58feca1b4b8c19b000d7911e2586659d65d8add75d96c3611530afc3cf11f841

Analysis

max time kernel
108s
max time network
154s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bird.xml
Size

1KB
MD5

564073fb36287299158db87208c3ef4b
SHA1

d9ea8d3bbeee99b3acdc1fbd5f779d329783852c
SHA256

888e1f6b188d57d2bb5c86656872193e2dc882672c67ac53a1c6828ee95f40b2
SHA512

77ad8ceaa1784c765eb3ac3cd2d8da442d5bcaa8086e67de4baa929d020ffd90895fe61710f285d6668235188b9520203b86c986154815cf5de82b29c4b3ef1f

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394760461"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE7E0501-160C-11EE-B7A4-7E4856BE5E44} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0150ca419aad901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000f76da751991eee55fafa6efec0a12d85c29688c7164405912dd3344acbc6ed66000000000e8000000002000020000000b87079b552e0d3dd1ee32c40f95f759032d3e372f6d9eb9c736919344f481931200000001c4d5fbb9d6233f8d1a4a9458e29ca40f871d7ca7705d5113a235c05cbca38d5400000003dd9adbbd744820e4039f12d12c67ecc709108fffce315c27560e4b49cf3df8cd7ddc418eff0b1dcecb62975b2fa4158795a65e3667e94262d8805e86d37eba8	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000546f9d5350c9f558d1e05a3e668fd1f4ab74714518172acd21660eeeb7896afb000000000e8000000002000020000000ee0ac2a8d2431a34af203df9ec017bf9da933bb25b439a765c5d5db34769492b900000000916a43b50cafdd86a52edaaad9d8135bca2935a8340d6bd64d473caafce35f8c4e226d5d7bc0acbca42fb120419dc9abed76f40b101efd6b99242f61a52d8e792987e4a8d37b7d2eb7c64f4f9e7344d7539661f8f0de943f037a14e5b92fb15a2ca2ea5fcaccf6d06e81a48bc564646996e2b5bdee94452ada3d49709eb4def4eefc2ca61200116e6602bb307b56e5340000000f68f974642dc3f5177ec04b2090a02cc1c0e57d7d2b71add5133e4e34ae16035c92b1dd2707d23e9655814e268915253e6d9a6c3056a971e81989ebcdd0358b6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1852 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1852 IEXPLORE.EXE
1852 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE
1968 IEXPLORE.EXE

pid	process
1852	IEXPLORE.EXE

pid	process
1852	IEXPLORE.EXE
1852	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1952 wrote to memory of 1164	1952	MSOXMLED.EXE	iexplore.exe
PID 1952 wrote to memory of 1164	1952	MSOXMLED.EXE	iexplore.exe
PID 1952 wrote to memory of 1164	1952	MSOXMLED.EXE	iexplore.exe
PID 1952 wrote to memory of 1164	1952	MSOXMLED.EXE	iexplore.exe
PID 1164 wrote to memory of 1852	1164	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 1852	1164	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 1852	1164	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 1852	1164	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 1968	1852	IEXPLORE.EXE	IEXPLORE.EXE
PID 1852 wrote to memory of 1968	1852	IEXPLORE.EXE	IEXPLORE.EXE
PID 1852 wrote to memory of 1968	1852	IEXPLORE.EXE	IEXPLORE.EXE
PID 1852 wrote to memory of 1968	1852	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\bird.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a1fe4351051cf0257f0962ea3aa87e9a

SHA1
aa50cee3b9c16be62b38f064c48dbbc9c968c4c4

SHA256
cf1a852319e750a437ecf0f3a2e153f798cf39bc07a57eca415dd1f9b6f212a0

SHA512
541066d2b441e1f375598fcd3092e3715fddec9113d87e7856f4690d2c1b4a30c81de342eb4aba8e2f34914cc04dce5de6a600fbc6def85aa0bc4f3b307ca790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
539be74056be93ba7c1de525879b77d4

SHA1
35a7e95c944577bc9af44f1bcee6ee558540541e

SHA256
1a792e18db0df4f307e935eb2be372718b3802dc7102c3366353df66ef470dbd

SHA512
3c9d2bf8e1a1b46743afb9d94b47176c24552f8aad4fa64caa28d9133c74818771e7e44c9f4910c9a700138b22fa67a0d9fcd04003be9f56d4ade3ee2df1542e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
773a21048ee46a4e724bd9d2370ca567

