9fbd2943a668e098f3c8b06cfc567c12a99c2d9d30c1df55b87ec4e4b558f033

Analysis

max time kernel
100s
max time network
138s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

help_screen_font_specials.xml
Size

824B
MD5

7bd3ee44447f3de2d3c88e4500f68e49
SHA1

7773317c60d15f947a26965442fcce026b94d241
SHA256

35c156fe59fc23c9a7fa08fb9df29cdc6a7cb7c386c8cbacfe9029d4a4ca75fd
SHA512

28ade6e218b050abcffb13489df446818e75cc875a5ffe07e86134ce627d9c8b79c18d4f6654cad1dca502a883b184facbec67692839afc6d8478f667b23e7d2

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{653D1681-1DD2-11EE-8165-C2A254DF4AC1} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f400000000002000000000010660000000100002000000052611bd96abbc7cbdbf648af98d8682a6e477e627a92c8c397caf5492412d858000000000e8000000002000020000000199afc93c83e9b9d58a6bfb64de9d1e782209b512eb4f99721672a9a68abaaa020000000654a0878ba116bc347135c2c93bed6acb181549a4d78a3363a837a6c485cc256400000004cdb1c2dbb7f61dee9621302d467aefe35e69475f3cc3272f83301aed671e8df833ba217738f4b3a8c633cf45ea42d9e717b94078bfe39e123b5578969393b80	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0acd43adfb1d901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e9b4fd3e4f8f414fae099af533ea5f4000000000020000000000106600000001000020000000b118d5d136da28b6e33b823813fabe0410adc2f4b501b3dc22070a457c272a10000000000e8000000002000020000000957f2154a975f2533d00ff69f9aa6ddc4162a3ddbc6beb92feecb26585dd33b290000000da678e8bf87b21047e2a771552e84d9035650e1b37b0164e4e0bb7aa0a63aa9e90fae6281f0ad113d250e90fe15be4e98de7a417e32a76c0939dd9f0c013c37e4e7597e9a38f35d4d642e26c6a0041bc74f1b4e031825e65963fe728a4c5d13d98be7ba721db356f233b974a045be478af9412ce72af7957369b3926d48a36219a67bb816b0134483c72dfbf2d4129ea400000008d58c0bdb45b4ae600b5096bb80756d884656b6adb28491a9b9c7b9575f85c83838c6d72cbcc912d28f13403d104199dbe7f551592e57fd98027a8261a841bb5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395614972"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
752	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
752	IEXPLORE.EXE
752	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 3060	556	MSOXMLED.EXE	29
PID 556 wrote to memory of 3060	556	MSOXMLED.EXE	29
PID 556 wrote to memory of 3060	556	MSOXMLED.EXE	29
PID 556 wrote to memory of 3060	556	MSOXMLED.EXE	29
PID 3060 wrote to memory of 752	3060	iexplore.exe	30
PID 3060 wrote to memory of 752	3060	iexplore.exe	30
PID 3060 wrote to memory of 752	3060	iexplore.exe	30
PID 3060 wrote to memory of 752	3060	iexplore.exe	30
PID 752 wrote to memory of 1444	752	IEXPLORE.EXE	31
PID 752 wrote to memory of 1444	752	IEXPLORE.EXE	31
PID 752 wrote to memory of 1444	752	IEXPLORE.EXE	31
PID 752 wrote to memory of 1444	752	IEXPLORE.EXE	31

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\help_screen_font_specials.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:752 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb3825196b325f3919a3f920e5ab3465

SHA1
7826efec10edd9bc7951e5c58001dc23462f3a2c

SHA256
8a8e3714cb8d4840e2eb1b3037213e91599cb21dd350ab19f74a86cb8f71ddf7

SHA512
c191495a8fcd15c4c658eb5df0fefcaf126d69b09484b434c1e45bf0a8473c3f743695fb99996b0b82799e7b076474d86e01a3d3c9b8b17d9f79160cf5f9b19d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56386b4019d2bb31af9b0d4fc56c8ad4

