f45dcbd13c47c789a90d8e0728abb588ab63ab0911530fec579cb18100a21f40

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web.xml
Size

18KB
MD5

08101241b15b53ef0ab908f6d388881f
SHA1

ea3e2ad6d71d483c54b12852dcbdcd0baa569988
SHA256

15a2c7a9242bf54d3ccb3e07fa6d8f84ba8b303d8877243787a1103009941bdb
SHA512

a1ee7f17bb069ac42483d1f98ca839ff1bd06f3fc15cd379dff4aca3732a5dac24dc17e15acc8f8fa39e60e186219f4fd70664f9ea284002274a4ff8609791ed
SSDEEP

384:lJJuAr8F1mJ1ayCk5+HK5YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbpJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4e20c56306bc849bbbf82eb036fcf6e0000000002000000000010660000000100002000000017dbd8f47dd544bcff0757b98223e477ac7858352915fcf10c70adfc9f0a94f2000000000e8000000002000020000000446e33aa5ea68abd503a795de9d67279c35e1cfd399283032871a75f5d7dbc8390000000b4543f46191dbb9fff07dac52fbb5f4984058d0a8996d4c847e0520c9f15a167f94b96282ec94cd11fa07f6fd5a1eba63c79110dd1781a99db3dd231fc98624e25fee9face36fb11c4c63b286d13ebc57463e0651e25aaf21ce4a5d7b21555d4b5cda778d61abe99e734aab351f606ea2103e45d39b8040dd3af2fb076cbd9acfca67ba369deaef16a6fdef64865c23c4000000091e07f72659db0cab5e0b957d7c9325233145b9910a12a545486bde11f4e53f9dc8771a2ff60ab3352b44eac669386297c13c62fb0ca481f9c57091b3859b641	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6E431B41-1C6E-11EE-8E5A-CAC1EC3252FE} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395462086"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4e20c56306bc849bbbf82eb036fcf6e00000000020000000000106600000001000020000000cc2f97270d234a70786774f502d1dd49c75fa0efe32a0235bbd799eea02f5b8d000000000e8000000002000020000000d525e76983d4d544bc9492f72c7db4709ff9d159c8bdef3e36904cc239a8ce7420000000573544cc27182684121f20e9a82f297dd56c23bedb3f1035a8ddabf3a7d9730840000000dfb91a77fb38b6bf03c3963baa3ec874381e104c48559aa03712d3833d84443c4bc029cef498025fa1facb5c6438aa20d2f68557f376c812ba9bd716fc7fd1a7	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0058ad437bb0d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3891603265-141683679-4067940827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2180	2068	MSOXMLED.EXE	29
PID 2068 wrote to memory of 2180	2068	MSOXMLED.EXE	29
PID 2068 wrote to memory of 2180	2068	MSOXMLED.EXE	29
PID 2068 wrote to memory of 2180	2068	MSOXMLED.EXE	29
PID 2180 wrote to memory of 2268	2180	iexplore.exe	30
PID 2180 wrote to memory of 2268	2180	iexplore.exe	30
PID 2180 wrote to memory of 2268	2180	iexplore.exe	30
PID 2180 wrote to memory of 2268	2180	iexplore.exe	30
PID 2268 wrote to memory of 3060	2268	IEXPLORE.EXE	31
PID 2268 wrote to memory of 3060	2268	IEXPLORE.EXE	31
PID 2268 wrote to memory of 3060	2268	IEXPLORE.EXE	31
PID 2268 wrote to memory of 3060	2268	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e52408f4cc13d591ad1db95147ad8f0

SHA1
921371bc71a1aca73005bff20ee6842b3b0691be

SHA256
3239e7c5f1ae3695cf8ffad4ad970aa98f09766e28851814db20d7f6c005bd78

SHA512
9ee7c887c1d8dca2a18650cf8595ea9c77fdbe0d9a49d4dae1a20c11f66ee2f45ae251827ba389e48d29949607bc42f10060728e51bfdba91a16ffd2943dce24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc8fd7986f6fe37114137c1c67ea832a

