45aa2cb4ec235f025da8de7aad5c2e2c9d460cd46fa5afc36de94f6c4aab56aa

Analysis

max time kernel
109s
max time network
169s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

About/en-US/AuditSettings.xml
Size

1KB
MD5

71075fce08402095aeafbe57962a1f5b
SHA1

f76fae255aa5454217fe973c4a8035ec9005b923
SHA256

6928faad9624bbf4c74f6c138496a4c6ae8d04919c3de9591568300c1dd39e59
SHA512

9df7480e584b16d1b504e2503b3c4c8422efc2fa37d9a4aceb8a7aea0561c0d73e8e73cb21fea20c6ec3bbbcb715c155efda7b8e38b7b448bcda5db10d773de4

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c6fbb64fabd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF9CAEE1-1742-11EE-93D8-D20061566496} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000b9c1a857f06d59a894866a50d3b73f0aeb48888ddf298d8ad3036a559d888c9d000000000e8000000002000020000000b622587f88cee9fbd006e419d52b981a299c695eaf71b982fe7f7967e0ad318b9000000022246c9dc65edd45a1593b32d78c9bd72fad017439dec055da6d3f31bdf2df692b8c84de394d550bca8d0a1e046d0c682b87924ee751263429aeb3447db370c9bac063609005536626233499b877b02acebcdc805007a8c08ee503ccfdd6aaf21073e8cf0e97b0bc477e2b1a427003e46d8aa20067efbcd95f0eabba2cbc1ad29bb1dcc51f3c9dbb852eba5002ae262240000000093e7a0b166de8a28917c98cc68586ff9583a85ddd472bba637dad2e831e69fd299cd733acedadb4d87c4909052679d4f3ff513bedd9c87c88cc474cf1280c71	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394893623"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000b11be8bc94f3bd08f55cdda3779cb94add374b5c33e034f00c20cd7e4dc9d0ef000000000e80000000020000200000005f163b78369fb03c88f49e2a70fef4ada0a92aefeca0b3e7cc55aad0612c45d62000000054c9d9f01ed9aabe5bd750eb51708d87d9b7e30b8ea5918140e33150b76388bd400000001179c2f270637ce04eaebe501110062907dc8b19a029512f62dae24beeec1c494888bacaacf078c6a1cab61d0be6ed081c7cdd6e63194e0f14958c3e1d25849e	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1156	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 268	1116	MSOXMLED.EXE	28
PID 1116 wrote to memory of 268	1116	MSOXMLED.EXE	28
PID 1116 wrote to memory of 268	1116	MSOXMLED.EXE	28
PID 1116 wrote to memory of 268	1116	MSOXMLED.EXE	28
PID 268 wrote to memory of 1156	268	iexplore.exe	29
PID 268 wrote to memory of 1156	268	iexplore.exe	29
PID 268 wrote to memory of 1156	268	iexplore.exe	29
PID 268 wrote to memory of 1156	268	iexplore.exe	29
PID 1156 wrote to memory of 1492	1156	IEXPLORE.EXE	30
PID 1156 wrote to memory of 1492	1156	IEXPLORE.EXE	30
PID 1156 wrote to memory of 1492	1156	IEXPLORE.EXE	30
PID 1156 wrote to memory of 1492	1156	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\About\en-US\AuditSettings.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a26373ca66518d320fee0bf2364f59c0

SHA1
3e3ee65a52940d7d3d051e91b1ae090c7dab324a

SHA256
7ac4e9408d50a761692ffe0e5207fae0624a02fb02f6edb6193c3fc5844b6cdb

SHA512
aa153d589d6c8634a89a5ad230d664bfaec11f48a58494357a3a80336fda7560bc82bc118a9bf39a9a34c270acf7dc5b1ffb149b582e020ac2592ebddc1718ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3323fd8a63a9d35c6ad4efaa610afeee

SHA1
da5a348ee254608cc52ab82023433d2cc12abf7b

SHA256
76459014456ac19e3ee543d65ac5d5a3a98d43ccadc76f69e8fb538c9e5a1dfd

SHA512
7532eaffe1c23e16d04603883ae0a14588443e34caeab1c6d486b86c28ec5e949b648691c9af57931fdd879a0ac1d383c881f61f8ac1e613ee0a0829402b810a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31f9a90ce49ca19be5edcf1ba88fee18

