d18ce36f11639ee23464c6bcd75dbca7089a2daa322fbbf75fbd28d4ff6f9389

Analysis

max time kernel
145s
max time network
139s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web.xml
Size

18KB
MD5

08101241b15b53ef0ab908f6d388881f
SHA1

ea3e2ad6d71d483c54b12852dcbdcd0baa569988
SHA256

15a2c7a9242bf54d3ccb3e07fa6d8f84ba8b303d8877243787a1103009941bdb
SHA512

a1ee7f17bb069ac42483d1f98ca839ff1bd06f3fc15cd379dff4aca3732a5dac24dc17e15acc8f8fa39e60e186219f4fd70664f9ea284002274a4ff8609791ed
SSDEEP

384:lJJuAr8F1mJ1ayCk5+HK5YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbpJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7D2BC221-1759-11EE-BC70-4E9F0E677C74} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007d43243bbdc854aae23aa742990f40b00000000020000000000106600000001000020000000b3b31f072ca76a3ee149f6ba484aa90f6db20092da823c51b784f5e32e71b0c7000000000e80000000020000200000000f71ad06aefaf3846524ce04d768ee62d5e9a412328a960f429d0e2f057811c420000000d6f5384c02b19203aabd8bc0c229c0bb4b455196dbe76785b3236c5de850ad8840000000fc585f0e23638880c1ef834d19a65bf431e2cdb63fd36510619a99e243905ebeebdace08628b185d3cee849c6c016ad50d37b98a5328c262715bfcd8ef242c9a	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394903336"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b048025466abd901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000007d43243bbdc854aae23aa742990f40b000000000200000000001066000000010000200000008370eefbf24603766d54bd9489a2e0c6adfcf8d7155ec555a3d78c8da2a1d70f000000000e80000000020000200000007ac9967e80b0092544ec0547872a43c110fe6e90b26947a27af6d84eee7f6a8990000000af8d3f3fe820ca86f3aa9f5457123c5f10c5dc62efeba4fec4eb80b9f6e7ea50971cc29b8ee737a539c2ecaf4523c463c9b2d9606b27824f9cc75c16af8edccbbc5590c458195bb3c02db964267cffcb4d6ca54d4a17ef2ae987a30a866a59ab6d1b4200ca64cb93b94438e097ca9144c7474806ac8f99cb438178f5f022fd5b38955cc5c2ef3ffd4b1ab8597679922f40000000af2d5ec14d5b4a3ba252b9324bc0a6e184c9fa855554bd9c9d56d918d8199151f7a76eb3a48139d4449c3dd1e4a7b0694e9792c859f65a48759430793d571db7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1156	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 524	1608	MSOXMLED.EXE	29
PID 1608 wrote to memory of 524	1608	MSOXMLED.EXE	29
PID 1608 wrote to memory of 524	1608	MSOXMLED.EXE	29
PID 1608 wrote to memory of 524	1608	MSOXMLED.EXE	29
PID 524 wrote to memory of 1156	524	iexplore.exe	30
PID 524 wrote to memory of 1156	524	iexplore.exe	30
PID 524 wrote to memory of 1156	524	iexplore.exe	30
PID 524 wrote to memory of 1156	524	iexplore.exe	30
PID 1156 wrote to memory of 668	1156	IEXPLORE.EXE	31
PID 1156 wrote to memory of 668	1156	IEXPLORE.EXE	31
PID 1156 wrote to memory of 668	1156	IEXPLORE.EXE	31
PID 1156 wrote to memory of 668	1156	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7eadae83c3fd1d4c26f17299faee4eaf

SHA1
37d7c9a964843a2daa1f92f7931d30a671fe7dc0

SHA256
afe3e85639dae413f988e90ef9759a28e5b0fbe601e457df1b391c5a72be2f8d

SHA512
c31d7306c6487616c3c0aa82a7819cbdb886ded32b99691569ce6e856397e0f8f2fc8ecfffc4bbc55af80fd57ec05685d777f006437a5dfccc33918c4b51a73d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2135ab10ee57b89c48c212089827153

SHA1
2ee4f7fd378f9491baf2ff42e8d2888ea3b5a386

SHA256
9cd5e827e5f569f3bc8d34528162067c75557d78dbca63e484dcfe49a10a0d1b

SHA512
e6af14ba2a934de9cd89e6902fe40e55f6eff6732eede4ff1dc424935045692374b6c31bc5c9d906dc86197d32eb9fdaa6784532956daf1507a97622af3daa65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0260c76cc53d277c0f4c5e164e1aabd

