b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
104s
max time network
143s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clockDarkTheme.xml
Size

1KB
MD5

663e33bfbbb0d14830694114d49c457d
SHA1

3231baf54a3c1f336f1b11d9a7011bc5502a9d4a
SHA256

43b0cd84c7344f57b2656d66d5bf215a4f1d1713a8117e0ecf92226b8ce1a200
SHA512

c116ffaf6c1f8ad9bd6a1d85de318c9ca2c3b6d4931a1aa165dc7ef7351c80fbddc7ca1371c81dee35b3e12720fee2d3146d7a510b54026c3aba9202dee5f1b8

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11886411-1C2C-11EE-A971-5E12BD6EB171} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01c92e738b0d901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b560baeb882dc64aae4acff703adb14e00000000020000000000106600000001000020000000d4e1c9cd8710fbef2bf10659a5d75a9def4d53fabbe3a82c37cdab06cf65241a000000000e80000000020000200000004ec61fce29b7eaf7e3bac094396e28e012d7b8bd5e608ed400109c3c7795fa0390000000fe1657eabda50458e99ffb68255a3d0d1442d27e458976509f6fe3164c78afbea2638b1a848679df3af79ec3a79dbe3dd6366ade739b5a498a6c6531cdd562e072aec12301f571fe69f115f6546f223e1e9cf66a9bf3519d8efcd317499392a8a304d8b20f7eb776992cd798502946717eca5c7e9ddf3010e7abd4f62a567f847015a841c2864513bb7def2585a7956d40000000b3a7190da4dbcb851eb4ddcc55540231065445be0ad4497ccd79af84b8a4859289103c301d8937eb195f6b7864b2044cfb2f48563ff78d17021b08cba4cfe56e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395433584"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b560baeb882dc64aae4acff703adb14e0000000002000000000010660000000100002000000064088a429d6fe13c79e68c8c1b609b1e240a92fdbf4e1251e5a854e3450699f2000000000e800000000200002000000078724ee83396ac1fc9f71d0e33021da9ec600c365699ca90975e710f5f30b69820000000db6a04d2e7a0d5ae76629b93e33e9c1bdfc20473814a48e62b635f2bddbe926040000000f36b4affc096ce522852fabfba8f94dd0a8a1026285a58450562cd785f9b1bfe2346c5540543831816bb39eb3a7fb9ff64f574108ff559b5c3f19ae8fa426860	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1305762978-1813183296-1799492538-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2360	1212	MSOXMLED.EXE	28
PID 1212 wrote to memory of 2360	1212	MSOXMLED.EXE	28
PID 1212 wrote to memory of 2360	1212	MSOXMLED.EXE	28
PID 1212 wrote to memory of 2360	1212	MSOXMLED.EXE	28
PID 2360 wrote to memory of 2916	2360	iexplore.exe	29
PID 2360 wrote to memory of 2916	2360	iexplore.exe	29
PID 2360 wrote to memory of 2916	2360	iexplore.exe	29
PID 2360 wrote to memory of 2916	2360	iexplore.exe	29
PID 2916 wrote to memory of 1340	2916	IEXPLORE.EXE	30
PID 2916 wrote to memory of 1340	2916	IEXPLORE.EXE	30
PID 2916 wrote to memory of 1340	2916	IEXPLORE.EXE	30
PID 2916 wrote to memory of 1340	2916	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\clockDarkTheme.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93f49b0b3dcb6188cfa95ac4f2d8ce08

SHA1
94dc99c255bf4b7d8040bce1850e0aa91ce7d293

SHA256
9538c8b49bf5aa8a16c769222bd9ef37980c09d780650627d962bbddb00ef0d7

SHA512
e9626770f3925b1b1b9c4a33197e88900403271bdc20c3d5e64402d08130c2d46488781db754315343ce9a876e81af513225d2214fc9d06b92dfe82d01e6797b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b7f8dc75925c4a72e6d9b7d1747875a

SHA1
f7509304fb3f76712bae70aad4780d8a31ca0d0e

SHA256
f03e82720d206c3d2cd6c29ab65ea0487330b822d8478a6ce888b4a548f4aed5

SHA512
512d17fb99f1fc5431070c612eb62cf49ae962a3f223463eb5e0880faa3233ce670e665d402a6bc8365d24d5a335f57928edcbf5de256ef85470a4ba5b0712b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d2ec42f9a3b2a0a82903e2940f786c3

SHA1
a59773c6ece1eaae2741727fdc6f5cb877f078dc

SHA256
f0af24c73f9b7cea6ac4865ef2d5e9154d34422a2786efacb874f7e5af941b05

SHA512
d063fc143441a990d99ac908443d0ac1ac8a966b11d22cd0d1d14614629acf6c880a7ad3a408bfb0c16bc1b8473ef288e0d574d1e2e6680bd24538a1c8183c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97ba719624d997c1330b390955f7d9ad

SHA1
5efe5d8442f79dbbe9a0edd92d943eb1cb151cc9

SHA256
b7ba74c017cd954d9152e340cbbf4e1c8502ac5fcffd5e75478902713c9e7ce4

SHA512
c08f1bab9ebd326e65c177b8805b8471dddedbc354857e92dd14cdfc9b89c3fff56fdb257c8ff87d084898679de98d959a38d40b679a3f4f53768755d9416388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5476c84c0f27243ddec4ea15510a1a1b

SHA1
6f5958190b12f6ad2f69c2ae2a1e52772e5d3bd4

SHA256
7b5aabdec75d8c2812dc5f99bce5dd21c79a76c6cd6bf26431fb407ede346c30

SHA512
aea2309942fc3b836f9dcaf216be477a59dc40aa7e4da327df91785d8809b3975d17ac06b4c0cd1106d062e7b56aa44c82b9f971a55ed14fa2747b7ef3526af8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d7a3437dc928282d94aae07845470be

SHA1
48ca2e65398161f44420665841e71a75973108cc

SHA256
c6b3e6f0e05a6119079ec3533da2bbe79d8996501d838516a72b05f17c889ff8

SHA512
53564a95fb67efa39351c88b0ac477cf9170054de87550d01cd9d0e5a629ae323bf5e8dae5c36390410d887f302c2b15e87a079053dd086653f8ca5e780cfab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15b726008ca0f902d2cd8580ab8990e4

SHA1
211f2ba0acf4c90519722199a2c7be3d3e58db14

SHA256
dda80bb813d2eb6524e92fdbf6506d670e779d37b47a2b6e1b9639ab74785feb

SHA512
d860d1beed03c58af2bc834ffbdbd6b8f72d74381c0ea7125232abbab49a7209abafb6c45160841cfeec9e5c84320d2bdf064f8ab7a982a59fa31a011177f205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D5B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E3A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PJSV8HKC.txt

Filesize
606B

MD5
8e74225cb3ffd5d6dd365d7a2e285059

SHA1
337c6d74706499233839b782c73b6d3ecf3f0313

SHA256
297925a7b65d16f86eeb506708a2b2581fe65a2a8bd884cb81acaa6e4ed65e3b

SHA512
6de22c5182cc4571c64363378e24ccde94679bd5dc611d87a4f5079f49ae15505b3a9d275f8c93bb1d986412df05ad7da202da97f8ca956ba3e6192c04a9f054

Download Submit

Resubmissions

Analysis