f08130ff8f580e3bf902eec1400af45854341bbb5ccf00f669092efc76a076fa

Analysis

max time kernel
135s
max time network
140s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sticker_basketball.xml
Size

1KB
MD5

1767916b4383d1c76e2ae70afb76b9b7
SHA1

abd7d89842725bba9892c567e002a01dd96e9d9b
SHA256

d74dc98cafc6bd883d37335b7940f6d4d37c1704a15a119653b3cb98db79c94e
SHA512

a46faf5827fcecb1c63a184c8aa45f8a6d9b80a89b6342d228afa8610063a02be079df630299192ed06ad40dec2ca0a6241769cf9ae2626f8f1dbf9821dedf36

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396328664"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b02100000000020000000000106600000001000020000000c6e4fd39bba56951808a69da1131e45be2f6708b0fd8dd206118aec65150937e000000000e800000000200002000000080890f453f156d29538044d0df6ed9d1e48a44848ed4fe6e4a13482940dba29d9000000095f181e85db885ed7c32c9942ae8a7a48e6a0aee4a119097bb990af3291cfa8bf0cce1807ca5d006c510774ab8db39ed55aa883a744d404c708d369265ed9108bc408e37240243270f2db462e396c80bdfc2325732384cdbe7198adb26702c2e4bae8260675025259d2561cc6b51540216f8ec30f03b021ada8e5182bbac5bf73e16e563628e493e30f2aac04007a97840000000c8345087c8a4896170e721907500e63f363df8bb97c1c7604b38d1a0a598973c02ce33b6dc41314703eecc70361d0146aa1514c54919e5d4573ef1004ac2076d	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000e8664bdb653864eb3b20ffc0ad3b0210000000002000000000010660000000100002000000041278e32f3fc1cedddb42678fc299d8068ac538f966e93a2d1aeaa90744261e2000000000e8000000002000020000000e2b60ba982ffad0a59fb4583d17d1595164fe7c5af3fe4653e7bc7e83a7986e4200000003f7568d4e4afdb73a37375f61b59b563de3e91cd29bb80415b8171f555b265c44000000028de912dcf7add1be350ad0789c243a8f1b548352ca487d9fbdddf9ac8d3146d45a4043c55b57badeff958270d60ea17cc0cb6c472966a71c504a3ad0488e975	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1676D431-2450-11EE-8AC7-6A17F358A96E} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607566ec5cb8d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
860	IEXPLORE.EXE
860	IEXPLORE.EXE
860	IEXPLORE.EXE
860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2816	2208	MSOXMLED.EXE	28
PID 2208 wrote to memory of 2816	2208	MSOXMLED.EXE	28
PID 2208 wrote to memory of 2816	2208	MSOXMLED.EXE	28
PID 2208 wrote to memory of 2816	2208	MSOXMLED.EXE	28
PID 2816 wrote to memory of 2992	2816	iexplore.exe	29
PID 2816 wrote to memory of 2992	2816	iexplore.exe	29
PID 2816 wrote to memory of 2992	2816	iexplore.exe	29
PID 2816 wrote to memory of 2992	2816	iexplore.exe	29
PID 2992 wrote to memory of 860	2992	IEXPLORE.EXE	30
PID 2992 wrote to memory of 860	2992	IEXPLORE.EXE	30
PID 2992 wrote to memory of 860	2992	IEXPLORE.EXE	30
PID 2992 wrote to memory of 860	2992	IEXPLORE.EXE	30

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\sticker_basketball.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96ee64d6ba785ddf988caf1a878408dc

SHA1
4ed6c83afeeebdb8e6562a567e7dd5bd1d55f9f3

SHA256
2b3502b9711124edbea32d03b4ff185914438e0957fc5c979b2b8ec493730094

SHA512
c815511895e295a99860b60a3e47177378050b639eb71910e227568627a91ad6c0f827956766e357eca9429de47850ff479d3449ede902dbf59dfbdabe4f2c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88d6cee8c9874ee9934ea60867340695

