f08130ff8f580e3bf902eec1400af45854341bbb5ccf00f669092efc76a076fa

Analysis

max time kernel
135s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sticker_bowler.xml
Size

1KB
MD5

4b4859eb8acca3cd30de9f1794e3dcb3
SHA1

6f3565a3deacbc50944697fa0011ba133023ff1f
SHA256

e30917cbdaa6e343aa3576a8a918054a51f1b9b9c724b20ec1eb3dab181c73df
SHA512

3aadd471c2320e14baeac7debb12e724ee518e6927f0efcdf413271bcabb194d058a8b97f975a6cf8fa04ebaccc433c749d60409ff6f9aec967c399a3548cca3

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc630000000002000000000010660000000100002000000061cc5a49b712e929d175ca3b07f089f15779fa36ea5edc8ab88242bb3649e534000000000e8000000002000020000000c2952f2335db030f9e942dcfcea35a0e043e2d7e3afc7aa28b0fb42d96a13cb52000000045a001c7f20bd6e758450119be11c014152e2ecf8d86cb30e1b09d9b0a7a28f440000000b4d9faf8df94f655664a34b281b29566209fe3309cf4e22d60bb2dff50cc32d6021dac55244fec4540b54e93d034bec517adc7cbe10dd1be921c30d4071baed3	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05754ed5cb8d901	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395725600"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{188253D1-2450-11EE-9172-D63E05CE97E8} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b14723a8e389564aa88fef2378dcfc63000000000200000000001066000000010000200000001196807c97c707e9df4665894241bb8e2c5b43fb1f23761c785f253b2bc4edd0000000000e8000000002000020000000ac297cb2f3b4e8507070067ac534ed0a1a54bd750d3e368eb367ae1f70e6935690000000086d82d6cc7ef96b3ffe9e3c841c6ee16cbbbdcb1b68941e5e3b4c8795959dda2f7688ad1178de1137872aab31e66e2274aa52a625b04557f641bbf89ed9e7bb405bf388ef8d05a1b3776cdbfa83eb802ccc7a3f1ae85735f878c6dc2b9da455944a54ab65fcf0e5bab74ec6b0ea0cc1bc72ee8fee4e62cd2814e9734abc8095d8f24830aca99bc4ed8b8ad8c9dda97c4000000095035cc6424a1f906c56599e160248295e502ca8b922d8db75d9993ba2dc7a83410ab80c353c964707d06065810abab8c6485e62db6a62013fad58ee7ca6741f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2948	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2180	2300	MSOXMLED.EXE	28
PID 2300 wrote to memory of 2180	2300	MSOXMLED.EXE	28
PID 2300 wrote to memory of 2180	2300	MSOXMLED.EXE	28
PID 2300 wrote to memory of 2180	2300	MSOXMLED.EXE	28
PID 2180 wrote to memory of 2948	2180	iexplore.exe	29
PID 2180 wrote to memory of 2948	2180	iexplore.exe	29
PID 2180 wrote to memory of 2948	2180	iexplore.exe	29
PID 2180 wrote to memory of 2948	2180	iexplore.exe	29
PID 2948 wrote to memory of 1340	2948	IEXPLORE.EXE	30
PID 2948 wrote to memory of 1340	2948	IEXPLORE.EXE	30
PID 2948 wrote to memory of 1340	2948	IEXPLORE.EXE	30
PID 2948 wrote to memory of 1340	2948	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\sticker_bowler.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ef0e9c918182c0826ff7ee88226b922

SHA1
9fa550ca27141658e9877bb95c870d485e5102d7

SHA256
05e7f322b7996d4d9f63f8aeb8e97d164db1a0a44cdb926d4e7215fe100d92b6

SHA512
822c180f7a9d05111f0f003418fa070c3b952e7553c2cf40c4413143244868978cae5b5d36e12f0ee9079b740eb69134d3f80d5a88de6e75575659b7e85c2bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ccc54b3527faafdcceef88bf30ffdb0

SHA1
f4bd7fd2fc3998354a9f04317e2d8a255a4a0c73

SHA256
ab0a4c12fafc7eafd9e843048d5f4d3ec030bcfede0f189e6cc38c052dbcf035

SHA512
f62321aabd89e6137a7cc3a399d03b6608be92d309f9116702fa49ee6957909a3b7b697cb45d99138a3b88d56efd4d2fbbf783d3c96036bfd8c1f29af05386a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e79debfcea392b81723aa02d2bd2b8ac

SHA1
c19775ddde21e900a3a63cadfcffc34d2860d9a8

SHA256
7f8b1f385bafac99904ccc87a08f3924ab25f46cb8833950415307a3ed1b8bfb

SHA512
24727f801b9a0a0212a5ced5af5689c6a807ca3a115eba490b144c19381389de5d59a1d61a887eafc8a122093790534f4a9bd319c8a2942e2365408f846a2e62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5764f94487d6d4d1f3890c96548f9f45

SHA1
2941351332cea8055c354720e7bf4d00438f433f

SHA256
9bdb7a5d64cc1d3518f32f384b0853d0f917612b0501d92372a4690badf464de

SHA512
97a1ea59c39741d3e55d62247d84e7765921e780e41ea1cd1661797f49b49239b90d92fafc855338bef62184532054aaf7e9df7655831605ed9f41d9a195c8f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2327b62488a1ea98ae5a1ac710c8c661

SHA1
fc7f397993f4b70e335fc80a79258cbf2b4b96db

SHA256
53c23f5055bc0c338811f898853074785375002289542658246c5b4dba60f886

SHA512
127aec3d1f313ad68d921b63252f3304fa697b90c52c1b82fb7988e8106a70d08e0f177cbec44c1b7ce54bf46092b5828e2dc25e8f4226ae992e996bcb13b107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a7209c2ca99a97225138c4ba24c23fd

SHA1
14b87628d179e37c9a7334d18be722abd04c80d7

SHA256
aa0ae791b07275f9ccf0c8d8f010db6404fb6c5f8456930cfb39901e26c2f0cc

SHA512
9cca182e824ef4a1fc21de3adebbd73f986848430feb79202ade9220c2ed056853883761f7c232206e1087fba2fbf68acb1e2c6289d28e300cc956984fc108bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a99c5cf5c552f5d99a81cb243787501

SHA1
bd589503257907ab0e5b3576feb9adf22891295c

SHA256
d138721f3c2c552f18005a4ce692bec1e78f5c0ade67263b2d0e049ac630685a

SHA512
4892e14ed017e3be47ccc4a9b95509d286c167f62207a116a45579fae80047c540e4c2dccee79529ee0dcae7b0ea854c8df46fe09d85c3900ff93bfa1f68800d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f9627754c97338d1d6369171094ae51

SHA1
8961def748f667470da0f135034419d910614d7c

SHA256
04c30bcdcebdaef4ef5bbf8dddcde0cedc900bb2ff3420961720b8e899ea0ac2

SHA512
1b5bc2ba6fbb0726f93efe57d48371ba4029ca97dcf684aca632c8c895faeb4c96101b4a6a3af5e561b18693a7566a6748cc50defa6c89bb5dda6df9db209be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca11828eba9e73f3b1413d2d74e2affd

SHA1
ce6b4747ac9ffd99064434e5e4011e95b8dd23ad

SHA256
d504a04a3af28869856b8780a0b4f484672724b5055ab4370fcb917078170d14

SHA512
a13698ef59578e837d8f859e32af37b374a66fde854455398ea760613c94e85b64a70c8c72122042532f20dcf47744ece9c6bb551ed559e75e4c96f778c5589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFFB.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar106B.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit