9fbd2943a668e098f3c8b06cfc567c12a99c2d9d30c1df55b87ec4e4b558f033

Analysis

max time kernel
102s
max time network
140s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

help_screen_font_italic_ja.xml
Size

148KB
MD5

2834463314e3997feb32547200f0661e
SHA1

f9ee1fb8ca7805a76f78e7bcd130fb44993ccc0f
SHA256

15f3c8be102d928a9c256d3a73b9ddba564e0306e8f92f3d7361e49535adab73
SHA512

105d5d8fe38711447697f5c0bfbf3fec2f3e70f79b34478f16526a6632fdd8cb94f4e9be729f4475556492de9dd8bebf59f093ee9b7b3969150981bc08574c48
SSDEEP

1536:GiuaPl/2mWIasLeIHzgsfzDbVXS4WT50E4Mz7buuQWUeXDFgsdyoHVuWE4:c

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{65FB3661-1DD2-11EE-AF0E-C28494556A1D} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395614973"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10de943ddfb1d901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eb4bce00ffaaaf46b42b39f311b0211a00000000020000000000106600000001000020000000ec27fdbec2f959e91bf59364d893fed46259ead2160c9c6c929dcefbc1cc99cf000000000e80000000020000200000008d43e39056b8f2ceacb565517d1b142f9e595be802d2a53ea498b754431b431a200000009ef1bcbd8731dfb6f7a25c2713c03e1176983fea9504b5887325f7a1c67624ed400000006e31871fb643459abd93c7afa145d38cb28efd0bb6b99e4394a153c2cb2a51ef30e2ec83360422dc7997c8e6e0856ac78c5d68b1e285c1252636cd7a3e1fdb79	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eb4bce00ffaaaf46b42b39f311b0211a000000000200000000001066000000010000200000005fbc2bfed3eda83cede1d19fc7905f2a6d9c6eeb36e27a91d0a8cb01d9b1c6af000000000e8000000002000020000000f82f1f312bc17f4d28c388db6568c2ecb6a74c7ed0fa633d4328385537326f5d900000000671b1a91617450e453e85a1917b1c156688d5b798571dcf87bc3ac1eccf8f2ce42490af311fd8e12133f3e513aeb3584e44ef7f13239114d2018242daf47d50f9718e6b968c0f6b37cfc7ffd5828088f51b069d2eee510801d909e39f272967dabc22550881401bb4fafd982d65a93ba7db51833c4311556fd11426d454c9d09e805ae79499f3396741e50c9069a99140000000572b14519ac5662a11ef2a6e33ab333f1d6407a131223d722e4615009eacced4e07c9811d07d61106ad6a9b2628a8705a1ec582e2c8bfc4cf5079ba943a828e4	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-511725148-388773979-2853099937-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1672	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE
760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2316	3064	MSOXMLED.EXE	27
PID 3064 wrote to memory of 2316	3064	MSOXMLED.EXE	27
PID 3064 wrote to memory of 2316	3064	MSOXMLED.EXE	27
PID 3064 wrote to memory of 2316	3064	MSOXMLED.EXE	27
PID 2316 wrote to memory of 1672	2316	iexplore.exe	28
PID 2316 wrote to memory of 1672	2316	iexplore.exe	28
PID 2316 wrote to memory of 1672	2316	iexplore.exe	28
PID 2316 wrote to memory of 1672	2316	iexplore.exe	28
PID 1672 wrote to memory of 760	1672	IEXPLORE.EXE	29
PID 1672 wrote to memory of 760	1672	IEXPLORE.EXE	29
PID 1672 wrote to memory of 760	1672	IEXPLORE.EXE	29
PID 1672 wrote to memory of 760	1672	IEXPLORE.EXE	29

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\help_screen_font_italic_ja.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
315645227a82680c967f4dcca39676b0

SHA1
21bea20f88e14b4070309b29167fe46fd1c45f33

SHA256
5c4b7d0c7ed2a3fb0b76e60e65893a7154c52752e550cdc15c5571a83e153226

SHA512
ea86f99a3bf374fe4a48f9f58d91c20cd6078353d1a594bc4e24249f8a354d9d57d360726a772b2210c8c648ec0312c9abd3b52513da804afd668842c1f8bc26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
251585f9ad214c32050d29ad2f107ec2

SHA1
2057b933b730c06616b11c73484899b19f1cfd12

SHA256
e7fc9f4e2ce0a437d5989f7cfa96fbfeaefc1a49629c91938234b9dd84fa6dc5

SHA512
6894c18f5e019b99c5948fbb1aeb3aa049fb8ecf61b76a0c65497d4b45432b6f670c55acdfa219a10254cfd116a969af618dc4445ac5c29ba47e645e7b00885e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e09cc4b393aeaef870b69f822bfc645

SHA1
04952d6909e221bd92b1b69c04b02afe0676446a

SHA256
34da257eca7aa254da4b81ce0f4bd89c3172421e0a6387ec4e40924f94676ce4

SHA512
a3d2645fb7bb565a7f52e46127166ae894b12e19d09920343c3e854da9f0ac6052b1c49214302d872cb899da05d8d8f0a3238ffcd33a5208d20453bd19d21a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b48a540763caeb261415d2ab04b70053

SHA1
91ceb28504546864cfbf08d3186dc90dba39f202

SHA256
7cf711c5da2b66b34205f7933b49ab94023884e5e141e163f38fc451d1721936

SHA512
649aef7ab1c9628c4262b719ad982d870c9c16baf144802e4db61141c0cd6298e585f94ebaf753187462d9dbb8944706a3304dab8ecede615bcbafe6f043efcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31bdd5583d9f08e90d6fdab7ba9aea7e

SHA1
fdb8fb253c3cdaacfe33e44053697b1b05054d35

SHA256
bf02e382cdb4f16f6070e6fbf57ab4772a41760071c32e90bbec9ddb716c001d

SHA512
5452f951bc7ad397e6fd6d31b368d564df5610dee8b663f172343486b5ad09e4c5c247d09af856827f251bbb868a9fde676b5a9d3a4810d3214064f95eba0970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9315b39d98381080812038cb4bb7ed3e

SHA1
5810a5bba2403a9f36f9e335a5bb418972f850a0

SHA256
83830e92a5575bba0946ff42b908714c97f7ddc8d23009c5d78fa31689e35ea1

SHA512
a6d8341dd29b388fd3789068580700064d216f4404a3e900bc9e815ec0dd36476fc532714b76356c55c4a6e27794b31bf038ca9bff7463540b9e098b29bbfb0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1c8eb152e525c75377407b1530f3735

SHA1
c79626546d4e15351767489255c6e621d8502895

SHA256
556b825cff461b4a54907ba423e3da60d4c68094cdf660e255a677c6723e06e3

SHA512
aacb441d4905f2d53bbb30a3503e62d6f6067564b6046f6ee74513df1ef7d589627ef5fb329206217e675e92f635c6d56b37c121ac544e899bf76f56b9d8fb8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07904c43dd148f4a3e08005ed9500230

SHA1
ad217f10fce3e650b3a33d0b58a1921318e82f9d

SHA256
d2f2c13f6d11e509dbeaa33befca5d3b520ceddc8573ac9b5fb5f2aaeb264a3e

SHA512
e1d397df47c584fbfc3b80c1cf459eec2eb8281aeaef9569bf0617113391b163009fadc57c7ebf4c882320f20e12733a09f72a42a8e657e94f21808b758b35bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4345c0b6faf278800cd707eae3ef8bb0

SHA1
d6ff5a794c60c5aca93cf9f116d1b38ff5d3ffe2

SHA256
f1fd7567fa470967260571f7da5771abf8bb89e791271e98056d40ed6d5a6939

SHA512
1e053facea4667cce154e80d31e1f0fb886a7e45e607f4c6f8a7e87aafb2e9ac31ef7b75cbbd4875e1889d3d05473e5eb898cc3d245a621ed9589841609ddb6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1be0d53e2086d3c44fc0fdd10241331a

SHA1
df57043aa3230d5d7a8456229031f40569609fce

SHA256
4f9e8404676fd890a58674cd6f8b4b5d471d7a596923d767d281d21e0f90e548

SHA512
d587205d8ee0342f75e8be4e96e47f7f837a6013375bf55dcf4fb38098a45d3181f5acc840a43633cabc5a1a05a7f9a018edd1b566b139736029708bb3e922f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d7f0546b4285650493a4bf4b782a606

SHA1
40221981e1a99a284408cb5e2ea83dab60597799

SHA256
5796144d9c032bb9f017f660ae2f9a2afdb4372b81273f23934dd2e0d7be9c40

SHA512
8f147c5e401e2dd0a3cb2706f67fd30cf06004212f8bf0d63cecb9570ef99b338b9ea22e58102d84ebc5c85fadd50f96c753afcfe892cef1bfb2a144655ce25b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5I9HDCK2\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDFF5.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE0C5.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RLBIG2FN.txt

Filesize
606B

MD5
49ca25be7b5f2b0ec70e48e0f28f89b0

SHA1
a8c39aae66f2a735a6e8751317f1e24f43f93f5d

SHA256
234d1774605cfb687e6e709f75c19b387ca138322a2f90adb0b8e3be97385740

SHA512
2d91d1f1701e8f0581db439d06d022f87a148a37d42c71d31922ca1add55194a6ba58279d54c8867b78888236d392338d9a4630dc8f6000d36cb6cffb3083f24

Download Submit