98e176603a5ce4a3f16fd4c952635c663061a73c6482a8ea25f385519e71691b

Analysis

max time kernel
100s
max time network
134s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UuuClient.exe.xml
Size

614B
MD5

8c33c8af4d492ea3816643ee506e6774
SHA1

d1d78c4b4a45cc8549cb79134fac79bcba1f304e
SHA256

8841b21c5fcfb1a27a40d928dca98c6fcae3528202e4834dd9431fb80397f649
SHA512

64245aa007c400ce37c39a2defa9cd174bb588e6a1971fcdd2e14ae3f87ee6024df2ac421b11ae2d07067ebe8535086341538d5c59e5e2b7b17ab196380ec696

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fe8893ddb0d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ab35dbc53fd45498f88cda789e11c5000000000020000000000106600000001000020000000adae021f0ee2b0535c7f8df08e2c9f465d5185592cf2a2c6b86afbf60778a4ea000000000e800000000200002000000079e7e7a8038e4f42d2d6d0b7d7c00b7bf98074f84a07893a6e00a7ff632385a8900000003cf13286f614daf7e78f2ee4386b7540f81be240872fb0ab491d63b8c74c01dd7bd43f5eb8ca0cb15cd3241b16f674bde3e003e28a5421464dcb3ff9b97616cc463b66b19b6554241322b5e93654e687ef93e37290e371357aabf46f46966a31ed62bd64ee61fac3d068196416d442b4335c16e645b5d7475362429fbec15eee36e75756f4af1b5003ec89399d5ee0b5400000002539539c99cc838212a4a36af71cb5a39b907ca3911a811b3c73ec6fc96e626306e08557d8a8e31a094b8420b09cf0ddd9ac94c3afe16b9ba87166db9615d50f	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395504311"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE4A74F1-1CD0-11EE-A014-D6EDF4D42B4F} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ab35dbc53fd45498f88cda789e11c5000000000020000000000106600000001000020000000fac913b60d3856085a2aad9156d9c8a786f1b98274d79b860ab039e9486e27d3000000000e8000000002000020000000bf8050bd7207adec8b80b45976a502ac26fffce6ba76598755ed515653202efc20000000c554f4ff7a679fdbd03b5b65c3cf3db2d219ca35184181f48ad837d9bd0fccac40000000a4643aeadae3bf691b6e302d4ee095b3186755408dd45ebc235b104914afbba7c08f4c8bf538d5e6af5e88d82b45dc04a46169e00e5430d27d8f7f5a7d959a6c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2859459355-424593036-1984306042-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3016	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2008	2964	MSOXMLED.EXE	28
PID 2964 wrote to memory of 2008	2964	MSOXMLED.EXE	28
PID 2964 wrote to memory of 2008	2964	MSOXMLED.EXE	28
PID 2964 wrote to memory of 2008	2964	MSOXMLED.EXE	28
PID 2008 wrote to memory of 3016	2008	iexplore.exe	29
PID 2008 wrote to memory of 3016	2008	iexplore.exe	29
PID 2008 wrote to memory of 3016	2008	iexplore.exe	29
PID 2008 wrote to memory of 3016	2008	iexplore.exe	29
PID 3016 wrote to memory of 2928	3016	IEXPLORE.EXE	30
PID 3016 wrote to memory of 2928	3016	IEXPLORE.EXE	30
PID 3016 wrote to memory of 2928	3016	IEXPLORE.EXE	30
PID 3016 wrote to memory of 2928	3016	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\UuuClient.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02b86f7c00949e5ba88148d5b1a9fb97

SHA1
36d1a01adfa00a0bbd620b8f26436b490efe1a96

SHA256
f7b0d36b283e85f824c5ecd8dc2b671c8d7b65430b52eb2145163f1d49e45d5e

SHA512
eb1cbfa11f23463f9a60b88af3be5f5c4b9d0f35941c4c0779fd4caf0358aef44b4fe7fe9949188e086557ad32477cbd27dac395e8abcb28cba70edf931c89cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
318048db89f0fd1eb3a88a2c5f45abd9

SHA1
db853dd7ab83806b81dfe1320fc30f2bbfeeb6e7

SHA256
3dd4f29a60cfcc29f295cb08b6a9426a283a704e94d456c03b74aee7a8eb838a

SHA512
1b0ec6692391e03fa0a9724299e2ed6437e4d4e09e690d76c03893278eaa085217830563fe74b79f42df1af60c082f16d352cffaf7519440157c7728d8616802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
669c19eee15b58750d78c43e6293ae65

