9c80f0885070ad37c7230f73fd0edf1d4e2465e31e82101ae65cbb510137ffaa

Analysis

max time kernel
97s
max time network
141s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

assets/images/alert.xml
Size

1KB
MD5

0a8971ff7948291aa608c32e22073cde
SHA1

a16b3fc11fb1e4a58353526f2ee947e8857e3e64
SHA256

40f759d6d150c7fbdadb7fd58391445a7e05aa99e8782497a82e4530a02450ff
SHA512

d6bce8b1b24467f7c4e450ceeff431792e65d856d25ab609cba052c9d4270e0ac1a67985e8991f653fceb8233d5524cabddb0fb1fa552e7243adfe5a69c8f873

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a48000000000200000000001066000000010000200000006c274bd13ae25d9a90affeeba7ab61bfb2fe1f0b45cc6fd9e4e697e4023faabf000000000e8000000002000020000000680892ff305ab644ec66e9e800dc25e46397efff0d7164b6fba55cc7fb5c2e6190000000c4985890db71d7d4029ff24186895eb6ae92bb2b2ad4487d79779fb519a2a9e2590325c02fa9497f99ae51d4f30bd3db42b707db8a61538a0a4a289c007fcd548c0133fde3eb10eb9811e837dcf2f6496e764fc57166219f6d904c0ef6d9b6b8653e0609c1e1326ba2ece46fa82aac2df7cde678755e7540d79f8a91a943ebf128e3f35e066140028ff510dabf680e3c400000009657eba7a6687d34805ea3cbd505e561fa5bbd6bf63dd62fb48612de918108a48b072108639630a6c440b16e8571bbc4c06b22950a2b1f74282e4bff5d65e3f8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68554521-1708-11EE-B18C-6618774432B9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09c5c3e15abd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000de9266cbb2961020b47a73d2de5540eb5f087933d592c68b762e0498517259fd000000000e8000000002000020000000f46c0b900a655ee662e20f3d36cec6f17dc1a1bcb622701545ac87a0b2327ef52000000066f2c9dc25352196642b5d45000ea0f6d94474b65ebdb6f427403d663c75618b4000000017a54709e20ee55af3a073e90396d10f5574eb060d8cbd4ebb4bea306e7003a05e82fe519baea8c6136b1e109a6b378c72027252313b4a813e6acc7bcfb355c0	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394868512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
612	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
612	IEXPLORE.EXE
612	IEXPLORE.EXE
792	IEXPLORE.EXE
792	IEXPLORE.EXE
792	IEXPLORE.EXE
792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1676	1224	MSOXMLED.EXE	28
PID 1224 wrote to memory of 1676	1224	MSOXMLED.EXE	28
PID 1224 wrote to memory of 1676	1224	MSOXMLED.EXE	28
PID 1224 wrote to memory of 1676	1224	MSOXMLED.EXE	28
PID 1676 wrote to memory of 612	1676	iexplore.exe	29
PID 1676 wrote to memory of 612	1676	iexplore.exe	29
PID 1676 wrote to memory of 612	1676	iexplore.exe	29
PID 1676 wrote to memory of 612	1676	iexplore.exe	29
PID 612 wrote to memory of 792	612	IEXPLORE.EXE	30
PID 612 wrote to memory of 792	612	IEXPLORE.EXE	30
PID 612 wrote to memory of 792	612	IEXPLORE.EXE	30
PID 612 wrote to memory of 792	612	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\assets\images\alert.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
653a7d5bb7a519b982f1e6715fedfe39

SHA1
267f976095dee7043940099bf5c6497794d3d85a

SHA256
33a595027901ac713ceb134893b520236baeafb7ef9688ad0ae618d7c7f88980

SHA512
760f338d92daa4266a28abd094d4badc885feb9b1cb1172c195021b032526879d5ecab643765aedf21047000b649694eca2893771a00dd5ff55db0aa08536948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1297d7a7089757b12cda243970aa460d

SHA1
415f7da0af23ac4ae1a759e6014878453c6c5a21

SHA256
698bd02cd88f6506b9557fb821d1963605d5e029d2f714589f8ecd70fa2de4cc

SHA512
3034c68660df3a5ba9fba1b8d1b08c324b49d980f7939baf7340bc9feafae8d1341089609897f090a0c89fbdda6df8a1619475c6b463456e47d1c6ec8d8d73b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3aa66b26d7136d40873efef24c7097cc