SHA1
8a31791d3063201be99f352482dbfe390d01cf20

SHA256
7185699e508ae8603dc1e8baecc3b357accc369bf0ce2313a510d90b724a361a

SHA512
129fa01c18bcbf9a0684471d240f2b69f5564357ad67e9cc3dc4c29539f2a8fd381d28e7e1f5c9e0f84016165b1cdee9105e4e05c7b125339b5e02a35f6d5072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cc25057b7273c2ded0bce961a99313df

SHA1
36dd8982a62f66da437b2a3d6005a3a0ed223698

SHA256
27227677d69774a3d08c541a2b3b17810bf75cd5769f30c7f177923e1fa6f05a

SHA512
f4051e1be6a278bad5b3193d0a42f06849cf5abc82476e18c8351d37caef217382404110f41b7b4fc81a75da071e83f302ed52f652cd5576cbb99ea5e4d18b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2157f7e7af43b1de4bd726a039b6efb2

SHA1
a5e3db2810a80f69b8a1577f1b70daf9f2456342

SHA256
47425ac90d7aae544cc0dd17233466565d51d1291f9317d0b5d59b0a2e93d6b4

SHA512
b9d31035d8368a79c07f7aa8d89c1071d6917fc0e129370a3ae07a269f66a05219b06090bddcbb2ae8c2fbfb82c99db96b3f99777cbe9620f5bd6a980abbb82f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc86cf7235b93b16459e605116c99027

SHA1
3b1376d28f331b7c25cd9c74ef23bac78e283a50

SHA256
d304ac2f08b921cd5e06d900a44ab5b32350d0009540d61b5d71fe4fbc1bbbbb

SHA512
b9e54151570cc71b29d6e1d8fa988fd4a71847d67580513cb11f331e7870f72df1643d0b12b1d3b8a07a3112df5f13bbd096ad970cfcef70c2b8cb9e14f57fef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2353e83b917c7fa77c368b7965f6ccb7

SHA1
dcf50ad1419c68689a591e914c4981cac4638b4a

SHA256
239b59075d3667957d43567ef0f8760cc780cbf30e795484c561bb0f08086751

SHA512
00eba57491c5b08401a3890f7ac09c0e53b76dc9f4b2240395d0305899177a49675b874b22f7eb1488f7fca47fa81b4832035351e5876a37e8d164c38c785bce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ea398a172ad8303731c8e6fc074d2e64

SHA1
969fe43bd33fb65d219e675a9a6c1b3237d6a096

SHA256
392cd6929a7c94ecf49d4da02e19c860017be198d089edd97d89da704c054530

SHA512
f36b2277ca9bc5bc138158f7c8f67144b1eb490dbc522122a8a164e1246dc8afa1b652f7e11cfcac20fb4d70a90998cafe8f49cbf684d3769d1298971a79e2e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df02ce955b2578d4942978e18abc77e4

SHA1
57ce54bed307e86b7a6eac86aa0ec57c3d561658

SHA256
f336e2aad7a05e0ab8dc45de26d77f081617c8a7d20cbed336b51c836262a767

SHA512
84efd91372c8e61ffcb1d058a960e3aa5773ef1809599cbb79444dc79d6c2d678f30e884dc6e12c8745173242ae2b3a116955385f355e6a4ecdcd45d34f910e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB954.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB9B5.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NOZEW93X.txt

Filesize
593B

MD5
1d988d5749ebdf3cc7234b7db3825261

SHA1
2428d28df0649bbe4fec70b17356ba0d593f388a

SHA256
0ebdca8430ad085363370cb1836a4406593d2a85e4cadad400780db455366509

SHA512
1a18ec933b13918f1dd2e37a1fc87a53833f71079e2fc386079a4dbc80d394a6afca6bdfdc7eeee78386edeb7f317b67573a158209987a3ad95e0462779ba043

Download Submit