SHA1
702f73409ec92e727e784f5f079f49dd7ecb2b0b

SHA256
9521198805d5741ddb53e204f419ed94f5cca93c9b3f260fef776cb840d08e4b

SHA512
173bd0e60d22ce067ec6649f817ac8ac2cfe1d13c4674e25211e3a42a350d58395a7be98a9c9c8e2552a70abd77eec389ba099c85ff1c88be60bba1f62ebf02b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06121e6ef8cae549341baba486c5bdf7

SHA1
dc49d43bb0ec990a9b5384253a50a30c9a795004

SHA256
68622c7cb420f001f6689f7a09fe243ae48888433805e79ebedcfb39fbf4daab

SHA512
256976d01f472f9d4de3136c1e3b791a21908093c1c285b11bb6d74cd8d7a469998858ec95f5c3742f426ed49f51ca978ba7e2bf8b86632c993dfc389c4e202e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3468b081124010529f2b040063d8aab5

SHA1
b3f10ca9a07e2240e541cba7a2a0cbf75b3f7a1a

SHA256
ca30974df98d90d42be1e6970e1f3fd5de0bad54ea0de53637f1e1e8dea5a0c1

SHA512
2852f178113fc9c0da82ecc0f0feda96db582028ed47f617dd75e64bf372ce7dafbccc6cbbb758a199fc15c5c88024083065c3bc0b876f9c5a38469cf7aab549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb03e9ed769e66cb75fa1f1e96eb854c

SHA1
0b95fe4409d5abf74c842ae9e771a5f8da7f7284

SHA256
e76f39b83b9d02a7bab5762d481efbfdb1342e299f06b846c2cb8dc7f4b488c8

SHA512
9f7dc46229027af6af40d83710ff59802f19b72f999f08d1979c8214597da258d6c9d81b0e185f64b53e3df875573f413caa245bceb95ac33a3bf9054e210218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11757169bd41a39ad6f1e6595d21f842

SHA1
d65f3d3255e2219cdf831767b9c8d3db2e16c166

SHA256
e0c5669033dbefa23012a825bb190602294189520845b6b8597a367d1436a59e

SHA512
f4c9f553dbe1c3a1ae490d312f4d1fb7c9c6f5a5fef182144d8b33121d193a70f414b688f69c67f012c757f287acf80f0e15346e4298fb83fe3994220189f157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52b3b57cde78d70352f50c81d1673d13

SHA1
6ff110cd245e04b319f673da58aefc9e11915a48

SHA256
ef3a2f86b47cfdc54bf6480e91f52a75d307aab6ebb7282d656d6f38e80f5ecd

SHA512
4e6bf848a5ad6f6d4bea5e96a224f79ad1652d9b374e0295343c139191b3597e0080f93f00144285b6bc091c6e137af02b29c97ecc1359a3b8ea1fd4978588f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f44c49b2dbfd53accade51b923e216d

SHA1
8b92f7400f32fbfbec2dd4b33f10284df01bd8d0

SHA256
62e564aa1777f827e2f00e53f9e6b4aec528a8469b79a1ead144835f7b3cf23e

SHA512
1c13c59219e25f8105f7dfe5d33ce5c1e88dc4e96bd3607984aa09a0dddd0e7a72517574ccc961fbe90603ed833f626f34ae7ef39c6938a43a6a8cbe5df78932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZT1SZ958\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAE7.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBB6.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6R7LJ1GF.txt

Filesize
608B

MD5
3629874d4018eb4d9afeaf2c880b6101

SHA1
00e0efa1cfd5f43be4079ffeb43e10ed26130aa0

SHA256
f7a8f1c1dcb2abe4eaea8bfeb03be91a86f908f0076506bbf5ecb42a7d303831

SHA512
1ed34d5ded0208b3ac32d181e79b4ed380ac5dc13288a49c449e9964ca806dfb64b17987bda75f6ceaa542e5878bc94015eb90002cb237dbfacf8e1994f8ac5d

Download Submit