08b9beb19ae13d5ac677b9eafb33d1cc0aed628818a70ffa05ac1eb8d6ba5e22

Analysis

max time kernel
134s
max time network
142s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

settings.xml
Size

2KB
MD5

ba17ade8a8e3ee221377534c8136f617
SHA1

8e17e2aec423a8e6fb43e8cbe6215040217bb8a3
SHA256

ce1db1ad8a9512073164e3eccdc193f7eda036e1a9733caec4635de21b2865c8
SHA512

c18bcbcbd4b9a20a72b1a934d70db1eafef047f34f3ba2c6357d8e3afed07ecaab861e5571ceb58c22d4d3e5ebb34b51e366a0553c3153fbc263d1d80472e297

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1CDBB931-2167-11EE-9864-F612EC4A90C2} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396008699"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103ecaf173b5d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd6900000000020000000000106600000001000020000000ffcec9586cceddaec5babcd088741ae0c732938e226a5385ef4f21baff9f88ef000000000e8000000002000020000000b5259f706cf0361c8309115598c7e0ccaafca9e6093419504b7c91917fed822a9000000022539bed7bb448c8d250e939234f747eae704c3d9c6f9789d088c5bbacc0859082017240e5f0d8eb20b0e87d537f393d3053cbb1fff070f13c100d97208c01ae9992cc84ff4c5b7e38bb3aef6b135a0f0523a6f18577b238cafdb75aa006e88e25144cca8987245fef51c834a207c911205e89bd8157b9440867ba9521550a9bef8132e449d1d7168def630db49bbbe240000000cb6e3953cc3f5c6400599cbb26c37539c1c8af62075dba4ddc76bcfc9750e48c12f81c929499046931b489cdf1379162cff2ba4eba93a5f1998a8c882571fcff	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd690000000002000000000010660000000100002000000040f253e652b6a3e52813c5fc929e07df3d39c8f8e93d7d23fb54ba3819f300c8000000000e80000000020000200000009f95cc666d5c0d4fb9ee08e6b939ba1e190fd5b598e830838dd222c9891b15b6200000001f923f57a42626dfe28dca5b7b5129e900be76a230a553d757085e8993e95d8040000000f54c1a5a6ad218e7bc462fe93e5283a7071166060e1d1eab69c054f698c5facd1041162ee33a757b4b696345af81cd1d2beb6d6efccc3d21ccffb3b9c2ba6232	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2536	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2536	IEXPLORE.EXE
2536	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3012	1760	MSOXMLED.EXE	28
PID 1760 wrote to memory of 3012	1760	MSOXMLED.EXE	28
PID 1760 wrote to memory of 3012	1760	MSOXMLED.EXE	28
PID 1760 wrote to memory of 3012	1760	MSOXMLED.EXE	28
PID 3012 wrote to memory of 2536	3012	iexplore.exe	29
PID 3012 wrote to memory of 2536	3012	iexplore.exe	29
PID 3012 wrote to memory of 2536	3012	iexplore.exe	29
PID 3012 wrote to memory of 2536	3012	iexplore.exe	29
PID 2536 wrote to memory of 2800	2536	IEXPLORE.EXE	30
PID 2536 wrote to memory of 2800	2536	IEXPLORE.EXE	30
PID 2536 wrote to memory of 2800	2536	IEXPLORE.EXE	30
PID 2536 wrote to memory of 2800	2536	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\settings.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
625568ab28be91be39e4161cebfde1d9

SHA1
c748ff5866594c0a0eb00f4402fc32374e24f67d

SHA256
60a78f8c8955072b3971e2620f99711a8ab12a98cf72f0a0a7d30b45accba4ab

SHA512
bfb26d2f57b91f1aac9efbce48b0a5bf66b8de332a8fbff8d933630dce45b9bb86cd72d9555a73a658876dc4ab997e399d8b616e95da4cd0590965a9ac986cc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2aa2978401b897ddba08ec6f962416ed

SHA1
94075ac38e5bdae508cda58bf9c14c5123849e81

SHA256
027ceac801621f2553655a87e219007b7e768411fbe5e3f0daa3047d1b7b849c

SHA512
ca8d1eae9ec71dd3bf090298ad95be8ff6209f0968b2a17d49d9444d5f653e29a6bc605e3566b3e962890689e42527cfb36c71d8a9d93263e0dcdd712b032ba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bd4890bf9bad2b2b991b7e60eb9f550

