229dff2f805ee436aa067b023ee4dd9155bfd8914b575c80042193db59d3e07d

Analysis

max time kernel
99s
max time network
137s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_dest_bubble.xml
Size

1KB
MD5

5a1b792bf859e656807fb87228b66416
SHA1

21612430725df233bd8bd7e10ae17a33a7923429
SHA256

07c9841559f933977b9448e4ed5e18e3000666faa8768526136bccebefe8b104
SHA512

e908a8dd836b51193f62b60eda3a5371cb9f2548e0b792e90fe624e012c7d64c20c987ead14f591a1e59b7786eec31221f56148447ba8deb53082c7594462b25

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4e20c56306bc849bbbf82eb036fcf6e000000000200000000001066000000010000200000006f1731744f6c27d0a3a21962d95ef8ffe912b534733f3852707d8c6221e75076000000000e800000000200002000000025c4ca5e0344dfd037caceb5f257f6b5a46adeaf6618776c9a3900a24b1415af900000001606e1c3b14626e03d55c300674c74e48e91c6c23f285f4b040e30f407496cf298ac2dc53967a96498405fed17679f31ee1cd72aa2003f6f71d2dec609a5ff9f2fc41a692caf356eae85b8ef96e4341cc2007225a9d65c5bc86d8701cdc427547af7e4a01d1730298b224fd33d1a7b3e150d30d1e89c87532b6c9ab394977fcdece97b8187cf6276d0d8fd6a66c223b64000000092a8c2651ad18e64afaad86c9b476a0e22c97772778c13d3a0d94917cd95607f539b6ee6bc409bea69350e3d0f74d5af5406ae32d05197ee9d5e75629f5504a3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4e20c56306bc849bbbf82eb036fcf6e00000000020000000000106600000001000020000000814e6360b5d91a5d7c9fec118cd6a1a781414b24cac5c36cdab82bacb19ca492000000000e8000000002000020000000585786cf2ca6c6a6b0cd789e6b2e76c1489a393cf03c21bf95a5b20c96f6ddc920000000c3aa5d3cc109125800cbb8124b2e98bd599d86e2f0576915286c44da114eb4ab400000008e9eaf3db55f3b57c7707454b82a43cede801fe92a383e88795d1a5ff8ad6532b1452c69d264b92f1a63db276821a4c9862d54579074ff65a2b93a9ec2f4e66b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395245074"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307235fe81aed901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{287583F1-1A75-11EE-AE05-EA6CBFEFBD22} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2244	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2192	2404	MSOXMLED.EXE	29
PID 2404 wrote to memory of 2192	2404	MSOXMLED.EXE	29
PID 2404 wrote to memory of 2192	2404	MSOXMLED.EXE	29
PID 2404 wrote to memory of 2192	2404	MSOXMLED.EXE	29
PID 2192 wrote to memory of 2244	2192	iexplore.exe	30
PID 2192 wrote to memory of 2244	2192	iexplore.exe	30
PID 2192 wrote to memory of 2244	2192	iexplore.exe	30
PID 2192 wrote to memory of 2244	2192	iexplore.exe	30
PID 2244 wrote to memory of 2028	2244	IEXPLORE.EXE	31
PID 2244 wrote to memory of 2028	2244	IEXPLORE.EXE	31
PID 2244 wrote to memory of 2028	2244	IEXPLORE.EXE	31
PID 2244 wrote to memory of 2028	2244	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_dest_bubble.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e67041f5590f62b84911324628e8b814

SHA1
639f2fcb65814f2c2da9cb664567a29cc78c0720

SHA256
567c146afbb7a156c8341f5834111e49ff9a5a1285603d52e26e967af9ebc716

SHA512
2de6d0369b2364fe97c7ec0f966b24c6fc954a2ca047ff4c0491f2735a0b715638a36295454effb70c2d717c8a9197722bd3fd93c7803e91f1bd30d44b5db5c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4b82a3403017ff386d852acd29673b3

SHA1
3f44414456b104766ee4ec5250fb24ce8f8b173e

SHA256
4a9e9d9abcb822c0601d1cf29bf54fcc3e51a74e675253c5ad69a5326afedaca

SHA512
9609cc26209c42c4905556ed31d35625831e4067f0d1e24307ff047ad89f6078bc0d7f43d6e18fca0a63b579df481c36855a8d85d8486b9b00b57f146f766371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ac7dd140d5d5da8e0c7f290af1f2e8f

