b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
100s
max time network
140s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clockLightTheme.xml
Size

3KB
MD5

2235609a58ada82f2110d941341a720d
SHA1

d3b06251eb8f131034ba1ea3b0db982cb31bd813
SHA256

d89ab1d4bc636a73d64ef1d8976d517f13449a11af28d70e88ca3d0c40e114a7
SHA512

ff7543b27941add4a92579f1a55f3b40a16cd8ec8cc43b678b229be38a3878267fcdbb80b040e91132fd938082c47e6e237f62ac3903422ad9499cf7164228d5

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395433576"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000079aadbcc12564442a62aad76c0e1e2aa000000000200000000001066000000010000200000002c9fe4115bb6ac0286236c03ea99371a6c29022e6f3ee0fab47ec6a0b3f14951000000000e8000000002000020000000d203a5e47620043e22e555e8331a575ca1925adf8ce159903a68a3889e0a6b4a900000007eb5493001351f21f4f466700b2137e0d2eb83605df766f04d867d7945b0337f2fad7bc670ffd266d5e8c5174f850b3120a0148330fea910ae7ff96218961a4d838545c1331e54ca0434d4f05756438faf38f930c5abfb617b6da01bbd12c523933cf15e7a0d74e393eda732f46ae8105ea7c2649faa08505ac39319b75468c1b9babaf38fcd918149fd021b4e2332494000000007aa7f442a4b15a6995c009ede2f40fa69f8b37ba1d203bb2759f8813166ba8b6cf88b1a24736c7043c4f79df893dfcb68836fb7c05fae38d53575a98875e029	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0CF57E11-1C2C-11EE-B012-F26349CF7C31} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d06dd4e238b0d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000079aadbcc12564442a62aad76c0e1e2aa00000000020000000000106600000001000020000000d6b0bf023beceb89a16199a41605a3dac47cd61dd6a9525a537bfbe587f0c603000000000e8000000002000020000000d9a728d4da486cf5a8021c70d1048dcbf49364288a51036416bbc34aa61edf85200000000a7ec7f0aa7a8de979ed493901d01e0d4cdaab5dc065b249c96a0cd60e296f0540000000a518ae7f0f654b32b95b309ba6133d7a6a9a06f8191528abebf14415a81ff90a12cb99c512a8f365e9f6901571ac0357d203adcdd69f61e394869765917e8a1d	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
800	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
800	IEXPLORE.EXE
800	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2392	2436	MSOXMLED.EXE	28
PID 2436 wrote to memory of 2392	2436	MSOXMLED.EXE	28
PID 2436 wrote to memory of 2392	2436	MSOXMLED.EXE	28
PID 2436 wrote to memory of 2392	2436	MSOXMLED.EXE	28
PID 2392 wrote to memory of 800	2392	iexplore.exe	29
PID 2392 wrote to memory of 800	2392	iexplore.exe	29
PID 2392 wrote to memory of 800	2392	iexplore.exe	29
PID 2392 wrote to memory of 800	2392	iexplore.exe	29
PID 800 wrote to memory of 2268	800	IEXPLORE.EXE	30
PID 800 wrote to memory of 2268	800	IEXPLORE.EXE	30
PID 800 wrote to memory of 2268	800	IEXPLORE.EXE	30
PID 800 wrote to memory of 2268	800	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockLightTheme.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:800 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e947843d18807ede0919c8dddff339b

SHA1
08f090841e5bbf15ff637e6ed092fc32262360f7

SHA256
e0eb588505c46901a4b0303799d88346fa8c6b1e41e913e07dd9e836476b5e27

SHA512
7f24a5fcd6ea735a70d3e837bd7a3f0ed1b8c895328f6a4063478e9ada3c7ca592a75e62b2f78898c16f644440d542706c89a56eaa79e0fd247d5e588576117d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38701f31ce00ba39167860ee9c45949d

SHA1
7523bc9e5e828359b1cf61ac0ad017fd8ae7a674

SHA256
4fd1049a659cf229e026ab1d998ee00e043316c70597bf9a2098139b743a54d2

SHA512
2c54d359a5116c3c6ae5a56267b430821814cc9e3eb5723d529496d5d4d9624d6cd2102a0a3a805e3d2579f8181aff6c25cab2f7fb285488bc385147007d3bde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0d78e31c15b8f3dcd188ff044b70ecf

