08b9beb19ae13d5ac677b9eafb33d1cc0aed628818a70ffa05ac1eb8d6ba5e22

Analysis

max time kernel
134s
max time network
147s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web.xml
Size

18KB
MD5

08101241b15b53ef0ab908f6d388881f
SHA1

ea3e2ad6d71d483c54b12852dcbdcd0baa569988
SHA256

15a2c7a9242bf54d3ccb3e07fa6d8f84ba8b303d8877243787a1103009941bdb
SHA512

a1ee7f17bb069ac42483d1f98ca839ff1bd06f3fc15cd379dff4aca3732a5dac24dc17e15acc8f8fa39e60e186219f4fd70664f9ea284002274a4ff8609791ed
SSDEEP

384:lJJuAr8F1mJ1ayCk5+HK5YaW41DBWTwa6st/tlLvSqwwU4FVXaS7L3nHIXYFXc//:jbpJi91Xbi

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396008701"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae000000000200000000001066000000010000200000000620a3bfc0b1a69626c573000b8f6c60c45a11f063c7ade7318b187e05d32c1a000000000e80000000020000200000005ffa822f06e03dc90f2b5aaddab92185c8f3e0f1eca9e7fb2eb4edcb8fadd97d200000001ccfc1568394ca06909216f50bf006c19a8a1f03b9591e4b07c25d27c79433004000000085c9c9b829241a0a7057b52972cf3f13779f20e43fec5a60aa16fc95e1e78d7b2579e19ddffc3dc27d2ea0d5509f25c0f28820658d6760f7b69b649df6a60a6d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03668f373b5d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015e49348610e2a42ac63317e6e4271ae00000000020000000000106600000001000020000000792d75275f169f730192cb584690b0418a624fa248ab50156eedbc40afc983a6000000000e8000000002000020000000d327b5cd97e592434a5df8762234c2aec041b5e3f02698f821047d34835acd7b90000000083807626f9fab425675fc8840661f9d887d95e2422f1fe67d0b3619391749c734801edc007fae84a21751fa2e34c7de1d1fab226094dbc35dbcae6b32e1764250b0690adb29534b59e5df43140036ca9016819313ba22883303624b9cafa9bd9e958ec550ad10ff77017195f65bbc571bcb00196ec607ea17e129e63e91a15712a000e5d69d51f4a1a022fc4f41ab44400000001f87b3792855c88aaf998caba05cc6ed9a706dae1d29593fbe4205572a873c2f96dcf91d9809073555c7a030f37c11c46bf59848b639cae9ae51be38f4ac0d36	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E55F551-2167-11EE-91F8-F2F391FB7C16} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2896	2668	MSOXMLED.EXE	28
PID 2668 wrote to memory of 2896	2668	MSOXMLED.EXE	28
PID 2668 wrote to memory of 2896	2668	MSOXMLED.EXE	28
PID 2668 wrote to memory of 2896	2668	MSOXMLED.EXE	28
PID 2896 wrote to memory of 2372	2896	iexplore.exe	29
PID 2896 wrote to memory of 2372	2896	iexplore.exe	29
PID 2896 wrote to memory of 2372	2896	iexplore.exe	29
PID 2896 wrote to memory of 2372	2896	iexplore.exe	29
PID 2372 wrote to memory of 2980	2372	IEXPLORE.EXE	30
PID 2372 wrote to memory of 2980	2372	IEXPLORE.EXE	30
PID 2372 wrote to memory of 2980	2372	IEXPLORE.EXE	30
PID 2372 wrote to memory of 2980	2372	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\web.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fe369c128a5ddcdcf3e401d8cc1a6fc

SHA1
2ddfbe4222a99c9b2ba2f2fbab526306b7c0b5ce

SHA256
3c59a5f2e0ae48b3457c58c1a9430bfa4ba6e43164023ebef8aeb9e14deb91d7

SHA512
e58ee32fc400182f11d86d30e0a2514a6b774431e89cba41fcf11253f5c5c731c4cfa3312162b5a427fa069b7f35180cd012466428af468d84293a5ee96d0c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69614b1a688d2a10a7bd3ffa07b015fc

SHA1
9122c12a6b600b6186cc739a8708456fc65d10ec

SHA256
0ee9f25ab6d046bb3c450b845c8bd50ee74e5f1c6a1a4529e819bcb30e019d54

SHA512
5ccad326e374a7318d95381593eda9a44413536c37c837c49cd49a7444da1eff80bcf0e124f363dd7b3f2ab1290315866ca5bf39f75f4c7c5af218fe6d58b956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35047930541393e9cfa9e51c61c38ea4

SHA1
afef7c8aa5ea464c561f43bba617fa8f452557c9

SHA256
732f2adbb794f8371fa719fe8321d752cade46ecf5cd1f725ac58f541c2644ff

SHA512
bcacfbf48b05030ca0c4208da72a3544f7b6e4d3cd191389542d4154f11bd33dbbbe23508b836a368ec9ebef0a98506f93b448d59b7de63157e7e3466b34ff30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01773d9f8534ea186d9a3442a12e5f66

SHA1
0c9e70d3a936b8e58132c9bb1ba628cbf6d0770a

SHA256
5164627fc9ecef7a4d9c50a0e2222196e5952c04c64f4421b2f506808f787954

SHA512
7514bf8d9855371d0282613c0f631489fb96c5c94e7d7bfc12a64452ca28567a5508fcd615e82dd487c21068b6640efac849645a09b2d005940ba3c6bd51a762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a1faae9931a4b797558328a7d682842b

SHA1
96837b7055eaf79eac57e6c0434311f6de37bfbe

SHA256
9a10946fe371b41467baf7464e5866d64fb30175027119379f3cbea32d4c8bc8

SHA512
dff62b091fbd1088e31cdfd1a374088d1449092dc95880422907b52c27026baafb76028d79a06c16a6b02e3dea63016e82eed555e6d13cb37e63ac354b10d2f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc525f73b0c41e51d7e53e94131c9bd8

SHA1
c36430b7692fc71566cb1f0021012b267172ff19

SHA256
003fae203d9f3fe4d8668345142517e677ce2f6873e4c87243737a8743ca0092

SHA512
93ae9cf9dcac9a16fb906d790c4208be28421b18e5b6360d5688d4ab625002ea8ca34baac95e6e928508b3803a5f6ea1d7c72b18655e6728c0ad65fee53f9e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b4a721697ea4275361b118e3cedd408

SHA1
d6796efdfcae383a6b8724fa160ad0833b152b6b

SHA256
9237f8a70655d01e3ce389a1f53e8af73588fc2b254b1b610501718fa873275c

SHA512
1687b16b717403f936aa1f5a79c44c5dc15b524651e885be0196151eb2d9edf9c1750531861b64ca68044dc8f6a594469e2b8f727726c88886469a8ae7c7547b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UORESFNG\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFC0.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD07F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B1M9HCXR.txt

Filesize
603B

MD5
70e14827ac5b69eceecf336f0ce5c418

SHA1
eb89322e10331dd8bba39642d1b73471e0439917

SHA256
6cd97cf02e937be8290b6a89e3be977ff2a13f1de6ea932510aa3594d0289029

SHA512
8a3aa6f1fc82d21b0bafeb5f9d2e5ee60b96d6bc0a640ca1bae6518d61be0fd5caf2024d56a06a5db1176e237127df3011ab2cd72e074cae7b587d8be739bf40

Download Submit