d70330bff40a771fda25702e66572bbb364080d7971989a60dc172bb52b2ffc0

Analysis

max time kernel
100s
max time network
140s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 08:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

stella_wa.xml
Size

9KB
MD5

4ee3c0dc45185231589902397c7a4c38
SHA1

28a4882e91c2bbb68562fd9373efe43d24dce3ff
SHA256

8fead4d413917d70a317375083a0cab7bcde24530fed6d9eb39de05bf14348f2
SHA512

c22274e0cfe22cddc65f0d258ec623360ba34d8ddeb09a2e7c88290d949cb20f76cb6e8ba8f02c7f5ee7ef4ab551d2d61f680c1dfa0b9acb30143f76d908eec5
SSDEEP

192:OCxf3sWhw3hysJPiaJfdvLZacjO/SbEgle3iVIept8CMei3ttdLx7Kx:Oa/sW63hNJPV9VZvjbj03ISpei3ttdLI

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CD6F4F1-1B26-11EE-8726-5653D379D7D0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f087a04233afd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395321209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cacdb9c8f7e7d1478a5f6d5a6cb4c29000000000020000000000106600000001000020000000c38c42c38dd4b5a47dcc6f7d651149e6b65f5debf3bb1365a8d2afe179f0a242000000000e8000000002000020000000ff935cd884362adc908daddcfd338aa056b5f377e4286c77a5ae3e618dad80869000000020704883ab7176c619d7004dbda393b00f18ff33b14c1282cbd4ca66f29de800a49e19b20d73b71da971a46fc20523391ad93f65ffe749a2989d7574c50f990e5bcc5924605bec1b550dc05e594fcfdcdcdd1801788433aa440497b410bd2d2f0d130430684ec3dbcd114d85a79f228cc715687d5238972c89c3b33ba19e53e02061c18c60c0748e99e407085118a2f940000000a7497c057e73cb9a1d6259472c7fea2506848826a4c5f12f05f1629a159529f4b6e0de81eef5372b8822c4218314b627b6bc79ffbcc5808addbd91d2f82cc62d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cacdb9c8f7e7d1478a5f6d5a6cb4c29000000000020000000000106600000001000020000000a2739cbc04c0736f84ff9c8109b9cabf25e7421b0c0614148d2e68094778ed78000000000e80000000020000200000000512e058f2bec5dcef733f4d4fc3f5f551f1d41a62af558f773600113d7d9dd720000000e8bc99f62a9cd9319965ddb71f281f55bddff0936fba860a39db81bab6849a32400000008b958b561ed566416d4154523fcf5ecebeac5787138af768e8667586645c4e4aa3de0597d43dd9ed5218be35e30753ffc52b3d6c513a1ed1a0199b677738fc06	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2352	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2380	392	MSOXMLED.EXE	29
PID 392 wrote to memory of 2380	392	MSOXMLED.EXE	29
PID 392 wrote to memory of 2380	392	MSOXMLED.EXE	29
PID 392 wrote to memory of 2380	392	MSOXMLED.EXE	29
PID 2380 wrote to memory of 2352	2380	iexplore.exe	30
PID 2380 wrote to memory of 2352	2380	iexplore.exe	30
PID 2380 wrote to memory of 2352	2380	iexplore.exe	30
PID 2380 wrote to memory of 2352	2380	iexplore.exe	30
PID 2352 wrote to memory of 2396	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2396	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2396	2352	IEXPLORE.EXE	31
PID 2352 wrote to memory of 2396	2352	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_wa.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0825103ece918d780c0edbd671a2c885

SHA1
6a0aca1c5e689e47eebb18e0ca3001624674089e

SHA256
835f3e2f0d329e26211cca8732a3ed0d1555e0bf542809c136a351ef996152d7

SHA512
a8a4b33d42b72ce9e0ecf8121f24f95eaa07bd6b407b4a75094cd775a83ada39bac3beaf380508ce160e458fdc028466d5ebfb7c7782dc2a217986a8cb3e2d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21231dffa35eca4fd60dd30c3a6f81a2

SHA1
15b7f548eca491de1b6c59f0d54ab50a9d8e8b48

SHA256
a280499c7cfd3b9f73c7320ba85f026e2c085b4d0d8526c49bf8b3145f59714a

SHA512
2f11772360b99c66cbb6f6839b5182d22b573ec7a67bf2d1014a2b9ec4e2e52df72217e96011dd5ffe90707f3f9649ec03ace29a3814f89279a39a7e1df7606a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be270dc46737a4cde81cd19c1071ad5b