SHA1
92e8ecab9f8d4c42f13963917b170978080e0726

SHA256
2a6aab04dc31063f88360d3a88ad9f8d443c4ed39063e104375b959f8a096f6f

SHA512
2d01a16242470cd4b419780a3d605696faadd58a612d6f7c284889eeb2c597181be69a8a6e801f523719a2f44701cb86168edd4a61d81bd5f310885d4914dfdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
915923ec532c5ffc0d7a2759d10c5a1d

SHA1
98d037d0c5d2031f484c8672700c5a9b93a7798f

SHA256
8fa7a1c0b417ffe760069cdbb605cd20d7766288d57a09045ef499218aaa4378

SHA512
1f67aba4e43406d85a5e3995a05d639ce0b82e9147d5b6179bc20283d898e94dabde8b018c0f79cfac24fdb52b849fbaf532673de60f6dd58c7d714a8124f40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f6917e00f559a94c20f477777d9fa57

SHA1
eceb25b832f7fb729ac204cce74ff976bb69e4b3

SHA256
e14a21bf5899998aeb37078f32b2388c8d4a75c56faeeaf5c7071468c154a4d7

SHA512
bc3bf20f7d44c42d6e2f13c64aecafa63f08782de2d9c569380bd2c548b963977e093467927fcfdef21c9e799208faa3a30c246583d6c7355c95d2518b00011a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
697f7d4350b903af2411da67cdc6e09b

SHA1
cf6719e6b14a175e6e17d2951f6bda744cacd613

SHA256
eb4399048d178b1232ea9d66cfd01ca86721bb0b806e4e71048fc1b08f2b99f1

SHA512
d6e899d6e70db1964c488e6c98b0f6e468c2f92c19c252adab6db45782a676f1d2d5a020ebd2b228202e3273d1b7f0a73ebdea4e083ee02fb82d0366a654319f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87df97903b01ceb9d93d2837c9307e69

SHA1
295c83dfdd741f43580d0bd7406a2b3607ba1ac1

SHA256
02d054e309d99879da686034ce5b70eb077035a936af7e10042920b1103a5210

SHA512
668982da205f98c98f57fc41900a21a5ca8de5158ebacad37da3f8dcc6ae89e79f70cc28be07aae5bba53816bce0711bc9d763fa176ae754936693649d086a2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3dded9f1b71210cce5c68e4e46f84198

SHA1
2346275575fb045e550d33d66c5f15def6e3650c

SHA256
9fb3a41c2b4c6aabdb66b3bf7b10c2d9aebc5f784a901f921a5c5ba1aefe4087

SHA512
bb2b2a2c0a80f08b6b768563a995ecbdef3bd50d6b5f36e2fb6cb78066ac6ebe15d8d63c44a12578583b9a5c5af13f6b32d3c57b79094b88509c1ced8d29f3f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6909a584d8cd4934ad0c019b3a44874

SHA1
b5f295ca7f893f57a7dc9973a90d375c959a08b9

SHA256
f88fcd2efcdc4b7691c24cb031acc91b0754f02275ad6cae081969ad51fcecd9

SHA512
3478bfa5a8aaa669a0b7a347f3e96caf449cd3bbf26f6e764b0e1ef37e58044d014f7fb2fa5848ce8eee3a276ff972d1a53fec59c50950b076a726045b52456f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
729c19c40e092251ed54a04b50098036

SHA1
8b3421e439bcf9f0da3cea6507770aed6a8be36e

SHA256
81d4588bb7540b1b8a2f3d5efd0c018f6a26c33d0ffb06cb772d1360226e5d5d

SHA512
d1c615d2c534d4cfccf6abdb94d5c9e7aec85dbafd722b031b82b5885f9a5614dbe8f4105650f579984091098a9410f55aed68ba60bda0c289e54e52f542c764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9STJGIJX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab537F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar542F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IXOR08IJ.txt

Filesize
600B

MD5
deb3da8958b376c32726a12eb2b05f90

SHA1
1c59c95535c8247bea9fa4cb6e98d6bcbf051c38

SHA256
a01ebd80616273c27edf9d4ca21c2d69a2db112a56532e4428acf29bfe76d519

SHA512
0c4dc1ce5f09c5035339486fb1b02a8438058c67d46121f1cd3484fa8bd9b6f74f966db9ba7a46bb0d07a3ff87524019b82de2c72a4e4a3ed4e5657b79298d74

Download Submit