SHA1
a2b07502d264cdbf5a8cf0819062046914e01955

SHA256
c9703412fc6769a5fdcb74d5adac6d79eeb492475789d14275cd7e5ef6a66dae

SHA512
34362d932fcdf18c3797a8c8cadf7585fea4b88445f01a2192fd3053e9e3f441115ef4210fe3dee9fdd63a15b17cc788ad94acc240df445ff433f591a3e62de9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e7c60f717178d5399e756778d7ba6a3

SHA1
156f47505627db8c4618e27cafd4fdfd2ab0587b

SHA256
c7bb452fdee5853cc3acb851f997d136d3e7e5830896ec0a1fd53e41f207f304

SHA512
0b2693834636ca2af82fba10c6ca23ff1673f150ecf07bfd9ab5554bd2ac625a8b8344ba0bb0fa7ed0b0b767a0a616b68be5ecbdddd27e5e5aeda779fbf2317c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2ee1e04f54d68276b29f61b595c7ea92

SHA1
c94f457e6afd0ba422c719869c130a94ac3f82fd

SHA256
5dad917f72945e9c141c30d831aab8e542cc967d6842a63db4843f60060f8882

SHA512
ac403c43130cb4fc5faa1e4c7ade5026eeb4e7386f82f761faf8e0a93bb8582e575259e60500f5803d717930f2181ca783c67e79dc677121d9c4e75ab593b360

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c3a6899130b387ba87ac40ecc2943002

SHA1
9301ed03bc8561a3e3edde4c37f04a65444eec42

SHA256
46ba4a937e5b6b84119b4216c1800f9d83b78b7284a574198e827cf3949565c0

SHA512
7002fff9616f94a8435761991524eec3ad272534278318fb019c3bb7a1ff8ff4781515b9e1cc39fa4343ede1153206b67b166ad28a206df3b2f865616fd35c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
46d076331b0e5d322c9fc976d290cd43

SHA1
c2fe508f1158f9c1049aa15fec9fbc43e08ca97c

SHA256
757bd4b1498081a6cfc19b03c7894da707f8fc5b900b05e5f10ca008667273ec

SHA512
881f955734d690e3ca286c92bc1c13ed42e7d2ceb7fba2e3b144aa78e4904c3d611c5eb19401781cac7ebeb6746ff1ad8ef2115ca8c9a3e2b12b33228f647ba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0c90dcb1e759a5c0bdb0b310ce0db20e

SHA1
4c00470f3b072d01afa5cac06b03fe4c90bf7402

SHA256
283961b155ff2b23d7f86727467b6a9614c0c2e6d5a62b0178cf8217d082fdf8

SHA512
74e9e506fc6d0a37ab24708c209d0ff6e1c8069e8f8ec80bb42ec60d2bdd9272c6f2f11383de88eab263d27de411697932ca83166767f33e6af1eb77a5f8fb0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16637026c305d898468e53b477e1151f

SHA1
4bb461eddf0522b84bc5f46eaa909fcd61a234be

SHA256
b0c0e067b1fcf0ba673e1f7aeb685296501df06d63af875b054ebbb0a4d41178

SHA512
8e3add6adbd20c34aa4d8db7b93bc5f58cb5fe2292658113cc8c8856f1edc6a5bf5d11afb565e2cdd69677a3f1522af24d2b0ac9b04597e93bb4dace29e5a876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
325794957f71efc6dd84c5b9e87d3ec0

SHA1
55a9373c911e17651c26ea27bce777a3062ce20a

SHA256
f939b926b448234171268110eff50908d03d32a0251271e48cd2d4c798a0947a

SHA512
d9383bdf7f194c9e1185690e9988ad144d502314b51f1d92d41eff803f7a15f2e993651b320717de9d60a2e04469faa3647c65266be7d4b1fd799deeec8939ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab624E.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar632D.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0VN1O2OV.txt
Filesize
608B

MD5
5042e6e695d84f2ce8be07b4f14c0697

SHA1
f3ea5c7a45956c8918a296da1b7615fcf0d32daf

SHA256
5dd06ff56614ba4b7524fc33c06431d0d0df0959a3a6ca62ac78cc699b342bc2

SHA512
a4453d00455d669e118505038fd2bae05967425cc936526bcb4fdfb5f061b2697e6177b83e0ef071cb4785e3d10f3393508bbd6619d3d28e771fc6a27c717fce

Download Submit