b05801865034f3e63ae16e459bcba2587e34c28dc0278d7309de4493b997bc56343a5895832eda4e455df736240000000bafe04c5220f0be256bb4128d6733faadd9c6c350b610eb38942fe08669baed2330f13ea39a5337e954a9e1626d2b9aee8e46f9dde4382854424b9b61800be9e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394759254"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005e2967218a20af4e980a9f47ecd196a40000000002000000000010660000000100002000000077bd51f9e4ca9439ea6c14ab2f1f205d780a06e27f5c7b97a8bafe190188529d000000000e800000000200002000000029c386a8b65d2d8435e63705c4847792353ee5d57ee7fc195256719a9ca9015320000000a92f6b43c07f11ea7310776d6a832840bd396c07a0e297a8c6a657d3848fccbe400000000aae0b164f262222232a66e19d5f84b1b2a42241890d8e9f41b5a206ce3426e14b01ac4c8fbfa0ee6340ba1e5e6da5850273e9d7c64ec3a6352655e3cde4b223	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05B67E11-160A-11EE-8EA5-DA01AA0573FA} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306cecda16aad901	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
1876	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1980 wrote to memory of 436	1980	MSOXMLED.EXE	29
PID 1980 wrote to memory of 436	1980	MSOXMLED.EXE	29
PID 1980 wrote to memory of 436	1980	MSOXMLED.EXE	29
PID 1980 wrote to memory of 436	1980	MSOXMLED.EXE	29
PID 436 wrote to memory of 1876	436	iexplore.exe	30
PID 436 wrote to memory of 1876	436	iexplore.exe	30
PID 436 wrote to memory of 1876	436	iexplore.exe	30
PID 436 wrote to memory of 1876	436	iexplore.exe	30
PID 1876 wrote to memory of 2028	1876	IEXPLORE.EXE	31
PID 1876 wrote to memory of 2028	1876	IEXPLORE.EXE	31
PID 1876 wrote to memory of 2028	1876	IEXPLORE.EXE	31
PID 1876 wrote to memory of 2028	1876	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_7_overlay.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4791f09f73bce11ccd990867b2101a9

SHA1
075f1aaecea879bbc77d77332bd24799c4a7fcec

SHA256
bd3673a1739152b3223236b05705c2b81dc54073b0ac4b16344139fc34381aa8

SHA512
f31050d0567da4fc73770850620529e536b181167e980e167f3cc2d7199ab78404d18f92a0e8e207d135912d370cd84aa672ec1e007086f2dad59080e7bbb3d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55b37ec2bea9c1b5a7084c90d5c5bdf1

SHA1
f5214477fcb7938dc0c10e381111e7626f5f1bd7

SHA256
e5b57ce038ce21ca863efdced69f58551c1130601c48fb10a746c62247b9c704

SHA512
dd1e8fcb48df0c8834ec4b857cf5cb17f59efa8f255b80bce0e16b4427ecb837945c15c1486112d41cf90d9069896da4a444d8ee1294faa326dc5274b70a4aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f5c51adeeed6d9494d81d55788b88b6

SHA1
4eccea190dd743fef2d0dc2410abbe7d22e08a26

SHA256
8861306436b4da3b92c5903d04f03996bbfdf6c0af9b4952329e2d95b48bf7c4

SHA512
1d6c3513a497b8399c73744c3ad12bb31c50c620ba5fe3c03f0e0eab2acd58f335bf47f0a6f9fb1a057ed383283e8b4c7835d035676986485beab5f647cc4da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63db74e1f00e7a2cad6e1d48143a6c9f

SHA1
6ab08e682735253de9158ac91a61c2b6b65bb98a

SHA256
98e93a81552a21925bd71317d652bf2ea191ced4334c5334414ad6a9997e4005

SHA512
c857a5f86367eda6be703981ada11bed37fa5eb31fcf081cf870acde86b7c9f236819b7a6666565c6fc751a2fdd3ad8195be5c74ad829e734105816cd575a7e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21b0ed3363b8f2814d50f11a70206fc1

SHA1
9936300815d62c80374ae2ef8da92021ddedb700

SHA256
792dd65c57162342ff7c360c56022ede43db0eff83b11897c4a69c59e037dd39

SHA512
5fc2962619f3afe77f21387782f0a5893e96f651b8e0dacee5e5379a0b3efb77831285b87ae1ec843c8ea5ad6097a3660796b893795aff812c22a3ccea356c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df6e30851624a4de5337309979a37540

SHA1
b99429fae95f47748949c62def472f4ece51f1e3

SHA256
acc5d2a9113db65ec8a6a9ab3628ce189bbfff7df790beb11c6dbf1748e1e2d8

SHA512
10dcb4bebdc02da807e56602c15c4f87fc9207a123589ae883084493268e638b1cdb271a0c605a612daadc3e3215b6e9b843fe5f7c61b6513fc9f95ed208cd7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adce4cedbe1c6543cb6e0537b9102669

SHA1
8ea59cd4a50fa5713d4afb5c1b6f3ed415bc8e8a

SHA256
3a09c92b7f7585d167ba080b96f91fef0d5e680a7963bf5d5a56615e552043ef

SHA512
04251f4faf0c5be905ca9fd3976b98b2078e432f4ac075b39012fce5cbf6f259be2c6ef51b6ed32c4965ebad745832974cd4a04f5db3636e4c16049dd7eab6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db552ff0f2deda7d4ddaa91fb14a7aa2

SHA1
dea562b9364e27369f8ec0fd898c88075310f870

SHA256
a75a3605debd81c0f196146edee3c88ca12ef7407c4a0de84218522ceffc7133

SHA512
23021cc1a149e59e5d39dc61704f0cabdd7a5075486b76e3d0e53f68fa6d8ce0c4ebd7eb00b2ab0b7824c2f1dd0b6744bc1dc9bda741e54fb78b8ec8955adef3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b21782a04fcd9d7cffe282ab78e5704d

SHA1
95f0928e0975ec339528c0e6d532605df0b7883e

SHA256
798dfe7e8d282f2bba77eff3f27b67e7acafe3048cd9586fe5bd4aab3a4884d4

SHA512
fe360639e7fa7e8cd4a4875782845556069055be24e712495dcf30fc2595bf63a96fd0fca5c47d83387faf20d0faeb0d77034870dfb77566a0c3f6b223456d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORT469H\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3298.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3367.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R9X9MWUX.txt

Filesize
606B

MD5
faa7cb4a297c38af5306627f8d3e35d9

SHA1
fe3e687f7105db753e756b1d23fa636b53917c6d

SHA256
86abfe9bf4c5fcdea0c34ba04c8e24471bb470a453912a11fa861ccf113649a8

SHA512
24d533762b7f7b5806225e4cea1ec061b3974782bd7309b3962f65c8cb9961a17573ef82195ec9ffaa15be8834f8970f04890930ccce44657e351491d352c2f7

Download Submit