229dff2f805ee436aa067b023ee4dd9155bfd8914b575c80042193db59d3e07d

Analysis

max time kernel
100s
max time network
139s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

callout_dest_triangle.xml
Size

641B
MD5

24a35ca36ca578188036c1c9d37895dc
SHA1

9860a6c72e30dac1c5b45d71e6898f2bc071b0c8
SHA256

341966fd69edae87778eedfd7bd3c80fee6a9e396fd8b9b04657633b5d17a325
SHA512

3029bc310b1ca12c2d3f09f07509d0b05544d008f3732451f1e858d6a02338e67455e6bde091f8a1540529324bd4cfcdce1064ed539b41858f26cc545fa0dd2c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b560baeb882dc64aae4acff703adb14e00000000020000000000106600000001000020000000b7e615747f06a4a2e20919d38eeb3c80ed513872806b48ad22c68bbd70b21304000000000e8000000002000020000000d40afe341fb4a8a7e349e9f4900c10ca5759bcb02c69434d18bd52103ff5822020000000e2719e70b3bb3bddebfce474c68090575ccd37e5bf9fc9f93c8132d9404ae5b0400000005639d76fa8fc1347a5117a9822d1722c2daa7bb7c62aa743fd85b9f031b8bd63d68ffb3f00821c1bc5c2f2c4736d5c6c00b1811b837be9447988788eca4a73e2	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395245076"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29F0D951-1A75-11EE-93FC-DEF85CD8AB75} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b560baeb882dc64aae4acff703adb14e000000000200000000001066000000010000200000001ad36aa375c9947b489bf3c6a47fe2df96ba09582df4e4b354c4f5dde143e9f9000000000e8000000002000020000000b06a0028cbe5f477f91e75b1ba1cf40593de88c1e08d81626bd245de7f2ef6c290000000822df2f1e2d0fb491e5836b3659731c0b40bfead76a11ab8a8f3ad4e4b8f9749a1a1c022f81fec4d6c6bbdb5940b2e8e1118d958988d04ee149ac8105ed3c143a647e32086bfefe59d9798f5a55aaba3698975c148fae9d40229b34f4668602f1e86c8490b89031c3a8a4aa7af41990302591672d148eed2e2411a372d190071ae827187d38794a7162fdde14252380b4000000082b3cb40b911f0cbe02c0e7ad4cea8ecc88a655ed7f4f00b36ec8b192e428ae7eac4fcdd3979d9e2e0895d0bb2188d6e1a44cbe25bb6ca8015b15cffc8d8fe34	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f52aff81aed901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1344	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2244	2956	MSOXMLED.EXE	28
PID 2956 wrote to memory of 2244	2956	MSOXMLED.EXE	28
PID 2956 wrote to memory of 2244	2956	MSOXMLED.EXE	28
PID 2956 wrote to memory of 2244	2956	MSOXMLED.EXE	28
PID 2244 wrote to memory of 1344	2244	iexplore.exe	29
PID 2244 wrote to memory of 1344	2244	iexplore.exe	29
PID 2244 wrote to memory of 1344	2244	iexplore.exe	29
PID 2244 wrote to memory of 1344	2244	iexplore.exe	29
PID 1344 wrote to memory of 2304	1344	IEXPLORE.EXE	30
PID 1344 wrote to memory of 2304	1344	IEXPLORE.EXE	30
PID 1344 wrote to memory of 2304	1344	IEXPLORE.EXE	30
PID 1344 wrote to memory of 2304	1344	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\callout_dest_triangle.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f83fdab5896bfe26691e1d949e6cff7

SHA1
2fe89533b998f33c2db42253bea806d24b3cae75

SHA256
74fdec885d4e81764bc45ee55d12216f30eb6e7bce765740e81b3e23ab65634e

SHA512
7937b56cdbfa1287120dec1a23e75d964ec79effc45387a2c9fd8c7397a524fd22d0ad5ffdab2ae9bbc9fadcce4743177feb480ebf11913fb3b5a3ac6ed29022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5c42d0ec07967c177c8f6e41bc601fe

