45aa2cb4ec235f025da8de7aad5c2e2c9d460cd46fa5afc36de94f6c4aab56aa

Analysis

max time kernel
102s
max time network
169s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

About/FileSys.xml
Size

6KB
MD5

499e7751b019078a8a997d67e8805686
SHA1

8d3bc566a990569dcd87a4862f4ea74b5a8d7696
SHA256

bc713bc684b0bdda9342da9fa7e36caf7f328f32915144c6eca49b674917df88
SHA512

0ccb75c55eeddfaaaf658087904bfca12c520d542789527e1248785ead66bf9f3de8478b2661814f549c6ec0bf8ebaefa1ec250199b1a6e3ccf95f6f60637d12
SSDEEP

192:sYl9Bi4JFLHTSRPTsOyA0VXAQsMAy5PVzRMS6l0TE:ztJFLHTSRPTsOylXgMf9zRMV2E

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394893601"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D27AE5B1-1742-11EE-81E4-4E0CFA160496} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000826db13b4f2d6946b52cb68ee9de0a2e00000000020000000000106600000001000020000000dc962b55ea19dec470707b60cf555863c9471d33156ef5c8f6cc9611d45f913a000000000e80000000020000200000004ed9911cad31d4e1c65d13fa3837f6adf17f31aa9f44e5f8ffd6d510d6dfc280200000007c7cf64618fcece5b97f8b6e35256ffef8d758a6ec95cd825bdbdd902eb77330400000004d64bd8e4623658ba329c49a257dec161c87e4f351b1298b7637f0384d2a678fd818fabc88a6fb100eaeb8105c6968958122f30adaa01b19cbe47ddf000b6162	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000826db13b4f2d6946b52cb68ee9de0a2e00000000020000000000106600000001000020000000a4f76beccf3a18813ccf4ea0e1b52b218c6880f35b648c8a203a264ab638be06000000000e800000000200002000000072a869aa1a8194656397ddcc0ebad7f4b82d67b9c638f6e70effc188bf347b599000000026665ad3bcd8b7d5a30ce4baa617b3306dfe891a89b6a5f766c401b22d04cdf042478214996da27ba9a4b6230c2c9b4669194b8e574477ff1595ba73d0d7ac3ae06bbc7497d82696f9f6925e2eec3aaca1fdaab3735ba1deec55428cd6ad70b02a2fdb943997cc1a944d207fb272e15f4e6f1daa2d17e9a7e2dcb00b2e6c714eefd9185398f7d46bb901afa85c76635a40000000b6e3523ddd753a8182a1e2f2abc9368849619f04c82703fb6209b4b7dc8c9c527e9f1c011ab3032155a9b25310c3b233424c58e80922eeab6fdf66e8592da3ed	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80dd67aa4fabd901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
472	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
472	IEXPLORE.EXE
472	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 524	2020	MSOXMLED.EXE	28
PID 2020 wrote to memory of 524	2020	MSOXMLED.EXE	28
PID 2020 wrote to memory of 524	2020	MSOXMLED.EXE	28
PID 2020 wrote to memory of 524	2020	MSOXMLED.EXE	28
PID 524 wrote to memory of 472	524	iexplore.exe	29
PID 524 wrote to memory of 472	524	iexplore.exe	29
PID 524 wrote to memory of 472	524	iexplore.exe	29
PID 524 wrote to memory of 472	524	iexplore.exe	29
PID 472 wrote to memory of 1700	472	IEXPLORE.EXE	30
PID 472 wrote to memory of 1700	472	IEXPLORE.EXE	30
PID 472 wrote to memory of 1700	472	IEXPLORE.EXE	30
PID 472 wrote to memory of 1700	472	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\About\FileSys.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:472 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6c76add3648d6b89873d3bf8bdb7043

SHA1
f1f89968efb9f3ca64006cbaa07fd6cee18223e8

SHA256
23e030c7c503ce08c649d4652009253270387f607a3bd39477009661e36af37a

SHA512
307de45cc3403336db5e7869a01302c3d9d24ee63ce0225456a201b3b5f8414634d88b57e24fecf09f2e8a192226e086da2c7700d268b673036162fcd391573d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb4ceb48c005d11b2b7427e9c9f30724

