d18ce36f11639ee23464c6bcd75dbca7089a2daa322fbbf75fbd28d4ff6f9389

Analysis

max time kernel
148s
max time network
138s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

machine.xml
Size

33KB
MD5

0869544722561f5aff0eefc83fc7b001
SHA1

1e118f4b5c1c6a7b1858e3fccb1b1d1095561976
SHA256

ef9b9387168fd1dd6c996f96c134d9c44f8eb06f9587004bf997252a520182d6
SHA512

ced7c9a5363cabdb87b01ed6b4ca190a690640dddf5cbcc0438acdc611a8ee942cb6cd73c78d3fc2d59f70171f22ac832a10b1e23758dc92599ee24acd978ac2
SSDEEP

384:PbtltttttSRtNRtcRtGrRtSRtTf5Rt70zDgRt2Rtuj4f1RDRty6ugyunHMSeuWuh:dkn

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DAD4661-1759-11EE-8CAD-469C97065D71} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0181e5566abd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000c1981c6cebc44bea4ae3aa9334937e3972fc36e49e88007e9e0414485bdcd1cc000000000e80000000020000200000001db16f7bb71b9671f76c456ea29df5aa948a335a93912273a5d083315cfea7ce9000000014d7f08b34865e9e6ba64200257c722c9a603a723730bffc3c5515223dc787881a19012180de02a098dc42c3dbc9f83555a433270b6107dc9fb832327825b3184fe0e42a49c6f7a85d945f5803483f7de2bc3174686ee80eee32595e54f3eaa3cb0461e1d5086fc5d8ef6e25da78c123f8d278c2eef1c61069de0eb9a71ba53bc9ffe176853f35059747c2250b493d75400000002ada8d50b59b8cf67f7c930d0fc998c86f004c8eb417462b55c0ae026bf8386e0d4c51227be99e43ab55fcb1bb9a7143143bbdd71d8a29890073f7d82519dda7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394903337"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eba41dbc9f109c4eba713b962a4d0a4800000000020000000000106600000001000020000000a9a81006bc26598fededae94c90c18ac0b408603735ea4030151fd1ef62216ce000000000e80000000020000200000006b55bbdcb23df8181bbe916f606056f24625c59d835167042dfd7ae544b26f4b20000000159322eed56212dbef0777e7066dce4fa1fda36079c6b5a0db4db27ebaba41824000000034cbf889056059330d226cdaedf9ebaccfee3d72700bf275e5ffde87da2a6d4cbcb4f3617ce091ca53ae7f5a52aefcfc0b0f62d903d76d15a11bfbfa3ee275e4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
560	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
560	IEXPLORE.EXE
560	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1528	2016	MSOXMLED.EXE	28
PID 2016 wrote to memory of 1528	2016	MSOXMLED.EXE	28
PID 2016 wrote to memory of 1528	2016	MSOXMLED.EXE	28
PID 2016 wrote to memory of 1528	2016	MSOXMLED.EXE	28
PID 1528 wrote to memory of 560	1528	iexplore.exe	29
PID 1528 wrote to memory of 560	1528	iexplore.exe	29
PID 1528 wrote to memory of 560	1528	iexplore.exe	29
PID 1528 wrote to memory of 560	1528	iexplore.exe	29
PID 560 wrote to memory of 1896	560	IEXPLORE.EXE	30
PID 560 wrote to memory of 1896	560	IEXPLORE.EXE	30
PID 560 wrote to memory of 1896	560	IEXPLORE.EXE	30
PID 560 wrote to memory of 1896	560	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\machine.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09a96e0d000fab7368411a93228d4dec

SHA1
9b981bfd6cf9f3e3010fed9e5ee676ff1cc6d0a2

SHA256
6f5867798d4ad2b9854423f102f3d2b82ffb5eeb350306375f9d7427220452e4

SHA512
89fbb8bfd82db5e233f5d999b2864add7a81a3af1380851c1aa0804984f2e05f6b6900cf855e87e3cf51ef2e00fdcf7a27075a550cca973f64072783868bc15e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba0476b32b6aaadba4b93acad2c3ce1a

SHA1
6dd7042bfb2cf0d126116e456bde929c5d041916

SHA256
049976a7f7225aa23515086b5bff6d93a4aae7e8634c6da81413e317bb9f5002

SHA512
3a07833e3eeebe20234638a92eec01387bb8a32348dc636c44561c994bd61938c174337a84c888d40d3cd6c37e21ed9f79cffafe1e4a9b7c74445052c8f43dc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac0df73acbc360753f0c753ad71698ba

SHA1
22288bab193ebfa4494d804311a497809f321da1

SHA256
034740020f31bb93e23e531e82ebda14ab0862a944a6f2576fdfa4139c6228b7

SHA512
8ad552f6a54011c93ed4e31e2d9a74ae41762ad07b23e75621c52437ae016fd10f16fc02b1d59a7170c8427a0e70018c70bcff037fcaec27580f506e9d144d69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3223a4953ab123a114bef124a00959ed

SHA1
2392ba65324b30c3f6d943da1e426350d31dd935

SHA256
ccb4300a33da2b23ff4ff380f3329bad9a8081bf794eb0cd9bbf914a4d0cd436

SHA512
122354f5876be071f5def4f798b58a5910b8ef61e0385c9f9ecf7edaf5b7145fb08b951957171cb3e68a4b077f3a244ec9e682e01588ef9b35a06c55f475d7ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5d5a96bf68ddeb03d3892134ed89280

SHA1
4d85e7606e980eb5eda5f2429d06ff3023e3fd9d

SHA256
9215670e87ab995ec19fea5ea8a1f5bd720551f0f04c295de8dad28042880b9a

SHA512
e81a0a0dd7305ac29b8ab87c70cccc2160c83ec3516f23c87a0c8325204ecfa84c8b23f0d509e17691a4c15390a62d0f2e044178da62e0e46b04ff8717c7a61a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ec5b7038376fdd8d72f088c053130eb

SHA1
af62adb3a4725cdcd568a654db9317721b7b4b51

SHA256
0b9f894dd2106f167b2b69d3dd70d91aab4fece9d2f0640d7ea8a38de7f078cf

SHA512
cfdfa16088af21f4dd5fffd186d407827702100249ce868347cd8cdc0aed66badacd93aa6733fc6ee6404e33c8148dedc6edd0d3cecb19f15b1a6d7a8f776b65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d6b6be15290363d5b9c4ab34734f7b1

SHA1
4e571e60ff611d4ebe267d84f060cb42e7bfdfbe

SHA256
2c6a49f3173aff9eeac94e4f33f1673d923fe454b1f6c1a14fe4afc6a07aaf74

SHA512
a4f26cea8c8954e6c57b0ec58e44236dd54eef08902326504425c3af7edbfd84c3fe1a55ccf08be106342785fa933420a72912e648aaf9ec6a494922a46a6546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZT1SZ958\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D3E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7F16.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\G24OW77F.txt

Filesize
604B

MD5
89e2fa5bf245925d033f60b1d5902620

SHA1
3520c975b24b80a1805b2514e2da035cb2d48d60

SHA256
4010562c49f96ed676d918ecf6214e7eb725ea1e282c2df335f89fdd68d98af9

SHA512
aec71b16206803e04993135d4c61520db29ae1937773bd6f1f4393016ec7cf3448e28780cf8c52213c757cfe0585d4c37f1cbb2554778fcdf54ec09cfe7f4f49

Download Submit