822f1a68300dce01b89812fdfe8976c355e6fcf40c89d654c0b48602b72b0ede

Analysis

max time kernel
100s
max time network
139s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

settings.xml
Size

2KB
MD5

ba17ade8a8e3ee221377534c8136f617
SHA1

8e17e2aec423a8e6fb43e8cbe6215040217bb8a3
SHA256

ce1db1ad8a9512073164e3eccdc193f7eda036e1a9733caec4635de21b2865c8
SHA512

c18bcbcbd4b9a20a72b1a934d70db1eafef047f34f3ba2c6357d8e3afed07ecaab861e5571ceb58c22d4d3e5ebb34b51e366a0553c3153fbc263d1d80472e297

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394898146"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000076f5b9ef6ffa2e449989fba7f2481cbc000000000200000000001066000000010000200000003a6da12daa181be7589c210d4aefd3fa75be9619c4786e34d4e72687e8846265000000000e8000000002000020000000a2605f971807edafffeebb3edb41230846efcf9beaf9c2c827a62047bf852d3a2000000069fab5cc865583b61b42ee4c4f4dd6c769c682a3458724a86cbcdd21a767b1a940000000765a798f4b3b678d687b977575663d41e88cbe2d1f2cf63503237c3dd527727e21e453f70596da9398a10d2d9da033102abd9bd0c1584372a50944689706ef22	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0efbe3d5aabd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000076f5b9ef6ffa2e449989fba7f2481cbc000000000200000000001066000000010000200000005a7c1655e3cda1d491910cbadd14c6da49c54ae2366230209fda8abc92ab564d000000000e8000000002000020000000b8979bc4d1a878ba8979317c79c78106a7382a3b6f904374815e26093453e565900000006c57eab0907c69c4f8220aaa93d8980c7fc94bdbdb84af5dc0459a7922b674ce7954775b201963f28b837f99204a92e9d41ebc96f89329c05452541347c58ca648e9177b6e4687dfe3089bfaff4bc7d9529e5815a6716c1c6f79565cbab5979bfbb72da91188ba948e33a43b8239b9dbbdf5578f7e2d93a49d6a632877473d9706c7f2ce580d75d3b4cd8405047b14ed40000000018775d9209f3eaeb13029f698e53947ef08d5d1ed322ccf3cd12063aca851e7afb03d9a94f2b7fe73223723b345d24c6770a283bc909a64bb04c98d26ecf52d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{671A6601-174D-11EE-96DE-6E38A193C231} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1468	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 692	1732	MSOXMLED.EXE	29
PID 1732 wrote to memory of 692	1732	MSOXMLED.EXE	29
PID 1732 wrote to memory of 692	1732	MSOXMLED.EXE	29
PID 1732 wrote to memory of 692	1732	MSOXMLED.EXE	29
PID 692 wrote to memory of 1468	692	iexplore.exe	30
PID 692 wrote to memory of 1468	692	iexplore.exe	30
PID 692 wrote to memory of 1468	692	iexplore.exe	30
PID 692 wrote to memory of 1468	692	iexplore.exe	30
PID 1468 wrote to memory of 1696	1468	IEXPLORE.EXE	31
PID 1468 wrote to memory of 1696	1468	IEXPLORE.EXE	31
PID 1468 wrote to memory of 1696	1468	IEXPLORE.EXE	31
PID 1468 wrote to memory of 1696	1468	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\settings.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1468 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f94d9bd5ae2da491e5a9af478d2e92fd

SHA1
65f7cee9cac5576d4f68b5143a2e64e65e75a7ab

SHA256
04edb63665b51e94be3eddb2ce6bb08d28b48960037bbb85bbda50696dba7131

SHA512
5405131c1637b6c873c7ed16ea77d39bd0386ab5eb29ba5336ff8faac3e99684951055f06be6a4a5d1723db561d9d38cd6c1aef6ad13102cebb9693756aff873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
211054aedb4cda1ddb314ab937462518

