479e12d47db33b3ad27b857f6d1b480de7304dc93ce951d282b945530a48bb56

Analysis

max time kernel
99s
max time network
136s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_cloud.xml
Size

4KB
MD5

cd47d4b3192545c91fdddeae5adb3d8a
SHA1

8d389882bb4a501bd8d2c9690a023d0c808213d7
SHA256

8ec8ca9e56edab13c9b45aa0dc21a4970398ba6917efb981e4533cd510c56d58
SHA512

58f8482402652807229c3d5a563c785f4f85d6f768592521b951ade7555826f49f45e41881b1012c0350ee5aa77e0e4daa22f207e0fa3ddf3f06c16e49817ddc
SSDEEP

96:7OKfETG9jU7aGyVS0/K4TL+uhBj0HPDYKnCZB4qdP9:SoZuaGyg01TPhUzMd1

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394759255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000725f6215c6983e1cbdbbe6c70733912c19d2a27eec2959377a8af094bb57b53c000000000e8000000002000020000000bda4ac6f8d42fcd47d6dba37c8d2b6d52c31924219a692cfe9f6ef3684fed1dd20000000e050d41686e77f0a2ca1a3790351204c0ae70b9cd1ecf315da6f0de1b8969709400000001fbd7dc46c55945aabbd80ebfe17b7dbc624c61df64f83f54cc1c010f758cec7039104b8e96e8bab65e087af5c68a6b719e210799bed379b4d749220943889f3	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a48000000000200000000001066000000010000200000000c5e102793e0f11377dc7752b71d413566b5cae12411e51f2f61bec2aadc4524000000000e8000000002000020000000de87370f2166de510ae938c41e4401f2ab3d8284e02f690f27a3b34643dac9c890000000685db219ecaf74c8a9eb8e3161daf977629c23c195e15dd013e4b46f0bd40d72b40aa096c2595204c70e602f19fd58e55e6980bf991f120fb288e8b338a939fe2dddf6e0e976ee33466a6491facb377a23a748957f756db97cb98b252852454355c4eca7e7209387057f9861df134a9eca90ca683042e637aa3637f1f8ec3677a6326fa0b5d66435eea556f090eca74540000000deab13eb6c10ee179e3efdda0da05d8bd831df4708d38ae5410fad1cffdf31912ccd398946a55caf18e606f8ac47142cbf73f1cbcdac60a1aed6a811075c6451	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{062E3E51-160A-11EE-B7A4-7E4856BE5E44} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6013b5db16aad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
584	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
584	IEXPLORE.EXE
584	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE
336	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1952 wrote to memory of 520	1952	MSOXMLED.EXE	29
PID 1952 wrote to memory of 520	1952	MSOXMLED.EXE	29
PID 1952 wrote to memory of 520	1952	MSOXMLED.EXE	29
PID 1952 wrote to memory of 520	1952	MSOXMLED.EXE	29
PID 520 wrote to memory of 584	520	iexplore.exe	30
PID 520 wrote to memory of 584	520	iexplore.exe	30
PID 520 wrote to memory of 584	520	iexplore.exe	30
PID 520 wrote to memory of 584	520	iexplore.exe	30
PID 584 wrote to memory of 336	584	IEXPLORE.EXE	31
PID 584 wrote to memory of 336	584	IEXPLORE.EXE	31
PID 584 wrote to memory of 336	584	IEXPLORE.EXE	31
PID 584 wrote to memory of 336	584	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_cloud.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
663fa0cca1ecf668cfc00098a3956a84

SHA1
b0845e077cae97b7e4cfc4fd67ffd738b5df147d

SHA256
2175a73c51a9e88cac2da5db6a5a1d2cee312e63a8051959080739d1abe346a1

SHA512
dba14c691b91a071ccc1e4ebd0446d3a191420574d085adecb8b9d5a91099684010df71e37167ecc581f5facbe07d2ed0b41e770ee430739322ac58cd81ad19f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d4c942d8f4f2a6bfdcc1b2fcaf85cbd

SHA1
8cfe029196134e3aca0dcb2362a079997c8d26d1

SHA256
7af9c260808ca8fc21d38d8ace36120fec364deff6de12bb8c5cada4edb39067

SHA512
a71ecac424a48256547fea645a9b330f1c017d4c91052021fb41cea3138177a27cb6c30ca536ef3f844f98fcdfbd273528f75002c378b8b0752fd755830b00f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f13e3956682c36c40370f78b25aac342

SHA1
0f4c2bc38587a34fd3b909324c07b5b372e6b705

SHA256
fc3dae5af7b66f49d0058d9213207cc81d403ea00a82db37d0680fdc0e535ac4

SHA512
7987c3ff611b6d5f2951b78640fb7eda772af21286b3609d652d3b1e9834bfdfc5bd7e346a9ba2f66ea563afa9750da1ce74415482b32aaf32646fd8b7bce1df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a8f7d29a980fc2846432a1f3c81e195

SHA1
ea20fb9d0dec17312db24b2dce36c1230ecfe873

SHA256
5156faf90ef3e9ff27121b9582b78331d4efaf9312d2d9ad1e81ec217513961c

SHA512
664dec8ec7bc260ac09bd57512a6bce388cb38870a080ba6ff94c3940624eddce781eea2e72280e43d33c5613404ea0f41f4818902d36b3847c03ac30cb1529b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd9587f1c595f6cacd29ebe24fe432dd

SHA1
67039bc42ae6b3d76775b429c430ecaeac69ecda

SHA256
22bc894a6cf4df85053440af15fb737567879c3cc845465a371364bba1f6d162

SHA512
2d80e0fb0864514344d6784961cbc162f39339d09699b636bb9d72cfe746f00bcde136500fc7c2d70aed695c4e65f0a8434866d3c224be0c44c459d2f621d6fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
624353fef46d39011fde342e3ea955f6

SHA1
42e2549820b9c0e2c56a24805bccd6dc9bc1bdd3

SHA256
7c0e12f0ec1ee049d96b94ac93e9822ffc7b3d601ce17cada2003ddf4b61530f

SHA512
6d74e0110126d580853104deecacda9d3e2d8aa97276389352c82696615dfbb6a1a4bf5ac199b948c7660442e8abdd5cf9dd061ead367c1a7586c8109b3498b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e6febaa4f8263a9dd6a9000e9fe6be7

SHA1
a114c53cfa224241a75dd2f480c1a493c771af44

SHA256
e8753f051b430ac47880fa2766bad765bf29c3464a3082a22f29cdc41069ab38

SHA512
f11c0a56425c23d9fd0ca051c9afa3b0b30dd93f99cbc61d2a37d461d136e564faf0a9db2e6f7f369c7638ad30f7a04073c9d8d0067c500ac49cdc9b3a0e8938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab61A3.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62CF.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YPB3KV7G.txt

Filesize
608B

MD5
9b33bf654f56f267e00b4488e03cb047

SHA1
6e9011d28cf0fec2d9f82c8a1cd8a7bfcb7b0765

SHA256
a1e39330d559181cc116f15053a2bfb95a0cfaf676f5fbdcf3d304c0ff197163

SHA512
f57ee1ddf1960707611395807bad8f979eeafe8ab817afcda5c6994461f14d96081728ffc329bf8b6215cea6b520695c5aecce375814154c72f7d6d57d0c3c09

Download Submit