SHA1
5d8e0b73aed8690cf05663fe9b35bcb7d6d53536

SHA256
6ec203798f711abf76a4392edc4b35630558d731baaf59fea4c91dede1b1cc3a

SHA512
e176dafe0e322f518d13467cdf656674e41c52216648abfb629f79bdd23b1c4cd4f6e853ca6e0b283701b9d98c88f0a6a31c652b63a08e37914f2036733da7ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a066de4662dfbead657949545adee4b6

SHA1
28e928582a6540f8b3b41fdf09d0c374ae689099

SHA256
24d1d32fe8ce0396b5270675571778525654fe8ae117fd046cfbe6c5939bda3d

SHA512
1f5bed2c9175e0a8ea2c3730e9858c64e75354e39b287115ce3473a1d92ce2b03b6199e820b68c009c55f9f9a34c55143df27fce0c3e094ed9e20545c98692f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
494d59e9918fd55a08eef18087f2a2c2

SHA1
e7ed0ef69aafd2d7aa307954cdd41e47d61ec284

SHA256
94ba4f5c902dc722b0163eee94f873ed18a610402fc09089a4e54262e4f1988b

SHA512
ea8cbe397a647703c2d1653d056022ec35bda38e981186c9bb5cbe8fed92963c72461d6e7c6c213d5967c84cc55f73228da9400e0d909862f69a86748b7f0faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0942b6374bd8b781f3119970e06ab1c1

SHA1
410cae90a2ff42d5018a7d1ea8253a829907003e

SHA256
22965ec3534451348798ed6620943463982e7d65500bb0f71cec2f5d2a8aa91b

SHA512
30da0e6abe97a0b377cb4d89d76f72de5fc761da33ce77ddf1db7d1721f9f4373c4607f08f848fd904b51a48d2d87d0dbb43393cd4e64dc52370b7526a71738c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4b78a115574d51bf0276965aab49ea4

SHA1
6dd616167219aa1f6c60011470d52fa33639e3db

SHA256
ccde44835ecfe7a1fb05e508410b28db4de4fe1835d6632e40fee2f84dc535ab

SHA512
7ca5985e89518c38cfbda85306ed2b99647cd993386afb3407a98d2d1862131f1d4e1a1b17bcf2e1a9aa2159a01c868fdce5b21c0cb5673d31fcc7ec2eb74617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07bf93cca330bab3bdee394c3d08fd40

SHA1
34701941708ce26345f4f66ff1f98df676514cc4

SHA256
55e12bd0206430728a217958c52d28ca91e977638b124a6b7186594a9e962843

SHA512
99d27997bafbb9017f6bf3b1d7daaeb5ecb055f05ef4e22bc202d0185efd2fe0325aad67fd380b4a75b7d4c2e4a4ee425e998eeb19d90834ff0e24898f7a6b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4253d5e8542f2d020a10292467f3ae4

SHA1
99d1f97c9a6bd29f760ca87f8960cfe08796f79d

SHA256
c6bcff058819c2aa2dae273b79109c213e9fc6dd4a030a7c760842dcca97a9a0

SHA512
a3d889529c764a4b0351386b3eb8bd08e1ec0e0a28796eb7a5250c499f12bcd3f85d532449bd710a258ad6f28e22de380ff918c65b26cec88a2b376b868986c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA0C6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA107.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AKIXQG6R.txt

Filesize
601B

MD5
8f0ecf2a83f8d03e654c3d301a33efc4

SHA1
0df6e12786b8574f11130b9403d4108b37b59e8e

SHA256
a715c05ca5fe2f167068e6d0b3b5328cd9a25a5816aed605e3a812bfb934119b

SHA512
ddd3203a1a6c6aeadc8a615703e5160b3d3b04f5c4a3dbd1a88cd52dae1249cb0d0c0aaa2c1624c074a1316ca59e09ca76452abb379a2380088bb7f60fbbc681

Download Submit