SHA1
3093202f796f0aafa610810b2b236d55f4c58348

SHA256
d7b9f9217044af26fc7abf69350a6005f3a316774cc4edea136a20a0cc6387ac

SHA512
30db1849346e67098a75a0830188a11f58d2623858217d22b76f29b2605486d7bc426542d78e156efa4c97d5fbaa8aafc90ab4e1d33448de0f6298c98cfe3b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13032f59d9151e32b3cb171afdab6238

SHA1
ed83a1da26ede9be6d2f3dfb4ce47ee16d480928

SHA256
2bb9bb9f0c9cc89b2e4c97ae49d70d3aa00379ed08c107d80428ae2865c01084

SHA512
03552af375377cd1e8e4fdc7a53543d149e97ff94a99aeb3f4b270c2bbb776e94671a595f0f1313c970f5ec03b302219a4445129e688664231905a3f03476b31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
446d6ffd7ff2e98fe7383e3e690ee53a

SHA1
d588f3d005df0547748b6c30500eff3bf39cb417

SHA256
45d717eb592049f5cb1376f9eaf2e65acba4c9197bfa145bb8e62bd8e5c96a7a

SHA512
a8a153fb18a196bd649f0809a731e2b1825e4e417d15092f3acb529e888bd7f42d76b07e503509ef307e39425bff82f9d21c0f928f4d9d69e08bcc389e8f24ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5f17111da603cb0407f3a731d730f48

SHA1
c18011e1900e4d682c8190056dce986f7951a28d

SHA256
cb10e94dac858b37cd4c615c9518187a8bcbf0a80d20e18cd924f0e766c943ea

SHA512
c47ad3826d81266493462a167358babecb72006c77ebf7f9ff3c33a8f11190886f060017194ca1b5ff298df95559e3db3677162297d8b18cf43b341f4add033c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a77a10cbc6db9598d083d19e40038da4

SHA1
f5ab3af6e673020c9814b829be3274070cf14d19

SHA256
bdab51b9b2ad129ebe02478b0184e71bc3c7bd206e8444398b6f916b3a100933

SHA512
4d1ce63d4e8c4db01092ea42603a92f2afc795d1f5eb298335dfbbcac7cb5720e4a26e986e059881c79c59e3b24ff58270dc8641c3d27b1673155a3a2cbb2db0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
283cd7111f8914c364d26323ab75e22c

SHA1
beaeb0f6cac9dc2ae5282ae6f1bfb29f9516a10e

SHA256
f6b6fed1789443dc7577128d10258bd3eff3c06ccac3d5acbe9f933fda94c6c4

SHA512
b6f1ac468cc581826173c764344cced541e123c005e4af985b1ad423e1631ce73ad4d37ee3623db3509dcccd61bac7b23c8647a006e0fbd0b568919798d2184f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c045acc724f23b88aa842380d218b0bc

SHA1
a1fb8d865caa969be0798b192a362ab5571d6ed9

SHA256
903444ebaba0e31de140d158de4aa135a88160972e5f5f11e136ba3c0c88ac2f

SHA512
cd0b0f9b1b36bf874767bb2cf544468d32ac55be531b3355cddc5f9469e1457eee18d4a0eff49a5f3e37d2672d6f1dc14488d93b772fc46f5b4125b556e5bfba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00b5caf9e739b5435e8a10beb15d4d74

SHA1
c26eae0dbe2542cb89a65c827ca3823d4012c1fe

SHA256
3b228521c74f6219983e22a4ecf3df7e614a26dc1dbb3c7a5092f667a4aeea7e

SHA512
d93a59cd6e417291c267a3c7e2b9732ad660bfe1eeeb007b6c95ea915e4e883f114e5e01dbeb4e46c9ab4b7f14608a355fbd43d93189ec7f2c0779a96dc01bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4976f389e517c83115978aa65885218e

SHA1
545e16e68592d7242098cf9746868c8ddb5d5602

SHA256
4ea77983ab2e9b23201b79589ef06ec2fe492d21e1ab1c00bf8e7e66050204f7

SHA512
03e11d8d3c98c9da863a1bec1aa4d59a0b2af772c1eac1a3d33a019940790afbec7cf133d663415ce1a960bae684b53863b2db945f739da06084bc1c975d85ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5459.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5539.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S4F7TN8M.txt

Filesize
608B

MD5
6c0360b9aeb07a32349b3402af2e45bd

SHA1
e3eb78f0d8d93786eda2d1f7b5b08ee207fe8500

SHA256
2c96c0154a66273ff986381e685e709f43bd226254ffbd26db35926d7e60f1a1

SHA512
d09f68ffac961344483214d25f4e322f4bbf8516586621e4b10bc342893d7ec84c63171625c6052debe9feffa68f16ddcd7e32fdea65386505e89c295591cd66

Download Submit