SHA1
b051ac15ff99a86ea8ccaee4d2f3a9f87cf53504

SHA256
3b32542544c89018305985f80be2d5facc2eb648cffe9893b4a0b42ded96c8bc

SHA512
baa8de5f96dd86e463a218e66866d6088a0a11b416aec7621230fc9304bfea0e70c9eca1fdb5c246cc0b53d79802bb9ec1de6fbf838cfb66afa127d94ffc2cd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffb1c4c67f40eb5f2a458559eb21d1a2

SHA1
4262890ebea83f8c311fb1c0b59bec038a0cd3f5

SHA256
735db75cf0481175631cc6c579d81bca02d4d11682db6e7d324041b72fba0e96

SHA512
ab896a8a5b955a03e3f7e511952463f467bf0786ae88f33987da58872ced5deaffb4e6c3a4e04134655cb91bc3d7bcad7f61e76f370073649d5500eba50b4472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0193f924138376c914770fd69d43046

SHA1
8986888839133ac30b60100493eb257f3d702f9d

SHA256
dc0dbe5be9114876309cfc3ea6bcc9395372f10477e500fee5e50b0df0d55c96

SHA512
6e88886e098aa3f1092ae77037ee99beb314feda7edb4911df1125043d8258276b1089257166e462817b7968e9f9980447d682e1afb94fcbcd51b0f5df5afaaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a561b7d5611428f675ef7dd7c73781a

SHA1
108dde956a7b875a6b7ca7e480c77f7a7c58748d

SHA256
c436e152164a677b730303684b18d87eb29ddd881d6da8865b1c07417a9a653a

SHA512
7d95a9f4ce9cb1a5afbfe76391ff8758cc4fb4551d20b1562883da10df6a254278e7ee684962f1309fc4bc445319d92552ef45541ae07493594b0489e55a5d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
191023073efcb8e509e2b2237bccee26

SHA1
1d98c1f9d79cdb7c89695eb5be04c865411d5225

SHA256
02ae2c922a4e359c43104dc5b916dc46b50199fde06a502666fd35a6476fca35

SHA512
c2c7c00c56c9876d1fe77a5b5091d29e49742366b3004c86c3cca96c79a9a8ab002f9faf034af80c6d79b33b28818400a43227b7b1bec31cc3aa97b9f4004ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abc436d855553e3e2887b144bbf3826d

SHA1
f5e700fd7bb58d9153bbc597d7fc37b456bbaac1

SHA256
98d73bbe764a888c3a07b1fd0a64c914e198ad610730ba60ed4d020099b73892

SHA512
7380167188ce38beb87e89a4002778cf2bd66cd178305671af517928b02ec5f54fd2cf6d326b9546ec7927abee8fbb0149eae5f2ee06d2f88191cf8c7316f371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
887e578ee4cd967d6032e97f60ae7486

SHA1
326ce0a8357fb6c67a6ec8c44bb497c6fe195cc2

SHA256
5487b1aa02bed14adc76b0a3ba7b87906608bbaf85738676586065e2350be65e

SHA512
9a920ce099be3293a62aab955c5910ce38b5139105c8e9b111d7c375f8aefb032ca9637fb074fe4258ddb7f7bba1abbbdf62ca9dc80b5095c6bb2da62d5e1b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90a948c199ce832df3b14b801caeb3b0

SHA1
0873b45a54d983bcd8c0af815cc7a9106aabe46c

SHA256
e8c3e20dec7c34a618b9e7a0d67269441415c3ceb5ec40d04ca2a7328bb482e6

SHA512
95b1cb3058473073a067418671b86b5bd7b4c61173257018343496e7b0ab231082e9d80a5d09f587be9344102be04f25d167efdb936b5cc7b2fa68a9490bf2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\977QBXKR\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC12F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1CF.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2WM3IZN9.txt

Filesize
601B

MD5
e78c192afa2aad9c3624af2b335d0490

SHA1
b39f7f14da13186e6b146c35a19a521b2d72355f

SHA256
7bd24f737561dacf502c9cbd16bd5bcf4332b2c900a10b3da58c5053ee9c79ae

SHA512
c6473d1a155c773ce42383e898466944561b6ab35176297dfbeaf16d1496042c0656a2297ad74f188e9360230226e05bf5f82c6bbbe957dbc1ed4310bcee6f8d

Download Submit