b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stella_e2e.xml
Size

4KB
MD5

deb02e17bcc92fef2298a466d71f9457
SHA1

e4259e3c073d4cb4af07bb3a2147fb1e8d7943cb
SHA256

83d0ffc0ea968c3b71c194ecb47bbeb4512137a06e8f7ff7b3973ca23dc467bf
SHA512

cda1fc10cba541658d1f826d735641c2058fadbaf42a9f05e1d8cd3b25fe146db53187548b131bd248e56f34dfebeb3e7b2c1d53784dbe88c8266731aa7401cc
SSDEEP

96:38fSxf3sWhw3h0A+sJCxox9rxT57OxjrWthy9xFnNLWtEy8PM+cRSjOA+Ay:OSxf3sWhw3hysJCxoxHtSZ6tMNoaPsAw

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b560baeb882dc64aae4acff703adb14e00000000020000000000106600000001000020000000c9a7e96141ef14eff2a8a865ab5b1602cfd6a9ec3283a230f1692212bc1da867000000000e800000000200002000000045720fe841e54fb299fc8d86988104234e22c6536452c15d5ac0c1bfe2965f7990000000e7d65dc9206304a681b61bec559a280f8a01fe5cb8e7421bda9f895bb9547493dfec317d870782476e4fffbe139fc5efc9ef86944c9b19c6f87a8f63e6fd1ecbbbbb855d2d4f0cccfd0588421f8c0f0825b655a6bf01c227d325c0ca42414b4f1ccdaf568b58b6eafb6f7a06790185b2004348b75a2a3c0daaa640474c2cc13fa6a3e3653d2e68ea09eaa4ddd3d4af0e4000000039513089a6e83244bbca807e0502932d204cf94f2fe83e62a5ba89e01a76ff1008b40e0b2390d4366a07bfdaa9261c577c34beaf94aabd5fbd1bf6c57b3a6378	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395433447"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b560baeb882dc64aae4acff703adb14e000000000200000000001066000000010000200000007c98df618ee03efaecf2a4de9316c10a6d3671d5eac4554eacb1025dc39f5645000000000e80000000020000200000002739e030ff9b5a4344124ad57955fea615911eb2cd8f26cfef4ec827304f5008200000008aba1213cbfebc88e510aa680d83f2680d190d876fbf509914d93484f1d2302440000000f1930edf81b10dd57c2f7e4ea3ccdff7b69821f0a462bf895f93a7db2474f53036e601489e54fd5fb540bd1a475e9ea774ccdb1af05238428b342c6023f1171d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C01AA071-1C2B-11EE-949B-6EF46A3BE504} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8033299638b0d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
948	IEXPLORE.EXE
948	IEXPLORE.EXE
948	IEXPLORE.EXE
948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 884	2236	MSOXMLED.EXE	28
PID 2236 wrote to memory of 884	2236	MSOXMLED.EXE	28
PID 2236 wrote to memory of 884	2236	MSOXMLED.EXE	28
PID 2236 wrote to memory of 884	2236	MSOXMLED.EXE	28
PID 884 wrote to memory of 2200	884	iexplore.exe	29
PID 884 wrote to memory of 2200	884	iexplore.exe	29
PID 884 wrote to memory of 2200	884	iexplore.exe	29
PID 884 wrote to memory of 2200	884	iexplore.exe	29
PID 2200 wrote to memory of 948	2200	IEXPLORE.EXE	30
PID 2200 wrote to memory of 948	2200	IEXPLORE.EXE	30
PID 2200 wrote to memory of 948	2200	IEXPLORE.EXE	30
PID 2200 wrote to memory of 948	2200	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\stella_e2e.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cf5fe07e4367f35f270649382d9bd16

SHA1
44cfbeda22b3297136d30977273e201c9d7e70bb

SHA256
2fd5a1a0612ef96375d30717adafc168b141c47c0aabc144d9073787756cd009

SHA512
cb956a2a239e0f90d43d1ca9eddccd92d560c4ca1f87ce862230544ebcb6c0ebbb9f922a2372d7dcc946e279a78a232f528f93ed6098cbbde4d9ca2912e30782

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e80a8afd96e17fecb22d4ffedfe89717

SHA1
80c37a7e42cc25dc7b2ee0825914ba68722279ac

SHA256
a45891b2bd24b81c52fce18caa8fd7c87636e46275b740c72af289e689c945fb

SHA512
c14d3cd44053abbdf557073626a26f78385d4eb94292069c9e2752139cacdf65e01c9f25b1ff7c0a6df922249062aad303fd4dea4e5804d9c36fa5d1b80501a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cc8c8995fa5a22b3d5283befb609a2e

SHA1
a33a7221d1a98718e81ad6187c6aab48c503c6e1

SHA256
c1a0364691d36c0af96a0e8f6e9579e50d8f17054d0e2c5f9020c781f294b0bc

SHA512
d4a119372df90ecda9094128c60af8da108475a9d7f00136b8084e0235dc3cf0d56961682f6b94a5340af8f58781067c31bf990b70b0c5140fae4c8759a549b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b9d674e4658e80c0af1df1fc097ccef