SHA1
d7ccc6974876e4d3db1ea02344b45bba101db859

SHA256
61975db1b8778cd70f803552f0e701cee67314bdb6086fc2fd37e2b4f033b2d0

SHA512
ba9cd4110e839b64f0503fe5a65b5b5ce8213fe82bff35fccd943f9fa053744b94fbccb3d85e09adf07f4444f71add50ece67b2972983264112a4409318764bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a98238999de242b46f4a0a89bb7ca4b

SHA1
6ce4694d9fedd059b74efe1ebbedf8ec7941f2ae

SHA256
af7d10131829a99db1fbe0340485bdb22a319ff3315024a4ab52351d96f2e017

SHA512
0b08891a60ef2cf73a3728bc96d73cff403c8ec23a377a9a80e3149314e3774e58bde04ee6c2bf37155ec59679a3d8c26051382dec31db69ed232ba4c49df5b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5254ef4becc96d01ac7f5e6fadb19c5b

SHA1
3c6f1b794effb12f9955c6f97df5cffb4990984b

SHA256
e8bb0495f8ec37eda7221fe50012a14c2115cefe6b5acecca4af682a7aab746a

SHA512
d0eb5f50235de5805a81700297c7ab12446a852b0f9d93a4868a854be5ec5af335e00d8ce603520c4c46e2ef01e70828b46059bfd290476691ad1ec5434a848d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a557c179099937aa90368e1232856ce0

SHA1
6d711eac96f4e321865b0b02e5467b2c2050498f

SHA256
0cab647a1077ebd9f9d1e074ba179155de1c6f33e7737c728fd49fca403b0c60

SHA512
9aed79447fc3dd652111531e3b369e2a977a7c82952eaad2133a786ba92b7dcf94076babd5f11dc4fd23f25ab2281f818d490b7f26e36758808251940e9a37e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9b46bd12bf84974658ee25bb82d490b

SHA1
913dcf57208544dddae4cf356280b465db667b38

SHA256
f94c65c90b25d81db2f7c72fc9d2e407cf93097ac8b9480bac482edcb7f6184b

SHA512
abeae7cb4e40677d1413f7086916509e554b441086f4b3fc0643d70bb60e365ef05afc96983eabb9662d9d1ae8e0d90ef873ce6296cd4a147286fd9aeb96d5d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fccfec645fdffef50ed810dbe0dcb492

SHA1
607982f2e1df3dfa4af25a031c2d9c165d9ebb24

SHA256
3b97759f03f302aceabf3829f5dfe57ebb05c2f4833f3f6bca747c986deed9e7

SHA512
ece6333016d0044e0545fbb048d192669547622f51f5bbe8d44199c763c970cb42a9a0811ad89c33314150fc42824d365f749ab781544f3704c48b5ad6e57bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc0990fd63380cffefb20fce35b90324

SHA1
7f2543fa2d2bbcbe0ec653c86c9994fd1b098a80

SHA256
b8f965c6f2f1f30f3282656e6cee829ad02e716cbc13b6dd65e9380370ab191f

SHA512
51cb226189880080d2c334b6db8a849d7ce83b59a09c57c79c1a3c57b4e260bff7f84939986be36b21716b8f1d36390264ba85429727dfbfe36ee3293943dd7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e96de4519b95a410b680e83d74563c02

SHA1
da657ee3878728be623737d509d717af15bbed66

SHA256
ffc8afec3511db8e5077d3278ce03d56226be396590febaec468757b7d8a201e

SHA512
322e258238cbaae9565d5a368b3fc527a9b71c84b2e4f1aecd40508ce12d1397186ad13277983509b7636383a6603eabe34ce9f628ae792731c88d43e0a6a097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DXRMASGZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C43.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D42.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0BP6NV66.txt

Filesize
606B

MD5
451106179fee86c7dca4d764f5841501

SHA1
dea926c206953b9c299598cb86592f58550e0ffe

SHA256
b60e73e5b7aa71e6de8dc709ed308ac35a105ee11c31cde908062991b66442c9

SHA512
c1595c660987d77ce355bdcb711610e76371b60a5326429ee2d3acf216883d2a6cc6c7d60cf0b36312486544f96bc26a057c450e4f7fb64f69fe1f43c73062b9

Download Submit