b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
100s
max time network
141s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clockDarkTheme.xml
Size

1KB
MD5

663e33bfbbb0d14830694114d49c457d
SHA1

3231baf54a3c1f336f1b11d9a7011bc5502a9d4a
SHA256

43b0cd84c7344f57b2656d66d5bf215a4f1d1713a8117e0ecf92226b8ce1a200
SHA512

c116ffaf6c1f8ad9bd6a1d85de318c9ca2c3b6d4931a1aa165dc7ef7351c80fbddc7ca1371c81dee35b3e12720fee2d3146d7a510b54026c3aba9202dee5f1b8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395312782"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CE131371-1B12-11EE-A3BB-6EF46A3BE504} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f4000000000020000000000106600000001000020000000f9c13ab9e57accc9b9e7b655a8f49908e3916ef37369887de6601994c055ce0d000000000e800000000200002000000072b554acaf258843c5302023d8fed9cf896b99a78eca9bfed359a22231c7c9aa200000006c2c20fc7bd7d292f8e1d3fe8803b4632510f11311bbd4db424f2ec23a033b8940000000ed82bd53bb3e033cc9385c350a22bd3f03bfa1025e5650870d3e65a1d3512de3935b388da73ab630bc12939c81c6eef00baddabc27c9eeede354cf8e4c3a0754	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b6b1a31fafd901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f40000000000200000000001066000000010000200000008592ed9482df477a1834c258fef6b384cdcd98353f2accd73d2405ac0ec8fd84000000000e8000000002000020000000bd7742c50d76b246ab5b32999e13b818b76ea7929c6c6e376a00adc8baabb58a90000000a12b3f151d15d357f3a82ec4daaff17a987668bf6c334e57ef8e748906ac5d6e3adfcff2fb87fdfcdbc79b941217482bb38fcd42ab71efb737bfe12bccc80f07702ee079db9f8c85af6b7489c204edc9046837c031a18a58b3b0ac8b719a4115b81542c4999eceb5cb5cff3e9d644df5745af2eb4dfbafd56bc1420ad7480f0c034fb846c8f70efd87fd5a7aa23e49cb40000000ba0cec309b4fe9899df6826ac5cfa48169a03e53cfb9a1b7c5c62cb3d86a18c3e96b66308322daa7e8783db980b4176bf9494a7a55504342a7fa679f478d910e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2136	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2144	1152	MSOXMLED.EXE	29
PID 1152 wrote to memory of 2144	1152	MSOXMLED.EXE	29
PID 1152 wrote to memory of 2144	1152	MSOXMLED.EXE	29
PID 1152 wrote to memory of 2144	1152	MSOXMLED.EXE	29
PID 2144 wrote to memory of 2136	2144	iexplore.exe	30
PID 2144 wrote to memory of 2136	2144	iexplore.exe	30
PID 2144 wrote to memory of 2136	2144	iexplore.exe	30
PID 2144 wrote to memory of 2136	2144	iexplore.exe	30
PID 2136 wrote to memory of 2848	2136	IEXPLORE.EXE	31
PID 2136 wrote to memory of 2848	2136	IEXPLORE.EXE	31
PID 2136 wrote to memory of 2848	2136	IEXPLORE.EXE	31
PID 2136 wrote to memory of 2848	2136	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8fa9f7343d37b9e3cf06976bd7c9a55a

SHA1
cc6c0c15df55b4b575ece5c89f0a802527083efe

SHA256
b5524c4edce4d16adb3d555eeabfa46e1d9faf536b6460f27e53fd551c7c0dbb

SHA512
4fbbb68423eb35fe00553bd760288032ab6ca193591f8bbace6713a7fcbd015745a74a08a2cd25f0598775fe6235004b5d24b0d91aa435e52267c38d688ccebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
127e784e6f7ad9c2028fc087cb587c34

SHA1
a87ca2480c9377bbad3f9636902dffad2d3f5901

SHA256
87e1c9f465a249eb6dda44157a059c441aadca18b407c6216deb2ff70ef275b8

SHA512
0e02ed3050dd991ee474e2ca538383b6feefc905e163456080964a7cbbf8b62ffcbd915737eadc84e046e4ef3fae78ebb1cb40dc11e9c2c9f89dec06b2814fc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4eb9274351e436f448d7182cea7e8719

SHA1
aea2ab135e9ffe432ba8925027ef0418eab208e5

SHA256
5441fe4b4dea21e8fe27ac7da4dadfa5f20ab9494d88c1107bd86c2d4ddb2b78

SHA512
f2736ca47a2807a77596c186c600cccd5eac20ac4c6ea8b24bdb2947711f4da0e0b303835a7bb1566205f1ee5963fbe2a4bd6a93536a0c7c1d6d8e5760f187c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c97d9922fedec5bf6b449071d39ddfc

SHA1
a08893a61b9c79f02ffd667d714c167c068ff7ac

SHA256
cebac65caa05dd8061f7e932f1880de09f195dd9653146b7fe718cac3b6a43a4

SHA512
62d7042bec6df0574e09fa189a2a85334c88b374e4985fb6a136bbfb8de2b188da3224e5f984e0be00393a16a808dc628fecbb9606a8f961f1b2fe86c514ecf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a128a145f59322cdc2708238bb7508c

SHA1
f20d687c859e086f8029adac5ae1c98efd7c9bd5

SHA256
cf6b349214c083bdc45977961f92696f644e68ad1112aa13bacaf5019318a074

SHA512
d8ec0875155e0d1352327096851626c231c31aa621314f2b7d75a3f48490f820b48fa8809a2f611720f72e009c70f9d0f9080711c26a9b2c92cefb6420ed084c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c586da3ea4034e01e7c4a69898454c2b

SHA1
31a19965233f9f8ebc6cc8c23329de9e6966168d

SHA256
c3de8ed2c9b172416d45e206105e8a2f5c6f3378f49b3c95693561ad599bc1d9

SHA512
fc131827875915d9c5acff196d15d90404378f10e4880235c528123ba175453fe15ce63bd02844f684a6a496c96e9deb9988a1ceb9fcb2297840acb215bfb931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b80cc67689d75616b64d159febcfe889

SHA1
398b433ad70eb780b9792256989c4bd015f4f7e8

SHA256
294dee795f46f79f78a1f420520614932d376084d6a68aab05de737060f8f72a

SHA512
1b42be8ad2a7c1bee46aeda753a9cb5909a8f4f34f414d563da46f244b389f2bcc1840a92cad4caa53943143f26fd7a3d1bdc6d5d4f6738370a467542cde7770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac10b4f2e49732434fa9158e23886e4d

SHA1
ae595b984832c09219f1ec6d15acced11e5b0a5e

SHA256
5300055caf86766668f2e8f89e5d7500f59b0823b9b56649b0f3c2a0317e3718

SHA512
dd7b81c309db677e9f1d80be3d04366fc662947fddf8cbe1148aa36d401b8c228a9c784c14202d2376faf31a152de627d36329a569ade3ebc4521bbef16cab4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM3TD3CI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab714C.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar768F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7D7EAWQN.txt

Filesize
608B

MD5
d0d3b1b7a1fcd117bc7075a1eda35a84

SHA1
66a969327e8b89377afc0f3e246b49b92f66e4b8

SHA256
f8426e55f0bbbb5a7570a56b52a636936dca1667ecdeb61e95b7e67033842b15

SHA512
d2471dffde2474a527866a23866964bfa70658b46067af8b0c924c55bbf7a877c3b57317ac2c6633803632a2c82c8be60545684bd9b159559c20e485c927075a

Download Submit

Resubmissions

Analysis