SHA1
137eab82026059da61fa6d19002f146df6d033c1

SHA256
3ee3364a5ff601d647b656f13eff171773c81927aae85510b38d7132b57f4c10

SHA512
a5387b58a35b9f9f89fa9a109cfd1ee6a2ffa5f27b4ff685007f076e94dc9a0f1fbd7bebc3fd863551cb6332be6b39af94660cae13ecc830b872781c57770c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
237acf2e481073a12bc608e977c9b822

SHA1
7316cc614dfbbeca5e1af771bc0570699d2474b9

SHA256
9adf1535c80164cc67a3db30ef050af5bcdf9321ebce2a1ee5661abdefb39830

SHA512
7d5a845877d9d4e748569c3feefa2bc690997d8d1c737cbba65defccbcc9392183bed57c6fd05e2e43a543861997fbe34c5913c34b27d072f30a8536e3da2979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2ad0d0fc96d10aacded08e2053ecff99

SHA1
1d70a8f653001d8fa7a3ef590291b365b19a97d4

SHA256
fa4391214e142bda128d3f04c4aee918a0c9692aab833b2671e559a5fcda7a0f

SHA512
0140510daf6f7092cba7e8aaedb2a99c010c08741762caa0afa2e560a08042a88dbb79bc04018779980af6557dc82f3de8a4ed439646b64ac24e101d8025629e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fecccbf639268d27fcfb06c82edf27be

SHA1
4731242ed6d7d36690f84d510bd6e1f94e33b112

SHA256
3133eb9fef099b71667b08a21cd5dea144950b42ce307ec0f63f2fce005e777f

SHA512
9c494988efbe57f533c567caa1fa86143fd2be11995aa3e773745895f4ef34a56b21132de370a2afff2f78f56ba44da5fe304bee6372b3ef363617f61d755ae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cfe532d9e749c3edbcac6ec7ff26538

SHA1
021215c13acd04ea9b4cd2c720e2cd9f59ce0d9f

SHA256
0f380f867b6c27ac4639fdd4ef46b8698796df8a7babfd5af3d87fbfad8e51bc

SHA512
ed4e754a47f8c6064dd13c03b672ed1dc107a1e7e2523f4e7f0b05caaea0f31db0157ea44f6809502e4cdc924a4bfd1c252670fbcba348733bf3faccf36c3b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7fd9aafed287859b71acfc45563cef8e

SHA1
8403d60dc60b4845960606908a72b8ca27879394

SHA256
f2745210a9c16fa2b59a05b69611bec5ff5ee6a98b476b284207b05443d5ba5b

SHA512
c9bae69bcefc388efa9bb352162e027878f81880afbf13316e43a005a54c798d3b6071eb3b889548e57d9d3c90f4bd8179b42d3d4973a1e5809632bc7f3e9251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
321f5ab3c9d3d250444194c5032e16ff

SHA1
3e128c91e0aff0fce60c9863d3f44ad48894f9d9

SHA256
313f876c3b14970fa2fdb86ee3266d0a17fc4dda1012a6bb890478609cd3035a

SHA512
2be79e41fdd8bbe9efb4eb93fda21f258615b754f41ff75226cbce29577dc5900e57a0cedb2743cb4969c501ebe2bd55aab31b9eac0f620af791af08d351f6a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d49cd496794d8120cdd0ffa61767ff09

SHA1
78946edc25e80ab62abd15867034f110b50bfeeb

SHA256
954ea3e0bf506cceda182f89cfbb78c75ceaa227fb3b4d443820c662af9e18ca

SHA512
b2f701b807f702bbbacb1e75f1ca8efd9904db139299be7ca3d7202524eb99e2f84fce7bfcaabd12bfafacf9be5badc1409a0bbb2ec56645f640975485a86ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffd200de9138c30235f96d1d96b87059

SHA1
399b7faeffc16611866c47e44fb8e75e91ecf6ba

SHA256
fa002708c0e7e38432fc109daf2c75ca4dea2d345a97f7c13c44a0912c0e13e3

SHA512
cb9729a3abcf7e75a0db585a8c15fd26bcf54ffb07629b58646d4256f763ca43033ea7f4da647108c11c87e986a013cd4a4ba5db0fdf7780cd3551f1adef747c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQLKSAYN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab877B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar88C6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F81FPT8U.txt

Filesize
608B

MD5
3337cb13eac25d964563bbeb282f3f9c

SHA1
12ba89c9ada82f3a27724b0b1139b8f7fcfa882b

SHA256
d7dd2ee5a44b43c3f22a7aa87cd8b1ee3be61bddacd2ef01d86d8cc5b8440df6

SHA512
952c11de1c97000f4f7d9ce33fbbaab0777ee01ac4dcda4239efb9e241c1661ef1c9c347de4739249549b50e8562620f5fbdc20e660d6324108035945508685e

Download Submit