58feca1b4b8c19b000d7911e2586659d65d8add75d96c3611530afc3cf11f841

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28-06-2023 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_7_overlay.xml
Size

1KB
MD5

13da4f83c32b6af839f40448ad4093dd
SHA1

2dd817cbb6c2198c9b622bf8a4a4bd0f58c5980d
SHA256

22a5b339c8e15d0b1393e540966b414ca577f1e6c2c4682bef22e98f74e5a5d3
SHA512

3c5e37b7638099495ca3773edd1b4c780ceced0db68749c7c7437ad460ae765f1e3f952e146f7851a778f9dd32a5c7cce57ee616c0f015231b0071c9a39013cb

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394157364"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000376c0b4d0fc806448c2c8b4fb3cdeabc00000000020000000000106600000001000020000000466c38f821f1b3e547ca137566533e06c81419b9663ef598f499d8483b793cef000000000e80000000020000200000000f2145c604c66e2b9a54dc6b21d233d51cc15aab9868799e1a61277573b0c4de20000000b3ccdf9da28ef98db9e7d789f37ffcef00c311df87562ab50c7a591467620609400000009bf71d5dbd12252d8326a778fad2e1bf39d29c09ed3b3dc0a43afa4939f846ea501741a19d90f29692d60cd7b61ab89dc1ea924634d5c25a6547582f7e05044f	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a367a419aad901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000376c0b4d0fc806448c2c8b4fb3cdeabc00000000020000000000106600000001000020000000a94c6eaa4e6aeb68df766db3a03d2ba5bd81e423ad0ea989a22a29c6678ee566000000000e80000000020000200000006b22d1a38bd3ac680a7aca3b2a7896ec086b8b69cd384b4a96066f8569fc036990000000dc48f152ecbd386431bc6e54d6617b7df689f2276731e53c8c7e158012eb7bb8a93b15d523285f7a3ebba6186b76a052572e9aea4612dd5e0752f8a7e6772f098ce6d5cb87c82a98fe328bd2a5659b89e6b6dda9b83d67c87af160679abc7f09843d7552c8fe0d99ca5129ace1584ebe6d5c6ccc977b65ccaa2bfce2bf5f21259ef196c77abb9ce2e4d9b45c2471963a40000000c92d5d1d80a22b94dc3aafd574d7a1431f77c46ac05a0ca293024b43bf3455bbe28e81d719a51f3d16c56bf1883a711cc30d29cb163414f8a7b88703afb1844d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE994D61-160C-11EE-886C-EEADDA397F5C} = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1672 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1672 IEXPLORE.EXE
1672 IEXPLORE.EXE
1888 IEXPLORE.EXE
1888 IEXPLORE.EXE
1888 IEXPLORE.EXE
1888 IEXPLORE.EXE

pid	process
1672	IEXPLORE.EXE

pid	process
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1624 wrote to memory of 1864	1624	MSOXMLED.EXE	iexplore.exe
PID 1624 wrote to memory of 1864	1624	MSOXMLED.EXE	iexplore.exe
PID 1624 wrote to memory of 1864	1624	MSOXMLED.EXE	iexplore.exe
PID 1624 wrote to memory of 1864	1624	MSOXMLED.EXE	iexplore.exe
PID 1864 wrote to memory of 1672	1864	iexplore.exe	IEXPLORE.EXE
PID 1864 wrote to memory of 1672	1864	iexplore.exe	IEXPLORE.EXE
PID 1864 wrote to memory of 1672	1864	iexplore.exe	IEXPLORE.EXE
PID 1864 wrote to memory of 1672	1864	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 1888	1672	IEXPLORE.EXE	IEXPLORE.EXE
PID 1672 wrote to memory of 1888	1672	IEXPLORE.EXE	IEXPLORE.EXE
PID 1672 wrote to memory of 1888	1672	IEXPLORE.EXE	IEXPLORE.EXE
PID 1672 wrote to memory of 1888	1672	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_7_overlay.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bbb0d5bea82941cbcef2f1863432ed0

SHA1
3f685e62487e3159f63f8b28e587c2e9d10200d2

SHA256
674b16a648ae4faad44f10a3c145def476838f27c0d31efc44f1f9e8f009dc9d

SHA512
ab1f5623eac527520245c58bb8a2e0b04e36e71ee31d1cdad1c53d62a711154bd9147cdc43e27cabeeca3f51edd2e40f9139bfd6fdf680e45e8715e554ff3386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41be9374df1e40dafddeb4a67f79e2e3

SHA1
97472c55f7b66c7ebb81b12da235bb9d1a04c571

SHA256
bdc6eacc416b3a031a61e364d9ffbe3c90d4ac03d0c6653c022a251dee53207c

SHA512
aa78397c45fae68f39017e3f38c0d0a7b5c08a88d389022c7ba8746ede838fadd7c43f4ae53dc4413d0cef12f5fa90b8a5c86f3940a65bb6077b4f8bc9153268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a9a0e206ed66ca5ebb6caef028db375

SHA1
1210ab303e0f20db8e1e5e7fd4f74551807c0ef7

SHA256
bc622857ec4f501b8714bb957ea0534ae5251716f5d45657671352c2853a8d24

SHA512
dffdd2a0e277a435d2eb94450c22c5d2cdc8f952d8ac5d1d0c58652bf78c937e967129908565949e6a5b5f76f81131b656fa71fb45dd353b70df0d4dafb14987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b33c973301fadb093838ab2fc595a49e

SHA1
8b63f0bf9b4fbe90c141a63bc5e8d9fc7dfc04f3

SHA256
52ef61b3409abd7fa8b4a3a99a1fd1ea462300b05592289b14491eeaf00f9b66

SHA512
93b0d64bf0004585f9a7cc1c10fb6f3e9d09a1de165c18dfbd93a38c926d845ec5d2097bfc27ae27aceeafa5dfa94d60e14e12d0965f0478e55f3fcc98016296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ec823b582e4f4917873503a4ffbd7e8

SHA1
2f902a3351c10fdce73d556c097a5b04884fa164

SHA256
f67f2cd9ded678c8d024de5de23dd43783e6a6a590c2d5a096d22f3038251433

SHA512
0d6843c259851597cf73e17b355fd7cd1dae6d3d7430ce9dd90f453d3ca21d02bf1bce4558abee6abeb221a02ea01a6ab95098cdbcd18318d16ac31c253f8254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b7e855b667ce4cf8e21f9ee094c813e

SHA1
bf72c52f6aac9d1d3022a5886f931ada8befa777

SHA256
5e5f9bf61f4efd03149296a3c31bd3c71400176a0f80ee7b85fb5911543997c5

SHA512
3d5eec096edcd4645f06025f86cd3cadad485241071fa5f70ca2e2791aad1c5434bad3355fc6482e90d3a723054d5f132b1caa4f4526d215d62ec90e397796d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a040ff7a06deace8034434e203d9e21e

SHA1
dc1fd02260f26856401a289a363c1fb5e7ad583c

SHA256
6cc6ff62484e3da1962b67d1dfe66e0ea5ac37f6241904cab18878cf890d0476

SHA512
89f250519c9e0b1a2cd32de53913417bd4a8c698c41f0021dfa4126c43da665f638f4b2e97f81aa218eab00a75dd9eef729b3be7c2a3c6dd379876608e0dc883

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9ED3.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F52.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit