8a15f942dc320c465a63dd15614dbdb659b267a29539f807c93f2ac66f5f0fe6

Analysis

max time kernel
105s
max time network
151s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FAB-blue.xml
Size

1KB
MD5

beeb15f69eb7675da389dd2a7d25e61b
SHA1

9b175d994ff139e6079aa83e8d32cd97f9799ff2
SHA256

3eaad41cf652ff44c03f0100b20dbf00d0bcac736147619fe9dc66050095a1f7
SHA512

5c711726090a1b3791a62fdbd78683caefbb056a900598a67851f1e1a89f0f92ee1e8854c3875a141aa958517be720c45f1c7411089c3adf7367f2e11076d04e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA295411-17AE-11EE-883B-EEB670E095ED} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ddbc2eb40027547a7b75ae262b677ea00000000020000000000106600000001000020000000080faa0dbf990598a4ee905b3bbffd2a46dfc4bfe19550741e9c2966651fe010000000000e8000000002000020000000fc1cd12dbc551a5927e5af0081658cca3dfb0bbb4bbb4a3e342a9ec32e22744690000000302875f3d18af1881c6f9bbeb27706960777cf97ebe1701d56cbd2c27dcf55e98467278b5cb24429e9c0b9d8a9288be27a0dc05f3255bafbb4eef23e93ac9af6a3cedb221ac11b0b47c70816546e7fb58fc9b1e7dbab98adf439733b8b78d6a17c91c0df26e002d9ff7492ee84bfee777da3fdc92e4e32e17d674f8be2a5bc7031b871e542038e6469faa2a9fd1a471e400000006b0db3cf9c770d2cc2d6b4ffcfcef18f7b933eec0fad3f5a87399f79ebdf8bc9adbc9320fa2128eec17aa41082ba6846c42ec7796db5d5947b55f9cbf67f15a0	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002ddbc2eb40027547a7b75ae262b677ea000000000200000000001066000000010000200000001345c274229d4c7504a8e4242e3dcd5d354ca69dd59c59f115d1ff841aa31587000000000e8000000002000020000000dd4351f9ccc96e87471ad63b25d34cc73faa184c0f87905a388f55203a177cdf200000003780390d13255323af568c109c00252fe83abf7d75f6f64695bc51f9bccb0a0140000000f3673c76c76437195fd2b8512e5bcfd157a4fd3bd4657dc43d15bcc4f209325e2ef69791b9109643cf410503b8754ec90cfe64cdebb4e5900db0a5a49537bb54	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "394940000"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206b22b0bbabd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid	Process
864	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
864	IEXPLORE.EXE
864	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1824 wrote to memory of 524	1824	MSOXMLED.EXE	29
PID 1824 wrote to memory of 524	1824	MSOXMLED.EXE	29
PID 1824 wrote to memory of 524	1824	MSOXMLED.EXE	29
PID 1824 wrote to memory of 524	1824	MSOXMLED.EXE	29
PID 524 wrote to memory of 864	524	iexplore.exe	30
PID 524 wrote to memory of 864	524	iexplore.exe	30
PID 524 wrote to memory of 864	524	iexplore.exe	30
PID 524 wrote to memory of 864	524	iexplore.exe	30
PID 864 wrote to memory of 1624	864	IEXPLORE.EXE	31
PID 864 wrote to memory of 1624	864	IEXPLORE.EXE	31
PID 864 wrote to memory of 1624	864	IEXPLORE.EXE	31
PID 864 wrote to memory of 1624	864	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\FAB-blue.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9495a83b2f0a1a6086dca718275343b

SHA1
79690ebf6e0f2300e356c19104c58aaee99dc6d9

SHA256
39c34e0317a50bbc15a6099cc71f324e00f43c275a41c8ee5a364af7c960602c

SHA512
a1cacd4ce47e4530ece73f31b132e8b4557d36b0a298a4b64a8b50ce0956f3ffaeab09cff5e74f1b621dd714c44c3a25cd6b04399b9cf47676b9250f8aa35d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5016b963a97ce8fea9aee3f165ed85e0

SHA1
619cc6c799518e545551f1ac3dfa80705fc6a2cd

SHA256
e365418ef4d233fee4d7de142b9b037a9bd19d4eed98de9f26a768b4f88d5744

SHA512
8312a182f8d05efe09e454819c9da7462cd05208fe859f58e53991a0a58a4432109f819f406721cac037c88868135617f68cedfebb6029fb62718688a5eeff0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
386411a22245970745a05a67a32e0d1b

SHA1
ed99233f064a046c3767456ab22ef2f27acaa7e9

SHA256
35aa905bd821ce31dac6d76e30310ee85b3bbcc8c58793e9f751f36751ab9050

SHA512
37565e8841148d16ca3ceed3542eb60274cbc52dd4a2701b08ca5304fea2c8d8a6cd8ebbfb940c81a863ba86e3f4ccb61d8e7b32a9e66e899b141e03d0a9860e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a08c9af97d1bc3f1017c60e4053d7e37

SHA1
cd0d8202fe7076b29b16b39ac0a918d786466fec

SHA256
69bee230afc926c52389da758b0d00d9f3e2b07c164f11890135c1f4fdcd05f0

SHA512
8c5e5faafc28af7ae692392c59fc1c973e9c4e1c80a1bb37aefa813a1fa7faccfc40ecdfe6b44a2a716167974e47bb183bf0050aa02f38938890443be167499e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a2a999900a0bf8bd88760ec97d33483a

SHA1
c0d3afac030a08faa4bc4ec0fefd6baf1890469a

SHA256
1760c323cf970dc32a4cd36a6744cd40edbc3d228c147f0d06464b7efb7462ac

SHA512
d9152faf95396315ff280f04bc196cdcb3093870dd5337a6c0fe1650cfa1b9ba4a0aa83c8e459c4807ad3beaca1cb851db61be6e17382229938f6d016b884721

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79d86c72841ee58d23925fd382139e70

SHA1
df3c751a2d51304a374c1cdab58699e83343729f

SHA256
c061383119fd9171842a75b53e5ecdfb3b2291f7ce8654eeae88dd661b29372d

SHA512
0297953ca1c6035ed3857004f5c12fa8120bbe431809d102b8e467d30e5cbdd2912ee73ccc2f30735c221f8bceaec75c38a5890a667d67539760f2144855f516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77204fa99e9b0ec3081972e237e3c834

SHA1
b771154540f89413f8460372c5970c9324659215

SHA256
365ed2b1e9896433b409d24796cc7e55f7fb8bfcfbc4894a61f8c8ccdc4862b3

SHA512
2c22f84c7f9c00e11a51ffc5a5ce0fa0056db3035388211881e8f97add5d0cc4a6c035d41043b9a49ecd7719557ddbb6cd358095e90e2e4cc7e9701b81cc1936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPQI3YTS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCB9D.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC4B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8XXPO1RZ.txt

Filesize
606B

MD5
613ef013a9c58e12c67c8275c27fe46f

SHA1
3156953da644edb16c7169869f1b1408ea3d45bc

SHA256
8fcae465655e267782f86f822294c98dc3e486f0bc501017717310759aa3f0cc

SHA512
167b325e42ccd707953d41a55f60e62c953e4bf9eede216e4043b642dc00b34821da8fb705e64da5a28d38fda2733da00a6889c603f813c1e385404a23d311a1

Download Submit