SHA1
a333e78ecbe44d5a5bcc75dcd1887d4478b98737

SHA256
706265a49ed79b89b2779bec15cfe5556e1a4fd898295ccf352fb753a5e6cf86

SHA512
ff2596b789223e50367ecc8eb0354241c0421f176a67276be11d9a769078bf6703a173aaa47cc912ab913a56b963f6d3f7209fd33db9becf297f5df469fe7872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d45889d234b3c46b7b1294dca3543349

SHA1
9b474096488290247599f25761d79268c3911f35

SHA256
b01b271270a4cda01396db94ac6e609afb7a0053eb7fb99e0b6b4db89aec8a4d

SHA512
b8569c7e7fd27d23889904c4e18b3af9eaf68b25c5aa6afd37511b3f13eb7522ba1b4353f6ccc68e5a672304b82a966b3a8253d7ea7746a9e4f84474c2578a87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67fbdd128cf69421516252e5f2cec63b

SHA1
5e06a037862e979b700f18d2710df21049109c06

SHA256
1d91aefe3122b773b7453995b588f600bfb49307d9451b1178931b5640bf27eb

SHA512
43c13e0611a5c2d770cf940c1258f80626f2b1a2936a72277b3d57fae228ecdbe8ab39c3916b019512a9eab2b8bbd16d7193d6d5980b8f1a7205dc43f8c798e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55fadf22afb4c6532eb93a2398922cce

SHA1
3fa7adec3705dc7b6000bf7f9098ea488472ed42

SHA256
f164f34d35406fe0b4836cb5a750cc7d9899b220ab7b58eda84ee83ce0c0ea7d

SHA512
d64b1e64eb42d71267e0519d8533bc1689377ca172734c5af44402e3e69b6a394e2555c45d0c433a3a4938720173b9606aa12e0f5da9f0bef5bf6de96b0a4b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bee81d803d866f74c5e125ba0c2ecc39

SHA1
f122caeb90594eb9783b6e0ccdda0b8a314308b6

SHA256
ae2bace36b4393e6f70100790b366b7e768fe4d76324642ba17666ef7d62e25d

SHA512
ae4dbbba938ac72be1d2472618b804f1b1ce5fe546ce6125a889c26a32aafdd1886ca1d16e3202b80d715ad6bbea53c79c79eba7d8c39a0069670c2583f5def1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22003403b2ff3280912b08ccdfd8fd15

SHA1
3e371e3b63fc1b6cee4f12ee65682c1be150616c

SHA256
df600239b47fa14a43c3b8f3a098bac7d5dd6677e5f27f90f0fc188457b761df

SHA512
854839c6e657b4a51e75bda200558a98cd2fc5ae7f840cc628fb1ba5fdd1289b6aff2e05ccd79a509db49e9632b47a7a36450ccc9ad44d6e9400cea11d81df49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6872eb953add8043b1e2cb2b78c44c59

SHA1
4f57080890b17f7f509f1324277fd5bfa287e1c5

SHA256
29da2a6d825f9ac5b94c1a8c1ff8240f9db597c971a6fac598adf40f147928a8

SHA512
8bc7de63da7de1d543e94d7bdf6bc259146e4d43e0b8275bcf05dd3519cf66d60816d691d9ea8d23981d527fd5e6c058be13e65a51b4208d5142dd6175f51be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4022ea02e49ebcbdfc5eff78d7adf536

SHA1
ed363a789d73df4cc9150c3ae05bd4bd44d371f5

SHA256
28ce0e9626146fd6b163391e5a1f94a66a83957a469f10cc08127e19ab17547b

SHA512
11882412dcbc869c67f881d7ac0249cfa55af6ecd515f3d18c14d77f25136123a9eba8db4c8c12db41681adda99fc1589fc67e81e1e84306f211a3f953200417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61a87cdeb18780a7c60a6f5f573cae2b

SHA1
c4b295660c1714f4933d89a0b79d920142b2d953

SHA256
645f73c17a97823139a2407e07fce50bc62052c3b6d774d206a8e0cca1793d37

SHA512
454ff51c03a65d1d998c626551f7b3867737458ea3fe4f1f9a6556e85e37b54c6bbf7969f4393a5448669be1d530090c26ab90ad6b1004286a6b9620f2c2c420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab710F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar722B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S2NAGYZO.txt

Filesize
606B

MD5
4fe5bbd6fa246ae739fbf6038efe25c4

SHA1
782ac0e35abd198fc3a10ed9d5bcb27975de85bc

SHA256
735f609441769050c3041f7ca2721fa46dc9311e1b7ea2df230cc7795a162934

SHA512
bfdd0a8352aecfc590020ecec9e764879d1f39a9b957442c4217223775c8cb02dcd55679176559ce84be454b9c0678173c1b2abf62c1f0425404e804bb71a856

Download Submit

Resubmissions

Analysis