SHA1
a9ef41a3656966731a0365235cf737d42a35c9d5

SHA256
c1010d27a7b86d5d530132b941af0817fd1853fb0a47051180fd3f79ee3599f8

SHA512
05e879f0091b63cde38a43723ea59d029bcc63e0549562d270a1cafb1d6496f2b62ee72775b4669a87871c6eb3d44e97395f7a1fe59a80517372b532947dd90b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b355ff4dc35a766c9851802c23d628a

SHA1
00ca41e087175940c18a55b7bb51e554ebc43d5e

SHA256
cca1ff98030ac3c76c31ffc058e70337043c42a31cc42ae682155e5520ae6393

SHA512
4ca6635e26afff9d2e013e3cae2569a9d5dbe4cc2ca98bf993cb4ac005b3a2822d6eaed2ef75632a28584e54d1a83767fc31bdf499e321d3183ef81a0320ac07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
502ee507ac4da4530a020264c84e693e

SHA1
825e20559338c2d8420ec5910a5fbaab5c209023

SHA256
1da9bd5c7949658c8c46220b2ed3d89b8c08fabee5b51d73b8f44a421e35f9fc

SHA512
9b9aa35ef9407c49fd7b4b08d8515588fc2bed2bdb37181b4aab2428cbf8b743e1ce34ab36e7f127fec7fede4ebd9492974ba06fe31da339c14f1d2d4a5b8ca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f272d25e519803553f818d83efd9b712

SHA1
69bb220be78121d192fabd7e08ccf3f1eb8993f5

SHA256
1c317bf1f2477126bdc35111d819ef9f4c549e00ba2f4d9dbd0fffc58d06dcc3

SHA512
3d72328211b6bba78e4430d1af4c428ca66cb090be752e63b59c6e2056621139042a28bf097742c6bbc5e35b114d5e85b36cdd2b3fbefc4146e953e9506f6e51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
184e9231461fc9cff6f76658bb11cc33

SHA1
ba094945859de826dd2bf3e1b59f1c5f9a68a406

SHA256
8be2433c2edf7a57b09516e74b24824d2457a4c58c82d92d74a8b8fb2ca7aa48

SHA512
17a5feaec6d496ad432d847080da4f71cc7c429b56f4133c863c83521bc92f8f96ce35f0f7d1d33e94c11394dc6ca922f71949a90d0cfe292c6d1ff81801d18f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5256ebcb51e50c854a15ba47311f092d

SHA1
e42ff710788c3c3f5fd2fb53e077bcdc47ff6d17

SHA256
e8b632bf6e2d07854b50b0f60be24b0133313ad2fdd4ecffc306b1508550e9fb

SHA512
263279b22806e712eb7b3594acee3f6bafc9d6b2db1b42e823d7fbf931f3ac5bae1b4f104690e8087565250c66665a4f92d44ea8c65feb10272e7668240e8dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82c1ffea4d22a05c85cd318dcbadbe20

SHA1
a4ce3ae45b7d3870881e35766c471d8040ce61b5

SHA256
05e0650b7ebe65e04aefd7f72abc5cc9c060df1c5daf28d5b10fb3af0854dcc0

SHA512
60130c91543cac28d4030a6cdbc2ea770a0e3a5df9910cddcf0c81b8878574be2b634a418d2016d67df78e77412039ffd546ec279e4a2f2d2b310f4f0db82eef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IXTVO3I9\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5870.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58F0.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LTJ4LXMP.txt

Filesize
601B

MD5
23978aeceb70ab303be55bc4ea0d3d13

SHA1
2bdac5aac27089565477f501657b4f8874e8f39c

SHA256
f404c4b3594bb952ebb8679d51ee4cec164578c555c4e4333040abb402a5a4cd

SHA512
13cfadea5706c2b7c1fc7b51386017f1d6adcc2f74c12a8d0680e1ac6d980ae0df0b7d21a97938dc6bfd9ed2973f934212a75975fbb012053fc37488ec9fd575

Download Submit