f08130ff8f580e3bf902eec1400af45854341bbb5ccf00f669092efc76a076fa

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sticker_boquet.xml
Size

30KB
MD5

ab439079d2f44318c52196063311705a
SHA1

34c6e2cd1aaeeb7662af0f53a3839af88db886b2
SHA256

e4baa3e40b4e8775baf2e6470305a1dbfacc8c8cd625d808f9783545fe7b43d9
SHA512

cde052924d64109a60f1bcbab2b7a6ea05f9f5be61b59e1680d78dabf8a42701d53ae42ca1a189138eea8e172e973f1a8e341b38cd09f1709474c892f14ded4a
SSDEEP

768:sun3awcWVqm5Sye1/fnfXHSA9TTuF0ZU/1uPLsq6iygfwE6Ebg0qfZCm:sunGsPh+m

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396328660"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d00000000020000000000106600000001000020000000ea01de6e6b6d278d194b49dab709118815e19a5662df3b25bee5246b980a53d5000000000e800000000200002000000009d7d0716e116d35ba9a5f12b82e8a3150a612d24f3379b4cfe24735e366142e90000000417f137a961b6811c72b032ca1b7e18c0afbf3cae5030b9c1dae187dfbcf86185594064d7427c1ab1e5ec183cf6f437bb73c9f57c30f26be8afd4203d2176004cb8cf2bc1ac0b9f4e91113b7fa56db32f89dee9419a1a36961cd70d00402b8007123281e8d0de71319b8f60a1db14fbf5926c84caca622884472d65a83e2771911b63663010aa075521bc8f985e554a140000000c5d88c3953493fb683a420c691bad6454eef8ab423a6a1b94e07ee3282d5c5a42449d226a21745a05ce5dde71f9f4346bfef57f2b74208277208bef14017c7b7	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0869eea5cb8d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14AC9B81-2450-11EE-88A1-76CD9FE4BCE3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002a91d4b999c9854dbdd04be1b9b2202d0000000002000000000010660000000100002000000075bf2b15f70a199ccda35708d1cbe56456185776e7a7e239aef6998dbb716781000000000e8000000002000020000000fdd96c7a629c6b8e93edd192ea667b9acf64c347c13f35416959415824996aa8200000005f3a65f0e737042eadd9c286a5e94663ee21a553951531657dcd3400240c40b840000000d39f4bab8717aa8aaa5e4ca5ded481baa7a58f0c46a184200f02bd97018d5d2585ee85fa3033a2329cb53cd082bf3c8defca242c2715a8fc949eaa4c28c8e76a	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2920	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2920	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2828	2624	MSOXMLED.EXE	28
PID 2624 wrote to memory of 2828	2624	MSOXMLED.EXE	28
PID 2624 wrote to memory of 2828	2624	MSOXMLED.EXE	28
PID 2624 wrote to memory of 2828	2624	MSOXMLED.EXE	28
PID 2828 wrote to memory of 2920	2828	iexplore.exe	29
PID 2828 wrote to memory of 2920	2828	iexplore.exe	29
PID 2828 wrote to memory of 2920	2828	iexplore.exe	29
PID 2828 wrote to memory of 2920	2828	iexplore.exe	29
PID 2920 wrote to memory of 2824	2920	IEXPLORE.EXE	30
PID 2920 wrote to memory of 2824	2920	IEXPLORE.EXE	30
PID 2920 wrote to memory of 2824	2920	IEXPLORE.EXE	30
PID 2920 wrote to memory of 2824	2920	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\sticker_boquet.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2920 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2baef5fa9951b049cfdfa52016165a76

SHA1
e061e43883bd67d43bd86f555f538f8ecf866dfe

SHA256
f716153cf7123324f4440a511cab460680427eb5fde0b1f46852cdb0bf743e87

SHA512
371f4c1501eddf78e537d88298f4c8ccf6a43d92daec31511c0d5e5983b36f8bdf974f34482ad0f44418e3b1ee9fb9253a5eb9dc782e34f5a3c6efd50a818187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
725c7e03fcdff16c72966abb19d60367