SHA1
1201f897e0afe6913928cbda369c84a8b242ee48

SHA256
7f7fe0ad27a8825644f94990bd7c8b20ce13f611dc8889d7035eae16db528f5a

SHA512
a7974d7f0ecd3a86c65994e1ac808457cb9fffe100415441c5f44675d426e9aa807a2d1ef990f6f7ecc50cdc00ae6ffcc7361dfe33b5cae974376b951ea163ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96252600fe04f973753054b57d58f544

SHA1
191f24cfaa0b3e3fe02f53004cff2d1246f42ab6

SHA256
8bf8fe7b75bd5a52581489ec68b22bb51bf943fb0a6b0116e46c67205917015e

SHA512
e6887174c086713ca3b966cee7555ea7461928ccdf56651828a7319d4432a083b5ad03ac7b4e74a62e64e6ab6740571824dd8c60eec0f431cce3b531f9dbb86f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b66616aa98f3457fe2d17ebaea0bd05c

SHA1
cd4865475858ffedc48b6d70a2743fb4efd94105

SHA256
d0b1b1cb663c3b751f79c3d2c78e38f16cc0c321f91f75ae40c119dade3dc9b9

SHA512
80cda77430ec74d2d1b54634321dab4b8ecc21cfd6d53b83e14d78f34bc8ec63a16f3e2ec176d66e36da7c115619cfaa861d19fc00d7c6e8d5cf03f1578a769b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e057edca1867c63ec6f2f566ffc0ee6

SHA1
7fec980bb5bfcb6a42536893f806d684d20538f4

SHA256
77376cea19d1094983cdc2a7a9e2f8d7c4f0201464f35fa5b9cc3d7bafafe33d

SHA512
2b207507d1b3d495426adbee1a4eb8282a85db03eff360b159b74da5f7cb5ca28b558bba015a1908ac44b8c55bd02e56abebf44474fc21951199ab7aee598422

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5312c65fc693292ffa6644c3c610a1f9

SHA1
2352ad0a385c8331ba80544e63324434297ff43f

SHA256
85532a2a1a8223927e8bbfbec5ad953b642bdcde04c61a796b6debec428b5faf

SHA512
08f9b3010577509a96c316bb57b64bec08e6d1716038cdb072c8d7edfb08458f9eb3d0cd6cf6058c0a53b28e921ea3961697e59dbfeef30b575e38995174d9fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c9c58648308f7b6c58d4768b01d0d47

SHA1
291353a38df4a46e967610ad065d4b0dc83c235c

SHA256
d2fa0dabc93eb7053580927c4061cf1af8abcec5d2b103f3dee1af1fed7c55f1

SHA512
c750bd75b165cee710cb1162958003d708883b329374a35683204fac9c5ca42a6b9c2cc22658e911478f05cd0b140f2c1159e4d65ed6aa5a0e54b0ee990976a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f0b6288af4e1778ce50dd32d593e888

SHA1
99f12751ffbbbeeb612429ecb1c9691b839ff900

SHA256
9a0637e6f298104fd7a50f078132df239d7dbbd5c8248fee6da9cb43d492c51d

SHA512
822ff7e77715ca4887b69b220e0a1b77e94daab445449d762b683be20f3b87138349c9db239298f3fd408f15950f22858a85ec51e6677f5f0e03e20d3adc3328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68262fefc5ee07fb800c968bfad5f61a

SHA1
524a48e42eaf0129a2dce87df61e6b2a23b6022f

SHA256
e57e3dc67ea717fc9263d8014132dea949439bd9984fe87fa04e868b2c807ed9

SHA512
546de26bc966f5433312a4937811e846e354aca48704611a8967a6f35c8b2824e1e8a391c77ce850307889daa7e68b26b98e52ecbb1e92fc1deec2cc82a1bdae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9JJ4U5LG\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CA3.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7CF4.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R9G3LUOY.txt

Filesize
606B

MD5
9cd0385d5aeacb043a4958eed9cb99b2

SHA1
090e85c6e02fef91e02e0bbda93d9085cb61330f

SHA256
538a647d7d89666c69f0a016f480d5dbde6a21ac324487f7b2de9194663a03c5

SHA512
e9d254afffaf2e336c2a5ce65863f9e54f2640eb16bbe6cf0292ec3f0bfc73d149dd01365a2c4c987a5ab66c122b9fb39bf7119296c74028cbc681953883cddb

Download Submit