822f1a68300dce01b89812fdfe8976c355e6fcf40c89d654c0b48602b72b0ede

Analysis

max time kernel
100s
max time network
143s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

web.xml
Size

18KB
MD5

08101241b15b53ef0ab908f6d388881f
SHA1

ea3e2ad6d71d483c54b12852dcbdcd0baa569988
SHA256

15a2c7a9242bf54d3ccb3e07fa6d8f84ba8b303d8877243787a1103009941bdb
SHA512

a1ee7f17bb069ac42483d1f98ca839ff1bd06f3fc15cd379dff4aca3732a5dac24dc17e15acc8f8fa39e60e186219f4fd70664f9ea284002274a4ff8609791ed
SSDEEP

384:lJJuAr8F1mJ1ayCk5+HK5YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbpJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00be31435aabd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a48000000000200000000001066000000010000200000005f069275e71fa1c5da33d51f6868720a0c63af4c7c17ee6803d58386d41d6743000000000e800000000200002000000062ef4e73925005f6daf97b9e9b60b8ae8f0c65c6941290eae83b956eac3e837190000000b9268c59d3a580610f1a8d9475252e79e51be4eb26731460d00b025a9fe1f6cb7697bb7c3e0f7b1edad60b5e0540e399153e5830de0563d9757fb9d01badc2f841f28f42c8c42bbe3681f586119f85ed773999ea4c4222ce0adf507d97fd515d0aed073b18e5c8249cf70a82caab5245fd1d3d8435634c3ea814a4432cfaec0f5a87c31c05b9575fb4286764961da1b4400000005cc8ec98d274b3c5b065ee47b7c935712ffe771337a4fcf6383d91dcf96a528d3007608fb8b64c342c9a9d7aa16dd80586782d3803f13fcc45dc3f03fdfb8469	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394898150"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000d1d8c1a9d84fc679d1cabe0cf058f926381c1aededfef5c1d72f87c8f02416e3000000000e80000000020000200000009271ba5a1f5bd4c62b4884c2fc993f6a377ec1f621a3d7825fa720ab1dca02212000000069e20032167a0d62e7064f9c1839a3aa478a047e490708563bd386c77664efc0400000002b413855b2be98c91c16672ec742c8179afc443cb38b0870ef88835380d6437f3ee28b3e6905697e13e59bb327422e27fa801575962733addb919ae4c7af1995	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{69FC5041-174D-11EE-84E4-F677B60E9451} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1276	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 432	1036	MSOXMLED.EXE	28
PID 1036 wrote to memory of 432	1036	MSOXMLED.EXE	28
PID 1036 wrote to memory of 432	1036	MSOXMLED.EXE	28
PID 1036 wrote to memory of 432	1036	MSOXMLED.EXE	28
PID 432 wrote to memory of 1276	432	iexplore.exe	29
PID 432 wrote to memory of 1276	432	iexplore.exe	29
PID 432 wrote to memory of 1276	432	iexplore.exe	29
PID 432 wrote to memory of 1276	432	iexplore.exe	29
PID 1276 wrote to memory of 1600	1276	IEXPLORE.EXE	30
PID 1276 wrote to memory of 1600	1276	IEXPLORE.EXE	30
PID 1276 wrote to memory of 1600	1276	IEXPLORE.EXE	30
PID 1276 wrote to memory of 1600	1276	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
325d7428e913b3cb5c511fc7a29908b9

SHA1
05508246daf54d65adb2cd4facbf11527e587a58

SHA256
295a439de50976652edb4fdf053e4353375bac2fc5cefc5e8a3c7bb2c8c19738

SHA512
bb27808b08d52add7075dd01965e2d98456d63233af10767de96ba7a712145e24107337431438b89811dea7447e8549b933a89964cce81151f78d44dd3ac038f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06cd3eda56dfbcc83de3ea073471e74c

SHA1
bd74d7063d4fa5af069f549cb815205d3f845df5

SHA256
0dc4d939e11661697afdabafca5e630248f2e23a195517b9d8e82133d870745e

SHA512
67364cecadd1df5de504dc20fc1695476b0641499c4ef2689d2754712629b3955907bfd3c031147fca8f39d145af18db544470975c55093c7e966fea706736e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a166fd8fbbe2bac26b2d7f63e27a2201