SHA1
1613051a22f472b7dd01a995b201200ac092a7ea

SHA256
7175f0456cb527b2d70d88befa14cbc2039193fbff1a45b4e5ca8e737be6fca9

SHA512
3bfe4a229893f2903cced39516cf5a16292766c0e1edc0992703f5d46d2ed7e84248a8ed845a523f78362ece2f0c3f2d78d6cd0c1c8a732dc5418cdb89bba429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ae46c61b9171f13c356b22979f17cb6

SHA1
1e9b39f57b357a205e8384353bf216ccdd6caf6c

SHA256
2a655780aece0446c729d5a5f85fcfbd37ad8258533cfc3b2bcad30c23aeee0a

SHA512
9187fa701a082534a7d8b07a9dc0fed01af17aadbebf42bd6f8a4889023b212eab6d61fbf9d8ac875564ed3db0e51ea922201c3ae55e9ecc2589b1dbe484994a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d7dfca067b21107683464a66628da5f

SHA1
ac392a0fd19b35e2f66fe55e90eddc8f56e132bb

SHA256
69e0a85bf0946d0080fd58f70aa79b0aacb83b68659757607373f41976c6fb0b

SHA512
78911c93ed7c62cae15e900c17b1792213e556028dd4d6b2a84a84c3d9f6e63454a475e75541f6aa744709b2df393ce856b922490b75c95948dc8d0d3dab287b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13d62c0565c5a32db484b99f8f098616

SHA1
7260d5e739a950256fde55a94ffd02aece8fe0f9

SHA256
b6f840695679b897c0dda5187d7fff1f8be155fdeb0176921dda83213ca84683

SHA512
c2a74742b6f6dce44068a3430551751896055b642935e854a119f20b17ee1f22950f2cc430439c2ab0cec8a25f9876b960c4fa89357b15a4e4ebcaad62da867f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddca77a7739eccae5dfb8a7036fbac61

SHA1
bc993d8b381627574b4a5f18407e0778463c0647

SHA256
90ca94a7685ee7038834136551b12733d9f65ed32673febd21b012ad4929100f

SHA512
953e8b43cfe85ffbc40f8bf05156c8d35dcbfa1f4c708cbdb77fd79a2f953c76b567d2c72e422bceef1313bac756416ff3caed2753b278635179409b43740aa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c57261fd298ea3725d41cf7897f2f1a

SHA1
46850515b04c5d587892c556330b40fa65fa7796

SHA256
60084b91e60fdcdd7cab28855e5b4ce9d8c2933259473cacdb465aa6a9c0dcb2

SHA512
188b7793cf4b211230cad657babfbaf063f92fcd1effb6bdc4086a022c9c0135ef884dd9a8f31845c0d32f2d4bf3da4d4b99d135648d178d67366299afd9fcac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bda9f423c8928e82767c464992dc32d

SHA1
0fdb5396ead77cb3179e97073aebb5a10402c00a

SHA256
705eccfa1bc1314f4fbbf6e5f7f76b8e80d499cf47ee9745f988069ba44ca73b

SHA512
4aee4320692b70e71e51d26afcf1e032aa45e7cb2a2c5980caadec3b9c592275d14c71adb12ad9c5a88254ae2beff965c6dd5bc7e42ac98384202af318707d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ba7a87957ac3c438f7da37af30db865

SHA1
27090951d0103f34f5746a9f1f062013c446aa27

SHA256
c25e0c69774c246154489548317c872ce6d559166ae9e7eaf7f5f20a0cae4d55

SHA512
7ad11776ff65594cb7f0c9e55627cac248af66a4d7a3dde8953b97d8e50e58602c571776d4c08806c1621dc86d723de5ee41c6f61ff45e1a9c0bd0359ba1034f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1WCPJCZQ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE11D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE3E0.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9208LNCQ.txt

Filesize
606B

MD5
bd1d0a803ba4e7e481a6b2674b80abe2

SHA1
826804b46d9843bc15282daa78dd5a857f156c3e

SHA256
50fdddd1a2600d52ae0d838a4747b3ffc88c481d01b909efa08e7adf0f3e8f96

SHA512
7806b8fafe49309d69d3c4913dcfd90433294e041393a223e85dcea2bb275ba30d976b68b295dcd5f3210f2b81ac4dafa04c44004b749f4114b67ed19e5a4d7d

Download Submit