SHA1
1aeeff410fbaa6c21dbd0a491f187831956d756f

SHA256
4498840fe62059669f1764e4b3ce4a676933bf98ecb62e1e7cfca931ab977718

SHA512
f607aedbae9c2a5a7ed77b8ef99dacec25c1e25e00974079e1e94a1c3aa6a9f8876ad0d0af2f19ae676bf6d46bc16d2831de8be047ecd4b9070e49483855abed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42627c8ff0880cb573016d35ab5aff29

SHA1
95f597549fe697672633ba4488c7775b2118de55

SHA256
2e38222f37a0c0a1380dd78b68275df1c2cbbfd2aa974c7b1eaeebdc44764cde

SHA512
70a874b716e4ad56f295de24198cf42ce540fb2a85dbc092ab6bf0d49eced6f4cc1de53223c32d88414f19eb12f34a1d7573ca1cf04a83417792c9ee64186712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3e256c34b8fbcda7de36e9ecddc2729

SHA1
cf668b8ae7f197dbcf40ab35129e591bbf4c9f84

SHA256
981a51ee8686c6c4c179739e9c8964747f44df5155a2d34107ca2c36ef047361

SHA512
6fdc7eeb4b65857c8776c9064820748ef07a9b8f1b9b4221141aed4f0de7fa601538f8d1525061e5ab4a4ca9cfde04b7921ce58abe7db95b4a27b7f06a028af3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f3c7b301a4c052769ec1fcaf2dce0d7

SHA1
e25e842179e17534706a16da18943ee4729c290d

SHA256
56a64f6323f08473ab42c5a53e57755604c6d249f8348d212c60b2d103d964c0

SHA512
3796e58e98ead89523037a0107fa179546284ecd529d66b25e64e066101af07a459dbb8568d7cbb4a423b989e9b62c85a75f2cafb4297d8669ca88d93e6a5f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc7c3198d42105aac304cab223702702

SHA1
069b61b45f6504b2a0be336c83b7a1ed60470a91

SHA256
735d2920fbb7f0142191473a072d0c28535c775e545d0992dd8270bae2fd1ff8

SHA512
e578abe2e68a1d4db2004163833d79f6952d5eeec7faf9b352bed4e5e9af8a3269ad8b91f200320248f0b96563006b0c85905d7761902e9ff5e762f8d1c55a7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
739fa74f7f6bda09a1bfed1cc245484d

SHA1
dcd39b3f3331c2a548d06a596aae46900761f82d

SHA256
9f3c892b08bb443a65ac72062d69c5bc44a42472c30cea661cb6a6a2402d3b24

SHA512
7eb35ee8f251a410b300e729cea523d50764823e41a04d252ecb00b604bb7d3b03c9566a99cbea1fb48a13fb3098e2b811ea38752feb16a401c4057abd328596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6de23637065a7e8dfea023f7dc2a0c6c

SHA1
8465de5ef543533eb7c985719ca7cf57d1a4a20f

SHA256
d27121eaebd8edb429fe9e3ebfdd90837a2634f556119622d0ec5bd32ef6fc6a

SHA512
f044eec56252833c0f3cb3318d16053daf22557542e1315a713699ba7bcb61ab97788a8889f48d78b02c233804916b0efc3f39242cd56a4377f75468b2e179a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54e8c562d17edc4cc1a92da62c8121c4

SHA1
42dbca36ce6c0e13bf3ebf4766994495dce65e92

SHA256
3ca93d42bd15a435fdcb7d264c04fef94cab76d6d77c7f4ae4eaaf939af18063

SHA512
d826e6c55c33e113476325dd3fdd276c8d0782a5350b4ea3a05f8099704792f7cc76bc30ac652bc9629b210be5304f760c0fa5723823692d9ee5fdcf38f245ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64WRFCMO\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB4B2.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB513.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TT8P154A.txt

Filesize
606B

MD5
2a66fc86acc7f9aef198ed06efddf021

SHA1
3e032bace88e0c1a43ab8257a81de6e7916cb9e6

SHA256
6db9c6bce2091fb54f023dda5d3b828d8bd79c90f8845fb0f898497832ecb7e4

SHA512
7abbfa22d22ebc3633a51a3fa35f42c579d3fd5e308e0baa1735e564bf4873260cf3d8be152e80ac947d4fce6a3300d4e3c244937c78b5d313864adf18cff7fb

Download Submit