SHA1
5f5c73a55b4f1e595c5434e9aa7c8398ee3248c3

SHA256
1a51f9b5326732533f087fad0e9e0c3dc8f1d544296dee5c4fe0d29665723340

SHA512
ee83a4f241e99132b7f853c7c60616d89086e17a60966fd27e77e55cb94a2289c9be50437645f04c75ae7cb248d3dd59a96122fefb91847ad906244be073e3bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7203240cb4f0507d0fd4acef4e1bb368

SHA1
b492d8ac091ee68bf5cd842dcedb299467ff3835

SHA256
6546219196a2e913a9b635251d52304832c11b71285434de9285c8ebbdcb277f

SHA512
439ea7c0f346591ce9ee1b7091358d4d638ddcf9ee4ccc47ff704cdd82d6dc1652aa2ce02d502df3ca3da20d4d32a431dca7f7c4fc1e5db3293a051f185354c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17d84cd1e388e602f51cb2071b318ced

SHA1
ad09854f53fc9043947463111134bb484c078b79

SHA256
1c1fc5ac01cd068032f3fc1509c4992a1706cb4409b8bc86a4456518d9f92d4e

SHA512
566838b0117e711629170510559cdb3edcee6d0e1320dc8a82b814bde987b49ea220a713c3ea4dcf8089166c73a223f93044449a71b77bf3719202c351e6b135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dc4f7057bb0e97bfc3de80cd36f1b80

SHA1
2d772367cf401991feccfb0f102ed0b08623e01b

SHA256
cfcc12376987f5bcbc043b5f937d99da3d9c49fbe0ffed35e65f5b8abefe723a

SHA512
ca3922e90ea9ba864f2867199f22f2264cd717b03621cb9d16fb8ff7fa531a6eb4012dcf85c8395375a05153cbd4ad25f29d56425a2293655c75b725f4ef93a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db9d227a33157905c411e91578ece769

SHA1
9decfdc2aafea7ef060e6f695f7fdc90228c3fc5

SHA256
85126fd33f350cd3aa277851d0d7db9ceed841952bbf76f61d92f9d45ed36c2c

SHA512
621c95d6a0c9217961d268c07c17be928ea1c3e6604b5ea889a99bafe5e2459a986852e4d4c276893d0bed785c982a99c4f0fae4aa17d62a514cba3a1b9c7de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
635da9bb1ed8e93163f01e40d1c2bc4f

SHA1
24b4b090e8517573b7229a44d58895fdfb10868d

SHA256
8a296b0bd62c07abb99f4693c1eaddea6a264f0f632b23839c06693748aa26cd

SHA512
5655679fe5f95d9244ae865255459ed8b246a460b2595ba53a1ec5041a2f490b8f14910181346bf8c71d8bb4d09461f283e73c1d623b4ca5fb97f9fec016ba4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7d08c06860075b040fc1e1f6b4aae83

SHA1
028c4d1d98683f20ad0cab4d64c2b0b435ee6e71

SHA256
39af1d972de36464ee27aa649885c12d4d54ae79cd37926dac716849e81593e2

SHA512
7d938e0b66b22b3ef879c248737ad7dd16b1308dd8c849949f43100e84ce4fa686db0a562440b1bb3fab0e9e099a05c1198640881c8c223313e1526bdc222cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZT1SZ958\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8BAF.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8CAD.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YKT4A6Y6.txt

Filesize
608B

MD5
b2999574047ab360428ddeff01a85809

SHA1
8a848bdb7a9cdf563c89defae9fab6569d0e3799

SHA256
deaf760cf5c4b4df6035f9ad9cafaff1415f1dd9b679ee162d28a2fa6fdf9a39

SHA512
03d1597f97db5c0ace045dd267fee164932579d50bd6add765db9d684f7325cbf0a62c32c797cd684892d51ed497e8ba81dbd6c8b0fb77bb2cac20dc409fb173

Download Submit