SHA1
5318689a9e1fa10cbd6d3db50c6dd10834fc64d6

SHA256
cebf190df460f3914c8a3208567f63f90e38b034b934cc815041c8f546fe60de

SHA512
517a7020304553d7aa0f6229d8e63f6581a7c63a99b70edd3857e1b267cd69dd285347e9b87638d56b9de2bf580d5608d04ce79c90679aa0bf73c6f5dd9be504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af7aedc80ec35481fbb6a9e0d121176f

SHA1
16494d6f09ce67d0a4dd3437b986230f851f09ba

SHA256
7d16baf6ec4916bef4921a6fbb38a83cf999298680c94299ad2d225a9b371ff0

SHA512
bbb25d7588a04c042b3b8450a515f98a2155cc422e24c3f9428cef83049020bf059a0acf9e2006af8f247017ad9a9909758cf2ea9cc003b9118e9d4aa990252b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
906d26602f7c6f02d0bf787dcab9e3b8

SHA1
f97ee077073dfc8454235bc9db799fe5aa914085

SHA256
c56ef1a901d63401be86f7bb1e5d6cddd655a419d2a76ad967095eb6999b68ac

SHA512
0f4b07c4998aa0146427f43f6fd08b819aebd85217106eb92e026e1f7bb8b2359c36f640bb62200fb7fa5d7462bcc3f24de8face6ab91aaa9a8b1c6caa1da5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f27bedd2be827e1f61cabea7c27236f

SHA1
64e966684ea6e3070db4d8b2ac360fc829247274

SHA256
c120bf2c7418c5f749b8d007474ea9e90c901dd89a999db9b6b8bdadb3c197de

SHA512
20905177a5842994c5144e808c506c42556b9d92a47ef050d0e3e25aa89388ac36d8f7a8797c1817c3465a2a57a6b62e5401f876c0b38dd39fc2279a46e06e10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e92283228e21b0350c0f8822d90f17a6

SHA1
c2871ce24ab8af9b3e58de8fd3d0eb67c28ffff6

SHA256
c8f2ae1bd1c1f08c0bd36835e8a5f5ed10532f68c5a830539e58be863d5108a2

SHA512
b6e4bf26aa1c8b5f3606fcf4970b9bd19b646dc3b56dd0fd878f25ddf80b6701da019c79a8010ae6ca24b43a4c4ab3db21c22323eec5172e057ff98a39a78a08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82e3f4c7a6e8ceb27a4f04110ff169e9

SHA1
e89dcc11932b42a1151507da65a4eb68cd7f55d4

SHA256
eeb68de218207ea2f8db82c4aa33410c0efb1f5e2d9096811996a696e1f38704

SHA512
69e29f361ff8a4e9b5b1f85b878bd90448c0f3a1ea6595f3d34ac6e57444f3da86249ec320e991f073b3c19f4886ba1275fb1744baf90fa5225050b9292d2c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3f1a43779998d1d0be627d05d9b34b8

SHA1
e0772c56d0964dcb68f9c6c75bb7c1870c3fb3c2

SHA256
9143f5f758353dede2de0b365c86f64f3057c7cd477e6db70d2d31bf7b026605

SHA512
f95257af072982d0277fc86867323c6c8439c6a482d3885fa76eea72b8fd78f521bca1e4dcdc4638c1b53d4a4b3ffff3812eb75e7d07d4ed03e5efc7212935f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0ZGWADP\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5F51.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6243.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\36NOGPIX.txt

Filesize
606B

MD5
e9e388d4a87fe3113abb2768b35fe1d6

SHA1
e1aaffcc6ca7071b0e8b263b2c39b543bd8ff7a0

SHA256
bf1c8e37db22469fe4510af5d1aebd00d0dcf24a6ad301baad3103741fc1e98e

SHA512
7049e6f55f11590ddca8b6497128acb0c2b345e07ce1e9f6d238576465905550b8fcd79d7f11baf832d2ac6ed84f1c54c5902e06964be112d61789b44df67ac7

Download Submit