SHA1
072357409dd7245965582dbe7899d877b4fc84c4

SHA256
a4c1506e51de267bc6a365e8bc1ae1b36e36be822729e9a67ff6026960451b32

SHA512
2f2f991e778745c9848353566f716298da660726eacb84fa80d7281fbbd8931c0d3c78b8b6e2e127e1442f55ce9d3339e4c57b04cf50b0ea9c3afba50d274d5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bc8ef53c72738edf15230c358b73b97

SHA1
df23e9b64de113da39c8340f0ba1f750f7dcabc2

SHA256
51f2a4480f75dbdc0c27155e63701de6c82e8c0c91024996e7ed241bebf4cc38

SHA512
9bf83781712ac393ab4a596143a2fabb5ec12ebee8fa58a90cbd22a84d31f6d482d4553206197ff03dcaf25e23fadd39d9ea170754257be1802441742cf357a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb51b355f8c5c6684bd2455a73f9de36

SHA1
223a223417770334d048df854581da59248d8b47

SHA256
2cdd8a2ec713dae8db8884c81817e8faf309836152ea6eaa9b5304e8d0d5c3c9

SHA512
9e05270e44acad0b80fefda17b9a759681ef8ede53a2ef3721dec238fbabd70c5d2848dbc26fc752691f2be86e88e3de43a531a1c0e9104a12bacb079e30b3b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4d116020c8044cca89d4f24a2307a59

SHA1
77d8a94d354f8eccc93ebae470ee6c3b98551821

SHA256
b1caebc64c05fd8ab62ae3c2c0c0739597261e81ca1262beab3e75ef8ebbc31e

SHA512
4c4a443444f3136b5baf20a5c7b8a4a80cf40b94b0926b2d2ce455f0e5e76dab2414a17d678a58b923009b080387c052e16dfffccc17291455f403da37e7f028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67e13ac18c5d34368463cc58dfc07ea7

SHA1
361d212fc3cf784a25e2f2c054f062cbd0145cc3

SHA256
252ae2a5a6aa4313f960086fd4133a330d532df519f1503bf397d5fb1816d558

SHA512
d36d9cf3629393094b60920a47a12c3e0bbf0192a66bde82e80659c7d70df8ef46e51517c834bfefc8f399d52c57ea88bc25a82dea772305662f3e8ecf963a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48bff49327f0f4282c722a7eeffb09b2

SHA1
c16ec710437a8ac0b41fdfa7f6d4692d4df438c5

SHA256
e48accb37d45f17ccb4bd8b56f7582b623c0cec0e8bfd80e51e69dd1c5b1f9bb

SHA512
353e1dd05d469f7d15f0dda83c2fa201362a751f6d1ae9cf65150456613aa259c35e7761cc0d4a2c03aa189172dc65b7ce7d203bde8a116c955d9276eeba139e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07aaec6d12f36dbd35d77b515e7f3eb5

SHA1
c2ce547c67d3ac78d552ffda900e319817ca89fa

SHA256
4f6d60f6b95f25fb9481c6a2cf35a395cf487e61e32cb5e035720e9e646e1c39

SHA512
e5990c27af6a083d37b12e6fbc533485b016ffa1de0e0b6f854cf7dc26702b2b473e7530f7ab1d3438736ceb3eb279fa0e0b5835594f9b8b6f682febafb48d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M70DY8PN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8AB6.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8BA5.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\61NUDWJG.txt

Filesize
606B

MD5
0118301f4d7941d6a9ae2cfb70156e1e

SHA1
03e2a518bab582dc4205cfc58c98db9ab73905e4

SHA256
3ac76336469a35024fdcccd608b0ca9b71d7c1063102fe8ed0d4f1a97bea3ad8

SHA512
2650aa5aa68be8b8fe678e021fb21aaa54441d47b8898f60b3243fb55fef70ba873ca838c227f36ef876541d02d05053e08c88b313e37ee03d38d17fc91caffe

Download Submit

Resubmissions

Analysis