SHA1
af2bb567638b9bc058e2260ad1f20166515f28f7

SHA256
3aef6df2e945e83a0f318199bb665c318a87050994ee281a56e9115c3dc2ee1d

SHA512
2d16f4af44450d50c4ca3bb1e8e27cf2384362a2d8d38f3f04af296637c54b900222c2a28c8aec59cad2850c00d8194778e9df0177223fa7e91b6ad8881882ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f993dc126254d01e37ceaaab5020007

SHA1
ccdcb8e16fdec0b377f7e000dbb332e618208bf2

SHA256
05e5de4683da571c785daf971e63f2cfe3aad4eb6fa919cbf32d97027e7183d1

SHA512
d4bfb553d4a94b2634baf5770555c887f7e48f910e286c9ce3c9cbd84438bb903ec95d47a1ca0bbfad820f27923d9da9818c94093886610def1f3b28a0eb7662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98b3e523ed8c641bd951f5f3f820e612

SHA1
04651d4372e9f7c28f92bd7a01fa50fbcc304986

SHA256
6e96a62631f0216861ac6d4bd4e920595f40a663ff73c9a859aed399d3d2e247

SHA512
cea161b76a81b27d365c864a19a47f1c07b489741d7c7501f9e93e72dd3e645c9c91de96d3cfc58483ca4969488c21dc1af74299235aa8ed5209f7397d362ab4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
097e3b8c3e291ed17ef7a84b1102d899

SHA1
e003569ef1ee3104cda30c896ed2b7e461cc45dd

SHA256
a109cd9274252015cd8618b5a7e5ea0c11a5e880e48a119feacdfa06bc8876d3

SHA512
da43b58b46d0bf4a49de8c92dcf02300a24baf22723452c97fc44905b58c2df81e51f10add71ec83a1d9d9e1b35b1024e8dcdf50ca58efdc881f989a7124dcf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02242b23a2bca5948243a674772f9d0b

SHA1
bb8a9fe3011a03f5dd4f263f5116c24c0ab352de

SHA256
457c20d852ed529432aad44c33ccaa87198c85bda0895f7db98ca6d4ef40a841

SHA512
3b7c81c67146b4147b503c9464381910e514d342661344a501bd7ec65f243a8e563365c70d12df0f60bddfb9d7168caac7e0e0bc85565c25fa7395c7c02ee5db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92983ab19d5394b720b13f9a6244cda7

SHA1
4fa39819ab3fbda5760c60041770a098de7e4ef2

SHA256
f769eb59cbeda135ae03d8757a06a5e9021a9f58334ef1903d2f0c8e3024eaf9

SHA512
3ae9cb0de56aa249a0d544934ce0345fc7047a8fda32ecdbaf7f9cc81e455467b18b868f9cc11b4496fda0c8d4f28a5b0ceeddd7c23d3f928a37dcf239a5c7c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
71b880c43ab9a30f83281a4b325008c7

SHA1
fc8f32c8867d854aad963dd663d3d02b86683292

SHA256
b60ecf47a69f2199bda755a4c016ed3d68cdc536d6bab19862f17a2fe39a65ef

SHA512
26382856179dc184de7241ca9a39ad2ea74cdf45978d89e612b4ff4522dfd87e8e3927f0f19e3851c1fa73b6e5dd771125fc7ddf5652192c68c1fdb00e597715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a070b133a8fd11ccd86bf818e0160ad

SHA1
de2613ef19f01daed64d25e1721f7364f3157c29

SHA256
d502aa38e4028349a7dcc73416070d5d7bc9ce37f952f64ce15d515aa7c820be

SHA512
ce441f4663e2f10c9e9cfad3ab12afe6f374c048a80aa70797bc59408cd305611d1df75d8a93860e4648d4e807d87b617046aeecaa4328335e4d1fe822ac2e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GHQOZ3XD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab57B3.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5854.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MK6Y1YOF.txt

Filesize
608B

MD5
ba901aac0a9d5e02e50753c3a9956824

SHA1
3177c1d24e40a89037afda55e4488605fa54f9a9

SHA256
fb068aa1265008b592529d745abd9944c62756c9f27f8bc26c99e7ba1d6f33b4

SHA512
502caa1d7e8f2cc4c69f056f77e1eba962c6316c67c6ec8eedabca0bc2b974fe10780e14c3dab351c1f34a7e20d539ec5b7a3958bd97bac4e8bf2f80e646a6c8

Download Submit